1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00
Commit Graph

13448 Commits

Author SHA1 Message Date
Natalia
fe4a0bbe20 Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
2024-07-09 09:21:19 -03:00
Michael Manfre
5d86458579 Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords.
Refs #20760.

Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09 09:21:19 -03:00
Adam Johnson
d666457453 Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thank you to Elias Myllymäki for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-09 09:21:19 -03:00
jason_bruce
af84bcc8d1 Fixed #35580 -- Allowed related fields referencing auto-created through models. 2024-07-09 13:50:12 +02:00
wookkl
759abc4daf Fixed #35413 -- Made unsupported lookup error message more specific. 2024-07-09 09:15:38 +02:00
Mark Gensler
1005c2abd1 Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for constraints.
Accessing generated field values on unsaved models caused a crash when
validating CheckConstraints and UniqueConstraints with expressions.
2024-07-04 11:45:15 +02:00
Jake Howard
53e674d574 Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests. 2024-07-04 11:38:58 +02:00
Jacob Walls
31837dbcb3 Fixed #35569 -- Improved wording of invalid ForeignKey error message. 2024-07-04 11:35:03 +02:00
Simon Charette
6d220963fa Fixed #28900 -- Propagated all selected fields to combinator queries.
Previously, only the selected column aliases would be propagated and
annotations were ignored.
2024-07-03 16:36:25 +02:00
Simon Charette
65ad4ade74 Refs #28900 -- Made SELECT respect the order specified by values(*selected).
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.

This commits introduces a new `Query.selected` propery that keeps tracks of the
global select order as specified by on values assignment. This is crucial
feature to allow the combination of queries mixing annotations and table
references.

It also allows the removal of the re-ordering shenanigans perform by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.

Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd.

Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-07-03 16:36:25 +02:00
Mariusz Felisiak
8719a6181e
Refs #22712 -- Corrected deprecation of "all" argument in django.contrib.staticfiles.finders.find().
Features deprecated in Django 5.2 should be removed in Django 6.1.
2024-06-28 08:39:55 -03:00
Andreu Vallbona
0fdcf1029c Fixed #22712 -- Avoided name shadowing of "all" in django.contrib.staticfiles.finders.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-06-27 23:37:12 -03:00
Salvo Polizzi
dfac15d570 Fixed #35517, Refs #35515 -- Improved test coverage of shell command. 2024-06-27 16:42:55 +02:00
nessita
e56a32b89b
Fixed 35561 -- Made *args and **kwargs parsing more strict in Model.save()/asave(). 2024-06-26 12:13:17 -03:00
Sarah Boyce
e510bb1ab1
Fixed #35558 -- Increased inline H3 headers color prominence in admin change page. 2024-06-25 14:03:21 -03:00
Adam Johnson
28522c3c8d
Fixed #35554, Refs #35060 -- Corrected deprecated *args parsing in Model.save()/asave().
The transitional logic added to deprecate the usage of *args for
Model.save()/asave() introduced two issues that this branch fixes:
 * Passing extra positional arguments no longer raised TypeError.
 * Passing a positional but empty update_fields would save all fields.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-06-25 13:12:10 -03:00
Sarah Boyce
f1705c8780 Fixed #35545, Refs #32833 -- Fixed ContentTypeManager.get_for_models() crash in CreateModel migrations.
Thank you to Csirmaz Bendegúz for the report and Simon Charettes for the review.
2024-06-24 10:20:11 +02:00
Tim Graham
7ba2a0db20
Fixed Number.__str__() crash when float/decimal_value is None in expressions tests models. 2024-06-21 16:51:41 -03:00
Ronny Vedrilla
5fef6d2445 Fixed #35528 -- Added EmailMultiAlternatives.body_contains() helper method. 2024-06-21 12:00:56 +02:00
Mariusz Felisiak
20c2d625d3 Refs #35074 -- Avoided failed attempts to remove spatial indexes on nullable fields on MySQL.
MySQL doesn't support spatial indexes on NULL columns, so there is no
point in removing them.
2024-06-20 11:44:44 +02:00
Jake Howard
aba0e541ca Fixed #35537 -- Changed EmailMessage.attachments and EmailMultiAlternatives.alternatives to use namedtuples.
This makes it more descriptive to pull out the named fields.
2024-06-20 09:43:40 +02:00
Baptiste Mispelon
62300b81cf Fixed #12978 -- Added support for RSS feed stylesheets. 2024-06-18 17:25:43 +02:00
stefan.ivic
ce1ad98565 Fixed #35505 -- Added extrabody block to admin/base.html. 2024-06-18 16:49:53 +02:00
Mariusz Felisiak
a0c44d4e23 Simplified OperationTestCase.alter_gis_model() test hook a bit.
This avoids passing "blank=False" and "srid=4326" to field classes,
which are the default values, and removes special treatment for the
"blank" parameter.
2024-06-18 12:03:57 +02:00
Alexander Lötvall
38ad710aba Fixed #35483 -- Added NUL (0x00) character validation to ModelChoiceFields.
Applied the ProhibitNullCharactersValidator to ModelChoiceField and ModelMultipleChoiceField.

Co-authored-by: Viktor Paripás <viktor.paripas@gmail.com>
Co-authored-by: Vasyl Dizhak <vasyl@dizhak.com>
Co-authored-by: Arthur Vasconcelos <vasconcelos.arthur@gmail.com>
2024-06-17 12:19:26 +02:00
Mariusz Felisiak
fa78481467 Refs #34881 -- Fixed OperationTests.test_rename_m2m_field_with_2_references() test on Oracle. 2024-06-14 19:52:09 +02:00
Mariusz Felisiak
4ee68bb4f5 Fixed mail.tests.MailTests.test_backend_arg() test on Python 3.13+.
There is no point in asserting Python error messages.
2024-06-14 13:20:54 +02:00
Anže Pečar
e99187e5c9 Fixed #34881 -- Fixed a crash when renaming a model with multiple ManyToManyField.through references on SQLite.
Thank you to dennisvang for the report and Jase Hackman for the test.

Co-authored-by: Jase Hackman <jase.hackman@zapier.com>
2024-06-13 17:49:22 +02:00
Madalin Popa
d28626ecf8 Fixed #35488 -- Fixed BaseModelFormSet.validate_unique() crash due to unhashable type. 2024-06-13 16:21:53 +02:00
George Y. Kussumoto
2a32b23382 Fixed #35417 -- Updated BaseContext.new() with values to create a context that can be flattened. 2024-06-13 14:22:40 +02:00
Devin Cox
719a42b589 Fixed #34789 -- Prevented updateRelatedSelectsOptions from
adding entries to filter_horizontal chosen box.

Co-authored-by: yokeshwaran1 <yokesh440@yahoo.com>
2024-06-12 13:09:04 +02:00
Fabian Braun
339977d444 Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.
The auth forms using SetPasswordMixin were incorrectly including the
'This field is required.' error when additional validations (e.g.,
overriding `clean_password1`) were performed and failed.
This fix ensures accurate error reporting for password fields.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-30 16:31:01 -03:00
Jake Howard
ff308a0604
Fixed 35467 -- Replaced urlparse with urlsplit where appropriate.
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.

Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path`, simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
2024-05-29 10:48:27 -03:00
Carlton Gibson
f4a08b6ddf
Refs #35059 -- Used asyncio.Event in ASGITest.test_asyncio_cancel_error to enforce specific interleaving.
Sleep call leads to a hard to trace error in CI. Using an Event is
more deterministic, and should be less prone to environment
variations.

Bug in 11393ab131.
2024-05-28 14:36:34 -03:00
Jacob Walls
99f23eaabd Fixed #35469 -- Removed deferred SQL to create index removed by AlterField operation. 2024-05-28 12:44:07 +02:00
Simon Törnqvist
d3a7ed5bcc Fixed #35443 -- Changed ordinal to return negative numbers unchanged.
Previously, `-1` was converted to `"-1th"`. This has been updated to
return negative numbers "as is", so that for example `-1` is
converted to `"-1"`. This is now explicit in the docs.

Co-authored-by: Martin Jonson <artin.onson@gmail.com>
2024-05-27 10:54:25 +02:00
Mariusz Felisiak
b049bec7cf Fixed #35479 -- Dropped support for PostgreSQL 13 and PostGIS 3.0. 2024-05-27 09:49:25 +02:00
Tim Graham
bcbc4b9b8a Fixed typo in migrations test name. 2024-05-23 17:19:48 +02:00
Sarah Boyce
7e39ae5c8c Fixed #35472 -- Used temporary directory in test_imagefield.NoReadTests. 2024-05-22 16:37:23 -03:00
Natalia
04a208d7f1 Increased the default PBKDF2 iterations for Django 5.2. 2024-05-22 15:44:07 -03:00
Natalia
3a748cd0f5 Advanced deprecation warnings for Django 5.2. 2024-05-22 15:44:07 -03:00
Willem Van Onsem
2995aeab56 Fixed #35393 -- Added excluded pk as a hidden field to the inline admin. 2024-05-22 10:31:24 +02:00
Hisham Mahmood
c7fc9f20b4 Fixed #31405 -- Added LoginRequiredMiddleware.
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22 08:51:17 +02:00
Marijke Luttekes
e4a693f50a Fixed #35189 -- Improved admin collapsible fieldsets by using <details> elements.
This work improves the accessibility of the add and change pages in the
admin site by adding <details> and <summary> elements to the collapsible
fieldsets. This has the nice side effect of no longer requiring custom
JavaScript helpers to implement the fieldsets' show/hide capabilities.

Thanks to James Scholes for the accessibility advice, and to Sarah Boyce
and Tom Carrick for reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22 00:13:55 -03:00
Marijke Luttekes
01ed59f753 Refs #35189 -- Improved admin fieldset's accessibility by setting aria-labelledby.
Before this change, HTML <fieldset> elements in the admin site did not
have an associated label to describe them. This commit defines a unique
HTML id for the heading labeling a fieldset, and sets its
aria-labelledby property to link the heading with the fieldset.
2024-05-22 00:13:55 -03:00
John Parton
9c5fe93349 Fixed #35139 -- Prevented file read after ImageField is saved to storage. 2024-05-22 00:25:56 +02:00
Berker Peksag
4971a9afe5 Fixed #18119 -- Added a DomainNameValidator validator.
Thanks Claude Paroz for the review.

Co-authored-by: Nina Menezes <77671865+nmenezes0@users.noreply.github.com>
2024-05-21 23:11:12 +02:00
Adam Johnson
b9838c65ec Fixed #35405 -- Converted get_cache_name into a cached property in FieldCacheMixin.
FieldCacheMixin is used by related fields to track their cached values.
This work migrates get_cache_name() to be a cached property to optimize
performance by reducing unnecessary function calls when working with
related fields, given that its value remains constant.

Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-21 16:19:29 -03:00
Ryan Hiebert
c201014e85 Removed hardcoded docs version in csrf template. 2024-05-21 11:03:39 +02:00
Ben Cail
0b33a3abc2 Fixed #35326 -- Added allow_overwrite parameter to FileSystemStorage. 2024-05-21 07:28:12 +02:00