Added postgres.E005 to validate 'django.contrib.postgres' is in INSTALLED_APPS
when using:
* PostgreSQL-specific fields (ArrayField, HStoreField, range fields, SearchVectorField),
* PostgreSQL indexes (PostgresIndex and all subclasses), and
* ExclusionConstraint
The check provides immediate feedback during system checks rather than failing
later with obscure runtime and database errors.
Thanks to Simon Charette and Sarah Boyce for reviews.
Thanks to Jacob Walls for the report and previous iterations of this
fix, to Simon Charette for the logging formatter idea, and to Tim Graham
for testing and ensuring that 3rd party backends remain compatible.
This partially reverts d8f093908c504ae0dbc39d3f5231f7d7920dde37.
Refs #36112, #35448.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Value(None, JSONField()) when used in When.condition incorrectly resolved with
for_save=True, resulting in the value being serialized as SQL NULL instead of
JSON null.
Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940.
Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes
for the review.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Thank you to Anders Kaseorg for the report.
Refactored GIS-related JavaScript initialization to eliminate inline
scripts from templates. Added support for specifying a base layer using
the new `base_layer_name` attribute on `BaseGeometryWidget`, allowing
custom map tile providers via user-defined JavaScript.
As a result, the `gis/openlayers-osm.html` template was removed.
Thanks Sarah Boyce for reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Avoided repeatedly templating the URL and hoisted Person creation to
setUpTestData in AssertNumQueriesContextManagerTests to repeat the same
pattern as in CaptureQueriesContextManagerTests.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
