mirror of
https://github.com/django/django.git
synced 2025-01-12 03:15:47 +00:00
d3ba8cb88b
Although this changes nothing at a functional level, this is BACKWARDS INCOMPATIBLE from a UX perspective for anyone that wants passwords to be reflected to the user on form failure. See the 1.3 release notes for details. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13498 bcc190cf-cafb-0310-a4f2-bffc1f526a37
57 lines
1.9 KiB
Plaintext
57 lines
1.9 KiB
Plaintext
.. _releases-1.3:
|
|
|
|
============================================
|
|
Django 1.3 release notes - UNDER DEVELOPMENT
|
|
============================================
|
|
|
|
This page documents release notes for the as-yet-unreleased Django
|
|
1.3. As such, it's tentative and subject to change. It provides
|
|
up-to-date information for those who are following trunk.
|
|
|
|
Django 1.3 includes a number of nifty `new features`_, lots of bug
|
|
fixes and an easy upgrade path from Django 1.2.
|
|
|
|
.. _new features: `What's new in Django 1.3`_
|
|
|
|
.. _backwards-incompatible-changes-1.3:
|
|
|
|
Backwards-incompatible changes in 1.3
|
|
=====================================
|
|
|
|
PasswordInput default rendering behavior
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Prior to Django 1.3, a :class:`~django.forms.PasswordInput` would render
|
|
data values like any other form. If a form submission raised an error,
|
|
the password that was submitted would be reflected to the client as form
|
|
data populating the form for resubmission.
|
|
|
|
This had the potential to leak passwords, as any failed password
|
|
attempt would cause the password that was typed to be sent back to the
|
|
client.
|
|
|
|
In Django 1.3, the default behavior of
|
|
:class:`~django.forms.PasswordInput` is to suppress the display of
|
|
password values. This change doesn't alter the way form data is
|
|
validated or handled. It only affects the user experience with
|
|
passwords on a form when they make an error submitting form data (such
|
|
as on unsuccessful logins, or when completing a registration form).
|
|
|
|
If you want restore the pre-Django 1.3 behavior, you need to pass in a
|
|
custom widget to your form that sets the ``render_value`` argument::
|
|
|
|
class LoginForm(forms.Form):
|
|
username = forms.CharField(max_length=100)
|
|
password = forms.PasswordField(widget=forms.PasswordInput(render_value=True))
|
|
|
|
|
|
Features deprecated in 1.3
|
|
==========================
|
|
|
|
|
|
|
|
What's new in Django 1.3
|
|
========================
|
|
|
|
|