Softpedia >Mac >Developer Tools >Django >  Changelog

Django Changelog

What's new in Django 1.9.7

Jun 21, 2016
  • Bug fixes:
  • Removed the need for the request context processor on the admin login page to fix a regression in 1.9 (#26558).
  • Fixed translation of password validators’ help_text in forms (#26544).
  • Fixed a regression causing the cached template loader to crash when using lazy template names (#26603).
  • Fixed on_commit callbacks execution order when callbacks make transactions (#26627).
  • Fixed HStoreField to raise a ValidationError instead of crashing on non-dictionary JSON input (#26672).
  • Fixed dbshell crash on PostgreSQL with an empty database name (#26698).
  • Fixed a regression in queries on a OneToOneField that has to_field and primary_key=True (#26667).

New in Django 1.9.6 (Jun 2, 2016)

  • Bug fixes:
  • Added support for relative path redirects to the test client and to SimpleTestCase.assertRedirects() because Django 1.9 no longer converts redirects to absolute URIs (#26428).
  • Fixed TimeField microseconds round-tripping on MySQL and SQLite (#26498).
  • Prevented makemigrations from generating infinite migrations for a model field that references a functools.partial (#26475).
  • Fixed a regression where SessionBase.pop() returned None rather than raising a KeyError for nonexistent values (#26520).
  • Fixed a regression causing the cached template loader to crash when using template names starting with a dash (#26536).
  • Restored conversion of an empty string to null when saving values of GenericIPAddressField on SQLite and MySQL (#26557).
  • Fixed a makemessages regression where temporary .py extensions were leaked in source file paths (#26341).

New in Django 1.9.2 (Feb 23, 2016)

  • Security issue: User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True:
  • If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to “Save as new”. A regression in Django 1.9 prevented that form submission from raising a “Permission Denied” error for users without the “add” permission.
  • Backwards incompatible change: .py-tpl files rewritten in project/app templates:
  • The addition of some Django template language syntax to the default app template in Django 1.9 means those files now have some invalid Python syntax. This causes difficulties for packaging systems that unconditionally byte-compile *.py files.
  • To remedy this, a .py-tpl suffix is now used for the project and app template files included in Django. The .py-tpl suffix is replaced with .py by the startproject and startapp commands. For example, a template with the filename manage.py-tpl will be created as manage.py.
  • Please file a ticket if you have a custom project template containing .py-tpl files and find this behavior problematic.
  • Bug fixes:
  • Fixed a regression in ConditionalGetMiddleware causing If-None-Match checks to always return HTTP 200 (#26024).
  • Fixed a regression that caused the “user-tools” items to display on the admin’s logout page (#26035).
  • Fixed a crash in the translations system when the current language has no translations (#26046).
  • Fixed a regression that caused the incorrect day to be selected when opening the admin calendar widget for timezones from GMT+0100 to GMT+1200 (#24980).
  • Fixed a regression in the admin’s edit related model popup that caused an escaped value to be displayed in the select dropdown of the parent window (#25997).
  • Fixed a regression in 1.8.8 causing incorrect index handling in migrations on PostgreSQL when adding db_index=True or unique=True to a CharField or TextField that already had the other specified, or when removing one of them from a field that had both, or when adding unique=True to a field already listed in unique_together (#26034).
  • Fixed a regression where defining a relation on an abstract model’s field using a string model name without an app_label no longer resolved that reference to the abstract model’s app if using that model in another application (#25858).
  • Fixed a crash when destroying an existing test database on MySQL or PostgreSQL (#26096).
  • Fixed CSRF cookie check on POST requests when USE_X_FORWARDED_PORT=True (#26094).
  • Fixed a QuerySet.order_by() crash when ordering by a relational field of a ManyToManyField through model (#26092).
  • Fixed a regression that caused an exception when making database queries on SQLite with more than 2000 parameters when DEBUG is True on distributions that increase the SQLITE_MAX_VARIABLE_NUMBER compile-time limit to over 2000, such as Debian (#26063).
  • Fixed a crash when using a reverse OneToOneField in ModelAdmin.readonly_fields (#26060).
  • Fixed a crash when calling the migrate command in a test case with the available_apps attribute pointing to an application with migrations disabled using the MIGRATION_MODULES setting (#26135).
  • Restored the ability for testing and debugging tools to determine the template from which a node came from, even during template inheritance or inclusion. Prior to Django 1.9, debugging tools could access the template origin from the node via Node.token.source[0]. This was an undocumented, private API. The origin is now available directly on each node using the Node.origin attribute (#25848).
  • Fixed a regression in Django 1.8.5 that broke copying a SimpleLazyObject with copy.copy() (#26122).
  • Always included geometry_field in the GeoJSON serializer output regardless of the fields parameter (#26138).
  • Fixed the contrib.gis map widgets when using USE_THOUSAND_SEPARATOR=True (#20415).
  • Made invalid forms display the initial of values of their disabled fields (#26129).

New in Django 1.9.1 (Jan 4, 2016)

  • Bug fixes:
  • Fixed BaseCache.get_or_set() with the DummyCache backend (#25840).
  • Fixed a regression in FormMixin causing forms to be validated twice (#25548, #26018).
  • Fixed a system check crash with nested ArrayFields (#25867).
  • Fixed a state bug when migrating a SeparateDatabaseAndState operation backwards (#25896).
  • Fixed a regression in CommonMiddleware causing If-None-Match checks to always return HTTP 200 (#25900).
  • Fixed missing varchar/text_pattern_ops index on CharField and TextField respectively when using AlterField on PostgreSQL (#25412).
  • Fixed admin’s delete confirmation page’s summary counts of related objects (#25883).
  • Added from __future__ import unicode_literals to the default apps.py created by startapp on Python 2 (#25909). Add this line to your own apps.py files created using Django 1.9 if you want your migrations to work on both Python 2 and Python 3.
  • Prevented QuerySet.delete() from crashing on MySQL when querying across relations (:ticket`25882`).
  • Fixed evaluation of zero-length slices of QuerySet.values() (#25894).
  • Fixed a state bug when using an AlterModelManagers operation (#25852).
  • Fixed TypedChoiceField change detection with nullable fields (#25942).
  • Fixed incorrect timezone warnings in custom admin templates that don’t have a data-admin-utc-offset attribute in the body tag. (#25845).
  • Fixed a regression which prevented using a language not in Django’s default language list (LANGUAGES) (#25915).
  • Avoided hiding some exceptions, like an invalid INSTALLED_APPS setting, behind AppRegistryNotReady when starting runserver (#25510). This regression appeared in 1.8.5 as a side effect of fixing #24704 and by mistake the fix wasn’t applied to the stable/1.9.x branch.
  • Fixed migrate --fake-initial detection of many-to-many tables (#25922).
  • Restored the functionality of the admin’s list_editable add and change buttons (#25903).
  • Fixed isnull query lookup for ForeignObject (#25972).
  • Fixed a regression in the admin which ignored line breaks in read-only fields instead of converting them to (#25465).
  • Fixed incorrect object reference in SingleObjectMixin.get_context_object_name() (#26006).
  • Made loaddata skip disabling and enabling database constraints when it doesn’t load any fixtures (#23372).
  • Restored contrib.auth hashers compatibility with py-bcrypt (#26016).
  • Fixed a crash in QuerySet.values()/values_list() after an annotate() and order_by() when values()/values_list() includes a field not in the order_by() (#25316).

New in Django 1.8.7 (Nov 29, 2015)

  • Fixed settings leak possibility in date template filter:
  • If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
  • To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.
  • Bug fixes:
  • Fixed a crash of the debug view during the autumn DST change when USE_TZ is False and pytz is installed.
  • Fixed a regression in 1.8.6 that caused database routers without an allow_migrate() method to crash (#25686).
  • Fixed a regression in 1.8.6 by restoring the ability to use Manager objects for the queryset argument of ModelChoiceField (#25683).
  • Fixed a regression in 1.8.6 that caused an application with South migrations in the migrations directory to fail (#25618).
  • Fixed a data loss possibility with Prefetch if to_attr is set to a ManyToManyField (#25693).
  • Fixed a regression in 1.8 by making gettext() once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (#25720).
  • Fixed serialization of DateRangeField and DateTimeRangeField (#24937).
  • Fixed the exact lookup of ArrayField (#25666).
  • Fixed Model.refresh_from_db() updating of ForeignKey fields with on_delete=models.SET_NULL (#25715).
  • Fixed a duplicate query regression in 1.8 on proxied model deletion (#25685).
  • Fixed set_FOO_order() crash when the ForeignKey of a model with order_with_respect_to references a model with a OneToOneField primary key (#25786).
  • Fixed incorrect validation for PositiveIntegerField and PositiveSmallIntegerField on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (#25767).

New in Django 1.8.6 (Nov 12, 2015)

  • Bug fixes:
  • Fixed a regression causing ModelChoiceField to ignore prefetch_related() on its queryset (#25496).
  • Allowed “mode=memory” in SQLite test database name if supported (#12118).
  • Fixed system check crash on ForeignKey to abstract model (#25503).
  • Fixed incorrect queries when you have multiple ManyToManyFields on different models that have the same field name, point to the same model, and have their reverse relations disabled (#25545).
  • Allowed filtering over a RawSQL annotation (#25506).
  • Made the Concat database function idempotent on SQLite (#25517).
  • Avoided a confusing stack trace when starting runserver with an invalid INSTALLED_APPS setting (#25510). This regression appeared in 1.8.5 as a side effect of fixing #24704.
  • Made deferred models use their proxied model’s _meta.apps for caching and retrieval (#25563). This prevents any models generated in data migrations using QuerySet.defer() from leaking to test and application code.
  • Fixed a typo in the name of the strictly_above PostGIS lookup (#25592).
  • Fixed crash with contrib.postgres.forms.SplitArrayField and IntegerField on invalid value (#25597).
  • Added a helpful error message when Django and South migrations exist in the same directory (#25618).
  • Fixed a regression in URLValidator that allowed URLs with consecutive dots in the domain section (like http://example..com/) to pass (#25620).
  • Fixed a crash with GenericRelation and BaseModelAdmin.to_field_allowed (#25622).

New in Django 1.8.5 (Oct 20, 2015)

  • Bug fixes:
  • Made the development server’s autoreload more robust (#24704).
  • Fixed AssertionError in some delete queries with a model containing a field that is both a foreign and primary key (#24951).
  • Fixed AssertionError in some complex queries (#24525).
  • Fixed a migrations crash with GenericForeignKey (#25040).
  • Made translation.override() clear the overridden language when a translation isn’t initially active (#25295).
  • Fixed crash when using a value in ModelAdmin.list_display that clashed with a reverse field on the model (#25299).
  • Fixed autocompletion for options of non-argparse management commands (#25372).
  • Alphabetized ordering of imports in from django.db import migrations, models statement in newly created migrations (#25384).
  • Fixed migrations crash on MySQL when adding a text or a blob field with an unhashable default (#25393).
  • Changed Count queries to execute COUNT(*) instead of COUNT('*') as versions of Django before 1.8 did (#25377). This may fix a performance regression on some databases.
  • Fixed custom queryset chaining with values() and values_list() (#20625).
  • Moved the unsaved model instance assignment data loss check on reverse relations to Model.save() (#25160).
  • Readded inline foreign keys to form instances when validating model formsets (#25431).
  • Allowed using ORM write methods after disabling autocommit with set_autocommit(False) (#24921).
  • Fixed the manage.py test --keepdb option on Oracle (#25421).
  • Fixed incorrect queries with multiple many-to-many fields on a model with the same ‘to’ model and with related_name set to ‘+’ (#24505, #25486).
  • Fixed pickling a SimpleLazyObject wrapping a model (#25389).

New in Django 1.8.4 (Aug 19, 2015)

  • Denial-of-service possibility in logout() view by filling session store:
  • Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout() view (provided it wasn’t decorated with login_required() as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users’ session records to be evicted.
  • The SessionMiddleware has been modified to no longer create empty session records.
  • Bug fixes:
  • Added the ability to serialize values from the newly added UUIDField (#25019).
  • Added a system check warning if the old TEMPLATE_* settings are defined in addition to the new TEMPLATES setting.
  • Fixed QuerySet.raw() so InvalidQuery is not raised when using the db_column name of a ForeignKey field with primary_key=True (#12768).
  • Prevented an exception in TestCase.setUpTestData() from leaking the transaction (#25176).
  • Fixed has_changed() method in contrib.postgres.forms.HStoreField (#25215, #25233).
  • Fixed the recording of squashed migrations when running the migrate command (#25231).
  • Moved the unsaved model instance assignment data loss check to Model.save() to allow easier usage of in-memory models (#25160).
  • Prevented varchar_patterns_ops and text_patterns_ops indexes for ArrayField (#25180).

New in Django 1.8.3 (Jul 13, 2015)

  • Denial-of-service possibility by filling session store:
  • In previous versions of Django, the session backends created a new empty record in the session storage anytime request.session was accessed and there was a session key provided in the request cookies that didn’t already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users’ session records to be evicted.
  • The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.
  • As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.
  • Header injection possibility since validators accept newlines in input:
  • Some of Django’s built-in validators (EmailValidator, most seriously) didn’t prohibit newline characters (due to the usage of $ instead of \Z in the regular expressions). If you use values with newlines in HTTP response or email headers, you can suffer from header injection attacks. Django itself isn’t vulnerable because HttpResponse and the mail sending utilities in django.core.mail prohibit newlines in HTTP and SMTP headers, respectively. While the validators have been fixed in Django, if you’re creating HTTP responses or email messages in other ways, it’s a good idea to ensure that those methods prohibit newlines as well. You might also want to validate that any existing data in your application doesn’t contain unexpected newlines.
  • validate_ipv4_address(), validate_slug(), and URLValidator are also affected, however, as of Django 1.6 the GenericIPAddresseField, IPAddressField, SlugField, and URLField form fields which use these validators all strip the input, so the possibility of newlines entering your data only exists if you are using these validators outside of the form fields.
  • The undocumented, internally unused validate_integer() function is now stricter as it validates using a regular expression instead of simply casting the value using int() and checking if an exception was raised.
  • Denial-of-service possibility in URL validation:
  • URLValidator included a regular expression that was extremely slow to evaluate against certain invalid inputs. This regular expression has been simplified and optimized.
  • Bug fixes:
  • Fixed BaseRangeField.prepare_value() to use each base_field’s prepare_value() method (#24841).
  • Fixed crash during makemigrations if a migrations module either is missing __init__.py or is a file (#24848).
  • Fixed QuerySet.exists() returning incorrect results after annotation with Count() (#24835).
  • Corrected HStoreField.has_changed() (#24844).
  • Reverted an optimization to the CSRF template context processor which caused a regression (#24836).
  • Fixed a regression which caused template context processors to overwrite variables set on a RequestContext after it’s created (#24847).
  • Prevented the loss of null/not null column properties during field renaming of MySQL databases (#24817).
  • Fixed a crash when using a reverse one-to-one relation in ModelAdmin.list_display (#24851).
  • Fixed quoting of SQL when renaming a field to AutoField in PostgreSQL (#24892).
  • Fixed lack of unique constraint when changing a field from primary_key=True to unique=True (#24893).
  • Fixed queryset pickling when using prefetch_related() after deleting objects (#24831).
  • Allowed using choices longer than 1 day with DurationField (#24897).
  • Fixed a crash when loading squashed migrations from two apps with a dependency between them, where the dependent app’s replaced migrations are partially applied (#24895).
  • Fixed recording of applied status for squashed (replacement) migrations (#24628).
  • Fixed queryset annotations when using Case expressions with exclude() (#24833).
  • Corrected join promotion for multiple Case expressions. Annotating a query with multiple Case expressions could unexpectedly filter out results (#24924).
  • Fixed usage of transforms in subqueries (#24744).
  • Fixed SimpleTestCase.assertRaisesMessage() on Python 2.7.10 (#24903).
  • Provided better backwards compatibility for the verbosity argument in optparse management commands by casting it to an integer (#24769).
  • Fixed prefetch_related() on databases other than PostgreSQL for models using UUID primary keys (#24912).
  • Fixed removing unique_together constraints on MySQL (#24972).
  • Fixed crash when uploading images with MIME types that Pillow doesn’t detect, such as bitmap, in forms.ImageField (#24948).
  • Fixed a regression when deleting a model through the admin that has a GenericRelation with a related_query_name (#24940).
  • Reallowed non-ASCII values for ForeignKey.related_name on Python 3 by fixing the false positive system check (#25016).
  • Fixed inline forms that use a parent object that has a UUIDField primary key and a child object that has an AutoField primary key (#24958).
  • Fixed a regression in the unordered_list template filter on certain inputs (#25031).
  • Fixed a regression in URLValidator that invalidated Punycode TLDs (#25059).
  • Improved pyinotify runserver polling (#23882).

New in Django 1.8.2 (May 21, 2015)

  • Fixed session flushing in the cached_db backend:
  • A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.
  • Bug fixes:
  • Fixed check for template engine alias uniqueness (#24685).
  • Fixed crash when reusing the same Case instance in a query (#24752).
  • Corrected join promotion for Case expressions. For example, annotating a query with a Case expression could unexpectedly filter out results (#24766).
  • Fixed negated Q objects in expressions. Cases like Case(When(~Q(friends__age__lte=30))) tried to generate a subquery which resulted in a crash (#24705).
  • Fixed incorrect GROUP BY clause generation on MySQL when the query’s model has a self-referential foreign key (#24748).
  • Implemented ForeignKey.get_db_prep_value() so that ForeignKeys pointing to UUIDField and inheritance on models with UUIDField primary keys work correctly (#24698, #24712).
  • Fixed isnull lookup for HStoreField (#24751).
  • Fixed a MySQL crash when a migration removes a combined index (unique_together or index_together) containing a foreign key (#24757).
  • Fixed session cookie deletion when using SESSION_COOKIE_DOMAIN (#24799).
  • On PostgreSQL, when no access is granted for the postgres database, Django now falls back to the default database when it normally requires a “no database” connection (#24791).
  • Fixed display of contrib.admin’s ForeignKey widget when it’s used in a row with other fields (#24784).

New in Django 1.8.1 (May 6, 2015)

  • Bug fixes:
  • Added support for serializing timedelta objects in migrations (#24566).
  • Restored proper parsing of the testserver command’s positional arguments (fixture names) (#24571).
  • Prevented TypeError in translation functions check_for_language() and get_language_bidi() when translations are deactivated (#24569).
  • Fixed squashmigrations command when using SeparateDatabaseAndState (#24278).
  • Stripped microseconds from datetime values when using an older version of the MySQLdb DB API driver as it does not support fractional seconds (#24584).
  • Fixed a migration crash when altering ManyToManyFields (#24513).
  • Fixed a crash with QuerySet.update() on foreign keys to one-to-one fields (#24578).
  • Fixed a regression in the model detail view of admindocs when a model has a reverse foreign key relation (#24624).
  • Prevented arbitrary file inclusions in admindocs (#24625).
  • Fixed a crash with QuerySet.update() on foreign keys to instances with uuid primary keys (#24611).
  • Fixed database introspection with SQLite 3.8.9 (released April 8, 2015) (#24637).
  • Updated urlpatterns examples generated by startproject to remove usage of referencing views by dotted path in url() which is deprecated in Django 1.8 (#24635).
  • Fixed queries where an expression was referenced in order_by(), but wasn’t part of the select clause. An example query is qs.annotate(foo=F('field')).values('pk').order_by('foo')) (#24615).
  • Fixed a database table name quoting regression (#24605).
  • Prevented the loss of null/not null column properties during field alteration of MySQL databases (#24595).
  • Fixed JavaScript path of contrib.admin’s related field widget when using alternate static file storages (#24655).
  • Fixed a migration crash when adding new relations to models (#24573).
  • Fixed a migration crash when applying migrations with model managers on Python 3 that were generated on Python 2 (#24701).
  • Restored the ability to use iterators as queryset filter arguments (#24719).
  • Fixed a migration crash when renaming the target model of a many-to-many relation (#24725).
  • Removed flushing of the test database with --keepdb, which prevented apps with data migrations from using the option (#24729).
  • Fixed makemessages crash in some locales (#23271).
  • Fixed help text positioning of contrib.admin fields that use the ModelAdmin.filter_horizontal and filter_vertical options (#24676).
  • Fixed AttributeError: function ‘GDALAllRegister’ not found error when initializing contrib.gis on Windows.
  • Optimizations:
  • Changed ModelState to deepcopy fields instead of deconstructing and reconstructing (#24591). This speeds up the rendering of model states and reduces memory usage when running manage.py migrate.

New in Django 1.7.7 (Mar 19, 2015)

  • DENIAL-OF-SERVICE POSSIBILITY WITH STRIP_TAGS():
  • Last year strip_tags() was changed to work iteratively. The problem is that the size of the input it’s processing can increase on each iteration which results in an infinite loop in strip_tags(). This issue only affects versions of Python that haven’t received a bugfix in HTMLParser; namely Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported the fix for the Python bug into their packages of earlier versions.
  • To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it’s processing increases. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with escape().
  • MITIGATED POSSIBLE XSS ATTACK VIA USER-SUPPLIED REDIRECT URLS:
  • Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe. This issue doesn’t affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there. Browsers we tested also treat URLs prefixed with control characters such as //example.com as relative paths so redirection to an unsafe target isn’t a problem either.
  • However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href.
  • BUG FIXES:
  • Fixed renaming of classes in migrations where renaming a subclass would cause incorrect state to be recorded for objects that referenced the superclass (#24354).
  • Stopped writing migration files in dry run mode when merging migration conflicts. When makemigrations --merge is called with verbosity=3 the migration file is written to stdout (:ticket: 24427).

New in Django 1.7.6 (Mar 10, 2015)

  • Mitigated an XSS attack via properties in ModelAdmin.readonly_fields:
  • The ModelAdmin.readonly_fields attribute in the Django admin allows displaying model fields and model attributes. While the former were correctly escaped, the latter were not. Thus untrusted content could be injected into the admin, presenting an exploitation vector for XSS attacks.
  • In this vulnerability, every model attribute used in readonly_fields that is not an actual model field (e.g. a property) will fail to be escaped even if that attribute is not marked as safe. In this release, autoescaping is now correctly applied.
  • Bug fixes:
  • Fixed crash when coercing ManyRelatedManager to a string (#24352).
  • Fixed a bug that prevented migrations from adding a foreign key constraint when converting an existing field to a foreign key (#24447).

New in Django 1.7.5 (Mar 2, 2015)

  • Bug fixes:
  • Reverted a fix that prevented a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration (#24075) due to severe impact on the test performance (#24251) and problems in multi-database setups (#24298).
  • Fixed a regression that prevented custom fields inheriting from ManyToManyField from being recognized in migrations (#24236).
  • Fixed crash in contrib.sites migrations when a default database isn’t used (#24332).
  • Added the ability to set the isolation level on PostgreSQL with psycopg2 ≥ 2.4.2 (#24318). It was advertised as a new feature in Django 1.6 but it didn’t work in practice.
  • Formats for the Azerbaijani locale (az) have been added.

New in Django 1.7.4 (Mar 2, 2015)

  • Bug fixes:
  • Fixed a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration (#24075).
  • Made the migration’s RenameModel operation rename ManyToManyField tables (#24135).
  • Fixed a migration crash on MySQL when migrating from a OneToOneField to a ForeignKey (#24163).
  • Prevented the static.serve view from producing ResourceWarnings in certain circumstances (security fix regression, #24193).
  • Fixed schema check for ManyToManyField to look for internal type instead of checking class instance, so you can write custom m2m-like fields with the same behavior. (#24104).

New in Django 1.7.3 (Jan 15, 2015)

  • WSGI HEADER SPOOFING VIA UNDERSCORE/DASH CONFLATION:
  • When HTTP headers are placed into the WSGI environ, they are normalized by converting to uppercase, converting all dashes to underscores, and prepending HTTP_. For instance, a header X-Auth-User would become HTTP_X_AUTH_USER in the WSGI environ (and thus also in Django’s request.META dictionary).
  • Unfortunately, this means that the WSGI environ cannot distinguish between headers containing dashes and headers containing underscores: X-Auth-User and X-Auth_User both become HTTP_X_AUTH_USER. This means that if a header is used in a security-sensitive way (for instance, passing authentication information along from a front-end proxy), even if the proxy carefully strips any incoming value for X-Auth-User, an attacker may be able to provide an X-Auth_User header (with underscore) and bypass this protection.
  • In order to prevent such attacks, both Nginx and Apache 2.4+ strip all headers containing underscores from incoming requests by default. Django’s built-in development server now does the same. Django’s development server is not recommended for production use, but matching the behavior of common production servers reduces the surface area for behavior changes during deployment.
  • MITIGATED POSSIBLE XSS ATTACK VIA USER-SUPPLIED REDIRECT URLS:
  • Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security checks for these redirects (namely django.util.http.is_safe_url()) didn’t strip leading whitespace on the tested URL and as such considered URLs like \njavascript:... safe. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from a XSS attack. This bug doesn’t affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.
  • DENIAL-OF-SERVICE ATTACK AGAINST DJANGO.VIEWS.STATIC.SERVE:
  • In older versions of Django, the django.views.static.serve() view read the files it served one line at a time. Therefore, a big file with no newlines would result in memory usage equal to the size of that file. An attacker could exploit this and launch a denial-of-service attack by simultaneously requesting many large files. This view now reads the file in chunks to prevent large memory usage.
  • Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so.
  • DATABASE DENIAL-OF-SERVICE WITH MODELMULTIPLECHOICEFIELD:
  • Given a form that uses ModelMultipleChoiceField and show_hidden_initial=True (not a documented API), it was possible for a user to cause an unreasonable number of SQL queries by submitting duplicate values for the field’s data. The validation logic in ModelMultipleChoiceField now deduplicates submitted values to address this issue.
  • BUG FIXES:
  • The default iteration count for the PBKDF2 password hasher has been increased by 25%. This part of the normal major release process was inadvertently omitted in 1.7. This backwards compatible change will not affect users who have subclassed django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default value.
  • Fixed a crash in the CSRF middleware when handling non-ASCII referer header (#23815).
  • Fixed a crash in the django.contrib.auth.redirect_to_login view when passing a reverse_lazy() result on Python 3 (#24097).
  • Added correct formats for Greek (el) (#23967).
  • Fixed a migration crash when unapplying a migration where multiple operations interact with the same model (#24110).

New in Django 1.7.2 (Jan 3, 2015)

  • Bug fixes:
  • Fixed migration’s renaming of auto-created many-to-many tables when changing Meta.db_table (#23630).
  • Fixed a migration crash when adding an explicit id field to a model on SQLite (#23702).
  • Added a warning for duplicate models when a module is reloaded. Previously a RuntimeError was raised every time two models clashed in the app registry. (#23621).
  • Prevented flush from loading initial data for migrated apps (#23699).
  • Fixed a makemessages regression in 1.7.1 when STATIC_ROOT has the default None value (#23717).
  • Added GeoDjango compatibility with mysqlclient database driver.
  • Fixed MySQL 5.6+ crash with GeometryFields in migrations (#23719).
  • Fixed a migration crash when removing a field that is referenced in AlterIndexTogether or AlterUniqueTogether (#23614).
  • Updated the first day of the week in the Ukrainian locale to Monday.
  • Added support for transactional spatial metadata initialization on SpatiaLite 4.1+ (#23152).
  • Fixed a migration crash that prevented changing a nullable field with a default to non-nullable with the same default (#23738).
  • Fixed a migration crash when adding GeometryFields with blank=True on PostGIS (#23731).
  • Allowed usage of DateTimeField() as Transform.output_field (#23420).
  • Fixed a migration serializing bug involving float("nan") and float("inf") (#23770).
  • Fixed a regression where custom form fields having a queryset attribute but no limit_choices_to could not be used in a ModelForm (#23795).
  • Fixed a custom field type validation error with MySQL backend when db_type returned None (#23761).
  • Fixed a migration crash when a field is renamed that is part of an index_together (#23859).
  • Fixed squashmigrations to respect the --no-optimize parameter (#23799).
  • Made RenameModel reversible (#22248)
  • Avoided unnecessary rollbacks of migrations from other apps when migrating backwards (#23410).
  • Fixed a rare query error when using deeply nested subqueries (#23605).
  • Fixed a crash in migrations when deleting a field that is part of a index/unique_together constraint (#23794).
  • Fixed django.core.files.File.__repr__() when the file’s name contains Unicode characters (#23888).
  • Added missing context to the admin’s delete_selected view that prevented custom site header, etc. from appearing (#23898).
  • Fixed a regression with dynamically generated inlines and allowed field references in the admin (#23754).
  • Fixed an infinite loop bug for certain cyclic migration dependencies, and made the error message for cyclic dependencies much more helpful.
  • Added missing index_together handling for SQLite (#23880).
  • Fixed a crash when RunSQL SQL content was collected by the schema editor, typically when using sqlmigrate (#23909).
  • Fixed a regression in contrib.admin add/change views which caused some ModelAdmin methods to receive the incorrect obj value (#23934).
  • Fixed runserver crash when socket error message contained Unicode characters (#23946).
  • Fixed serialization of type when adding a deconstruct() method (#23950).
  • Prevented the SessionAuthenticationMiddleware from setting a "Vary: Cookie" header on all responses (#23939).
  • Fixed a crash when adding blank=True to TextField() on MySQL (#23920).
  • Fixed index creation by the migration infrastructure, particularly when dealing with PostgreSQL specific {text|varchar}_pattern_ops indexes (#23954).
  • Fixed bug in makemigrations that created broken migration files when dealing with multiple table inheritance and inheriting from more than one model (#23956).
  • Fixed a crash when a MultiValueField has invalid data (#23674).
  • Fixed a crash in the admin when using “Save as new” and also deleting a related inline (#23857).
  • Always converted related_name to text (unicode), since that is required on Python 3 for interpolation. Removed conversion of related_name to text in migration deconstruction (#23455 and #23982).
  • Enlarged the sizes of tablespaces which are created by default for testing on Oracle (the main tablespace was increased from 200M to 300M and the temporary tablespace from 100M to 150M). This was required to accommodate growth in Django’s own test suite (#23969).
  • Fixed timesince filter translations in Korean (#23989).
  • Fixed the SQLite SchemaEditor to properly add defaults in the absence of a user specified default. For example, a CharField with blank=True didn’t set existing rows to an empty string which resulted in a crash when adding the NOT NULL constraint (#23987).
  • makemigrations no longer prompts for a default value when adding TextField() or CharField() without a default (#23405).
  • Fixed a migration crash when adding order_with_respect_to to a table with existing rows (#23983).
  • Restored the pre_migrate signal if all apps have migrations (#23975).
  • Made admin system checks run for custom AdminSites (#23497).
  • Ensured the app registry is fully populated when unpickling models. When an external script (like a queueing infrastructure) reloads pickled models, it could crash with an AppRegistryNotReady exception (#24007).
  • Added quoting to field indexes in the SQL generated by migrations to prevent a crash when the index name requires it (##24015).
  • Added datetime.time support to migrations questioner (#23998).
  • Fixed admindocs crash on apps installed as eggs (#23525).
  • Changed migrations autodetector to generate an AlterModelOptions operation instead of DeleteModel and CreateModel operations when changing Meta.managed. This prevents data loss when changing managed from False to True and vice versa (#24037).
  • Enabled the sqlsequencereset command on apps with migrations (#24054).
  • Added tablespace SQL to apps with migrations (#24051).
  • Corrected contrib.sites default site creation in a multiple database setup (#24000).
  • Restored support for objects that aren’t str or bytes in mark_for_escaping() on Python 3.
  • Supported strings escaped by third-party libraries with the __html__ convention in the template engine (#23831).
  • Prevented extraneous DROP DEFAULT SQL in migrations (#23581).
  • Restored the ability to use more than five levels of subqueries (#23758).
  • Fixed crash when ValidationError is initialized with a ValidationError that is initialized with a dictionary (#24008).
  • Prevented a crash on apps without migrations when running migrate --list (#23366).

New in Django 1.7.1 (Nov 25, 2014)

  • Bug fixes:
  • Allowed related many-to-many fields to be referenced in the admin (#23604).
  • Added a more helpful error message if you try to migrate an app without first creating the contenttypes table (#22411).
  • Modified migrations dependency algorithm to avoid possible infinite recursion.
  • Fixed a UnicodeDecodeError when the flush error message contained Unicode characters (#22882).
  • Reinstated missing CHECK SQL clauses which were omitted on some backends when not using migrations (#23416).
  • Fixed serialization of type objects in migrations (#22951).
  • Allowed inline and hidden references to admin fields (#23431).
  • The @deconstructible decorator now fails with a ValueError if the decorated object cannot automatically be imported (#23418).
  • Fixed a typo in an inlineformset_factory() error message that caused a crash (#23451).
  • Restored the ability to use ABSOLUTE_URL_OVERRIDES with the 'auth.User' model (#11775). As a side effect, the setting now adds a get_absolute_url() method to any model that appears in ABSOLUTE_URL_OVERRIDES but doesn’t define get_absolute_url().
  • Avoided masking some ImportError exceptions during application loading (#22920).
  • Empty index_together or unique_together model options no longer results in infinite migrations (#23452).
  • Fixed crash in contrib.sitemaps if lastmod returned a date rather than a datetime (#23403).
  • Allowed migrations to work with app_labels that have the same last part (e.g. django.contrib.auth and vendor.auth) (#23483).
  • Restored the ability to deepcopy F objects (#23492).
  • Formats for Welsh (cy) and several Chinese locales (zh_CN, zh_Hans, zh_Hant and zh_TW) have been added. Formats for Macedonian have been fixed (trailing dot removed, #23532).
  • Added quoting of constraint names in the SQL generated by migrations to prevent crash with uppercase characters in the name (#23065).
  • Fixed renaming of models with a self-referential many-to-many field (ManyToManyField('self')) (#23503).
  • Added the get_extra(), get_max_num(), and get_min_num() hooks to GenericInlineModelAdmin (#23539).
  • Made migrations.RunSQL no longer require percent sign escaping. This is now consistent with cursor.execute() (#23426).
  • Made the SERIALIZE entry in the TEST dictionary usable (#23421).
  • Fixed bug in migrations that prevented foreign key constraints to unmanaged models with a custom primary key (#23415).
  • Added SchemaEditor for MySQL GIS backend so that spatial indexes will be created for apps with migrations (#23538).
  • Added SchemaEditor for Oracle GIS backend so that spatial metadata and indexes will be created for apps with migrations (#23537).
  • Coerced the related_name model field option to unicode during migration generation to generate migrations that work with both Python 2 and 3 (#23455).
  • Fixed MigrationWriter to handle builtin types without imports (#23560).
  • Fixed deepcopy on ErrorList (#23594).
  • Made the admindocs view to browse view details check if the view specified in the URL exists in the URLconf. Previously it was possible to import arbitrary packages from the Python path. This was not considered a security issue because admindocs is only accessible to staff users (#23601).
  • Fixed UnicodeDecodeError crash in AdminEmailHandler with non-ASCII characters in the request (#23593).
  • Fixed missing get_or_create and update_or_create on related managers causing IntegrityError (#23611).
  • Made urlsafe_base64_decode() return the proper type (byte string) on Python 3 (#23333).
  • makemigrations can now serialize timezone-aware values (#23365).
  • Added a prompt to the migrations questioner when removing the null constraint from a field to prevent an IntegrityError on existing NULL rows (#23609).
  • Fixed generic relations in ModelAdmin.list_filter (#23616).
  • Restored RFC compliance for the SMTP backend on Python 3 (#23063).
  • Fixed a crash while parsing cookies containing invalid content (#23638).
  • The system check framework now raises error models.E020 when the class method Model.check() is unreachable (#23615).
  • Made the Oracle test database creation drop the test user in the event of an unclean exit of a previous test run (#23649).
  • Fixed makemigrations to detect changes to Meta.db_table (#23629).
  • Fixed a regression when feeding the Django test client with an empty data string (#21740).
  • Fixed a regression in makemessages where static files were unexpectedly ignored (#23583).

New in Django 1.7 (Sep 4, 2014)

  • A new built-in database migration system. Notes on upgrading from South (a popular third-party application providing migration functionality) are also available.
  • A refactored concept of Django applications. Django applications are no longer tied to the existence of a models files, and can now specify both configuration data and code to be executed as Django starts up.
  • Improvements to the model Field API to support migrations and, in the future, to enable easy addition of composite-key support to Django's ORM.
  • Improvements for custom Manager and QuerySet classes, allowing reverse relationship traversal to specify the Manager to use, and creation of a Manager from a custom QuerySet class.
  • A extensible system check framework which can assist developers in detecting and diagnosing errors.

New in Django 1.6.5 (May 16, 2014)

  • Issue: Caches may incorrectly be allowed to store and serve private data:
  • In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests with a different session, or no session at all. This can lead to information disclosure and can be a vector for cache poisoning.
  • When using Django sessions, Django will set a Vary: Cookie header to ensure caches do not serve cached data to requests from other sessions. However, older versions of Internet Explorer (most likely only Internet Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server 2003) are unable to handle the Vary header in combination with many content types. Therefore, Django would remove the header if the request was made by Internet Explorer.
  • To remedy this, the special behavior for these older Internet Explorer versions has been removed, and the Vary header is no longer stripped from the response. In addition, modifications to the Cache-Control header for all Internet Explorer requests with a Content-Disposition header have also been removed as they were found to have similar issues.
  • Issue: Malformed redirect URLs from user input not correctly validated:
  • The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly.
  • Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an “on success” URL. The security checks for these redirects (namely django.util.http.is_safe_url()) did not correctly validate some malformed URLs, such as http:\\\djangoproject.com, which are accepted by some browsers with more liberal URL parsing.
  • To remedy this, the validation in is_safe_url() has been tightened to be able to handle and correctly validate these malformed URLs.
  • Bug fixes:
  • Made the year_lookup_bounds_for_datetime_field Oracle backend method Python 3 compatible (#22551).
  • Fixed pgettext_lazy crash when receiving bytestring content on Python 2 (#22565).
  • Fixed the SQL generated when filtering by a negated Q object that contains a F object. (#22429).
  • Avoided overwriting data fetched by select_related() in certain cases which could cause minor performance regressions (#22508).

New in Django 1.6.4 (Apr 29, 2014)

  • Bug fixes:
  • Added backwards compatibility support for the django.contrib.messages cookie format of Django 1.4 and earlier to facilitate upgrading to 1.6 from 1.4 (#22426).
  • Restored the ability to reverse() views created using functools.partial() (#22486).
  • Fixed the object_id of the LogEntry that’s created after a user password change in the admin (#22515).

New in Django 1.6.3 (Apr 24, 2014)

  • Unexpected code execution using reverse():
  • Django’s URL handling is based on a mapping of regex patterns (representing the URLs) to callable views, and Django’s own processing consists of matching a requested URL against those patterns to determine the appropriate view to invoke.
  • Caching of anonymous pages could reveal CSRF token:
  • Django includes both a caching framework and a system for preventing cross-site request forgery (CSRF) attacks. The CSRF-protection system is based on a random nonce sent to the client in a cookie which must be sent by the client on future requests and, in forms, a hidden value which must be submitted back with the form.
  • MySQL typecasting:
  • The MySQL database is known to “typecast” on certain queries; for example, when querying a table which contains string values, but using a query which filters based on an integer value, MySQL will first silently coerce the strings to integers and return a result based on that.
  • Other bug fixes and changes:
  • Content retrieved from the GeoIP library is now properly decoded from its default iso-8859-1 encoding (#21996).
  • Fixed AttributeError when using bulk_create() with ForeignObject (#21566).
  • Fixed crash of QuerySets that use F() + timedelta() when their query was compiled more once (#21643).
  • Prevented custom widget class attribute of IntegerField subclasses from being overwritten by the code in their __init__ method (#22245).
  • Improved strip_tags() accuracy (but it still cannot guarantee an HTML-safe result, as stated in the documentation).
  • Fixed a regression in the django.contrib.gis SQL compiler for non-concrete fields (#22250).
  • Fixed ModelAdmin.preserve_filters when running a site with a URL prefix (#21795).
  • Fixed a crash in the find_command management utility when the PATH environment variable wasn’t set (#22256).
  • Fixed changepassword on Windows (#22364).
  • Avoided shadowing deadlock exceptions on MySQL (#22291).
  • Wrapped database exceptions in _set_autocommit (#22321).
  • Fixed atomicity when closing a database connection or when the database server disconnects (#21239 and #21202)
  • Fixed regression in prefetch_related that caused the related objects query to include an unnecessary join (#21760).
  • Additionally, Django’s vendored version of six, django.utils.six has been upgraded to the latest release (1.6.1).

New in Django 1.7 Beta 2 (Mar 21, 2014)

  • Highlights include a schema-migration framework, a new validation tool to help identify and fix common errors, a complete refactoring of how Django identifies and loads applications, and support for custom database lookups.

New in Django 1.6.2 (Feb 7, 2014)

  • Prevented the base geometry object of a prepared geometry to be garbage collected, which could lead to crash Django (#21662).
  • Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters (#21627).
  • The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory (#21581).
  • Fixed mail encoding on Python 3.3.3+ (#21093).
  • Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was.
  • Fixed a regression in multiple-table inheritance exclude() queries (#21787).
  • Added missing items to django.utils.timezone.__all__ (#21880).
  • Fixed a field misalignment issue with select_related() and model inheritance (#21413).
  • Fixed join promotion for negated AND conditions (#21748).
  • Oracle database introspection now works with boolean and float fields (#19884).
  • Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped (#21882).

New in Django 1.6.1 (Dec 16, 2013)

  • Bug fixes:
  • Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3 (#21398).
  • Fixed a regression that prevented a ForeignKey with a hidden reverse manager (related_name ending with ‘+’) from being used as a lookup for prefetch_related (#21410).
  • Fixed Queryset.datetimes raising AttributeError in some situations (#21432).
  • Fixed ModelBackend raising UnboundLocalError if get_user_model() raised an error (#21439).
  • Fixed a regression that prevented editable GenericRelation subclasses from working in ModelForms (#21428).
  • Added missing to_python method for ModelMultipleChoiceField which is required in Django 1.6 to properly detect changes from initial values (#21568).
  • Fixed django.contrib.humanize translations where the unicode sequence for the non-breaking space was returned verbatim (#21415).
  • Fixed loaddata error when fixture file name contained any dots not related to file extensions (#21457) or when fixture path was relative but located in a subdirectory (#21551).
  • Fixed display of inline instances in formsets when parent has 0 for primary key (#21472).
  • Fixed a regression where custom querysets for foreign keys were overwritten if ModelAdmin had ordering set (#21405).
  • Removed mention of a feature in the --locale/-l option of the makemessages and compilemessages commands that never worked as promised: Support of multiple locale names separated by commas. It’s still possible to specify multiple locales in one run by using the option multiple times (#21488, #17181).
  • Fixed a regression that unnecessarily triggered settings configuration when importing get_wsgi_application (#21486).
  • Fixed test client logout() method when using the cookie-based session backend (#21448).
  • Fixed a crash when a GeometryField uses a non-geometric widget (#21496).
  • Fixed password hash upgrade when changing the iteration count (#21535).
  • Fixed a bug in the debug view when the URLconf only contains one element (#21530).
  • Re-added missing search result count and reset link in changelist admin view (#21510).
  • The current language is no longer saved to the session by LocaleMiddleware on every response, but rather only after a logout (#21473).
  • Fixed a crash when executing runserver on non-English systems and when the formatted date in its output contained non-ASCII characters (#21358).
  • Fixed a crash in the debug view after an exception occurred on Python ≥ 3.3 (#21443).
  • Fixed a crash in ImageField on some platforms (Homebrew and RHEL6 reported) (#21355).
  • Fixed a regression when using generic relations in ModelAdmin.list_filter (#21431).

New in Django 1.6 (Nov 8, 2013)

  • Simplified default project and app templates:
  • The default templates used by startproject and startapp have been simplified and modernized. The admin is now enabled by default in new projects; the sites framework no longer is. clickjacking prevention is now on and the database defaults to SQLite.
  • If the default templates don’t suit your tastes, you can use custom project and app templates.
  • Improved transaction management:
  • Django’s transaction management was overhauled. Database-level autocommit is now turned on by default. This makes transaction handling more explicit and should improve performance. The existing APIs were deprecated, and new APIs were introduced, as described in the transaction management docs.
  • Please review carefully the list of known backwards-incompatibilities to determine if you need to make changes in your code.
  • Persistent database connections:
  • Django now supports reusing the same database connection for several requests. This avoids the overhead of re-establishing a connection at the beginning of each request. For backwards compatibility, this feature is disabled by default. See Persistent connections for details.
  • Discovery of tests in any test module:
  • Django 1.6 ships with a new test runner that allows more flexibility in the location of tests. The previous runner (django.test.simple.DjangoTestSuiteRunner) found tests only in the models.py and tests.py modules of a Python package in INSTALLED_APPS.
  • The new runner (django.test.runner.DiscoverRunner) uses the test discovery features built into unittest2 (the version of unittest in the Python 2.7+ standard library, and bundled with Django). With test discovery, tests can be located in any module whose name matches the pattern test*.py.
  • In addition, the test labels provided to ./manage.py test to nominate specific tests to run must now be full Python dotted paths (or directory paths), rather than applabel.TestCase.test_method_name pseudo-paths. This allows running tests located anywhere in your codebase, rather than only in INSTALLED_APPS. For more details, see Testing in Django.
  • This change is backwards-incompatible; see the backwards-incompatibility notes.
  • Time zone aware aggregation:
  • The support for time zones introduced in Django 1.4 didn’t work well with QuerySet.dates(): aggregation was always performed in UTC. This limitation was lifted in Django 1.6. Use QuerySet.datetimes() to perform time zone aware aggregation on a DateTimeField.
  • Support for savepoints in SQLite:
  • Django 1.6 adds support for savepoints in SQLite, with some limitations.
  • BinaryField model field:
  • A new django.db.models.BinaryField model field allows storage of raw binary data in the database.
  • GeoDjango form widgets:
  • GeoDjango now provides form fields and widgets for its geo-specialized fields. They are OpenLayers-based by default, but they can be customized to use any other JS framework.
  • Check management command added for verifying compatibility
  • A check management command was added, enabling you to verify if your current configuration (currently oriented at settings) is compatible with the current version of Django.
  • Model.save() algorithm changed:
  • The Model.save() method now tries to directly UPDATE the database if the instance has a primary key value. Previously SELECT was performed to determine if UPDATE or INSERT were needed. The new algorithm needs only one query for updating an existing row while the old algorithm needed two. See Model.save() for more details.
  • In some rare cases the database doesn’t report that a matching row was found when doing an UPDATE. An example is the PostgreSQL ON UPDATE trigger which returns NULL. In such cases it is possible to set django.db.models.Options.select_on_save flag to force saving to use the old algorithm.
  • Minor features:
  • Authentication backends can raise PermissionDenied to immediately fail the authentication chain.
  • The HttpOnly flag can be set on the CSRF cookie with CSRF_COOKIE_HTTPONLY.
  • The assertQuerysetEqual() now checks for undefined order and raises ValueError if undefined order is spotted. The order is seen as undefined if the given QuerySet isn’t ordered and there are more than one ordered values to compare against.
  • Added earliest() for symmetry with latest().
  • In addition to year, month and day, the ORM now supports hour, minute and second lookups.
  • Django now wraps all PEP-249 exceptions.
  • The default widgets for EmailField, URLField, IntegerField, FloatField and DecimalField use the new type attributes available in HTML5 (type='email', type='url', type='number'). Note that due to erratic support of the number input type with localized numbers in current browsers, Django only uses it when numeric fields are not localized.
  • The number argument for lazy plural translations can be provided at translation time rather than at definition time.
  • For custom management commands: Verification of the presence of valid settings in commands that ask for it by using the can_import_settings internal option is now performed independently from handling of the locale that should be active during the execution of the command. The latter can now be influenced by the new leave_locale_alone internal option. See Management commands and locales for more details.
  • The success_url of DeletionMixin is now interpolated with its object’s __dict__.
  • HttpResponseRedirect and HttpResponsePermanentRedirect now provide an url attribute (equivalent to the URL the response will redirect to).
  • The MemcachedCache cache backend now uses the latest pickle protocol available.
  • Added SuccessMessageMixin which provides a success_message attribute for FormView based classes.
  • Added the django.db.models.ForeignKey.db_constraint and django.db.models.ManyToManyField.db_constraint options.
  • The jQuery library embedded in the admin has been upgraded to version 1.9.1.
  • Syndication feeds (django.contrib.syndication) can now pass extra context through to feed templates using a new Feed.get_context_data() callback.
  • The admin list columns have a column- class in the HTML so the columns header can be styled with CSS, e.g. to set a column width.
  • The isolation level can be customized under PostgreSQL.
  • The blocktrans template tag now respects TEMPLATE_STRING_IF_INVALID for variables not present in the context, just like other template constructs.
  • SimpleLazyObjects will now present more helpful representations in shell debugging situations.
  • Generic GeometryField is now editable with the OpenLayers widget in the admin.
  • The documentation contains a deployment checklist.
  • The diffsettings command gained a --all option.
  • django.forms.fields.Field.__init__ now calls super(), allowing field mixins to implement __init__() methods that will reliably be called.
  • The validate_max parameter was added to BaseFormSet and formset_factory(), and ModelForm and inline versions of the same. The behavior of validation for formsets with max_num was clarified. The previously undocumented behavior that hardened formsets against memory exhaustion attacks was documented, and the undocumented limit of the higher of 1000 or max_num forms was changed so it is always 1000 more than max_num.
  • Added BCryptSHA256PasswordHasher to resolve the password truncation issue with bcrypt.
  • Pillow is now the preferred image manipulation library to use with Django. PIL is pending deprecation (support to be removed in Django 1.8). To upgrade, you should first uninstall PIL, then install Pillow.
  • ModelForm accepts several new Meta options.
  • Fields included in the localized_fields list will be localized (by setting localize on the form field).
  • The labels, help_texts and error_messages options may be used to customize the default fields, see Overriding the default fields for details.
  • The choices argument to model fields now accepts an iterable of iterables instead of requiring an iterable of lists or tuples.
  • The reason phrase can be customized in HTTP responses using reason_phrase.
  • When giving the URL of the next page for logout(), password_reset(), password_reset_confirm(), and password_change(), you can now pass URL names and they will be resolved.
  • The dumpdata manage.py command now has a --pks option which will allow users to specify the primary keys of objects they want to dump. This option can only be used with one model.
  • Added QuerySet methods first() and last() which are convenience methods returning the first or last object matching the filters. Returns None if there are no objects matching.
  • View and RedirectView now support HTTP PATCH method.
  • GenericForeignKey now takes an optional for_concrete_model argument, which when set to False allows the field to reference proxy models. The default is True to retain the old behavior.
  • The LocaleMiddleware now stores the active language in session if it is not present there. This prevents loss of language settings after session flush, e.g. logout.
  • SuspiciousOperation has been differentiated into a number of subclasses, and each will log to a matching named logger under the django.security logging hierarchy. Along with this change, a handler400 mechanism and default view are used whenever a SuspiciousOperation reaches the WSGI handler to return an HttpResponseBadRequest.
  • The DoesNotExist exception now includes a message indicating the name of the attribute used for the lookup.
  • The get_or_create() method no longer requires at least one keyword argument.
  • The SimpleTestCase class includes a new assertion helper for testing formset errors: assertFormsetError().
  • The list of related fields added to a QuerySet by select_related() can be cleared using select_related(None).
  • The get_extra() and get_max_num() methods on InlineModelAdmin may be overridden to customize the extra and maximum number of inline forms.
  • Formsets now have a total_error_count() method.
  • ModelForm fields can now override error messages defined in model fields by using the error_messages argument of a Field’s constructor. To take advantage of this new feature with your custom fields, see the updated recommendation for raising a ValidationError.
  • ModelAdmin now preserves filters on the list view after creating, editing or deleting an object. It’s possible to restore the previous behavior of clearing filters by setting the preserve_filters attribute to False.
  • Added FormMixin.get_prefix (which returns FormMixin.prefix by default) to allow customizing the prefix of the form.
  • Raw queries (Manager.raw() or cursor.execute()) can now use the “pyformat” parameter style, where placeholders in the query are given as '%(name)s' and the parameters are passed as a dictionary rather than a list (except on SQLite). This has long been possible (but not officially supported) on MySQL and PostgreSQL, and is now also available on Oracle.
  • The default iteration count for the PBKDF2 password hasher has been increased by 20%. This backwards compatible change will not affect existing passwords or users who have subclassed django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default value. Passwords will be upgraded to use the new iteration count as necessary.

New in Django 1.5.5 (Oct 25, 2013)

  • Fixes a couple security-related bugs and several other bugs in the 1.5 series.
  • Readdressed denial-of-service via password hashers:
  • Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
  • Properly rotate CSRF token on login:
  • This behavior introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.
  • Bug fixes:
  • Fixed a data corruption bug with datetime_safe.datetime.combine (#21256).
  • Fixed a Python 3 incompatability in django.utils.text.unescape_entities() (#21185).
  • Fixed a couple data corruption issues with QuerySet edge cases under Oracle and MySQL (#21203, #21126).
  • Fixed crashes when using combinations of annotate(), select_related(), and only() (#16436).

New in Django 1.5.4 (Sep 16, 2013)

  • It addresses two security issues and one bug:
  • Denial-of-service via password hashers:
  • In previous versions of Django, no limit was imposed on the plaintext length of a password. This allowed a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash.
  • As of 1.5.4, Django’s authentication framework imposes a 4096-byte limit on passwords, and will fail authentication with any submitted password of greater length.
  • Corrected usage of sensitive_post_parameters() in django.contrib.auth’s admin:
  • The decoration of the add_view and user_change_password user admin views with sensitive_post_parameters() did not include method_decorator() (required since the views are methods) resulting in the decorator not being properly applied. This usage has been fixed and sensitive_post_parameters() will now throw an exception if it’s improperly used.
  • Bug fix:
  • Fixed a bug that prevented a QuerySet that uses prefetch_related() from being pickled and unpickled more than once (the second pickling attempt raised an exception) (#21102).

New in Django 1.5.3 (Sep 11, 2013)

  • It addresses one security issue and also contains an opt-in feature to enhance the security of django.contrib.sessions:
  • Directory traversal vulnerability in ssi template tag
  • Mitigating a remote-code execution vulnerability in django.contrib.sessions

New in Django 1.5.2 (Aug 14, 2013)

  • Mitigated possible XSS attack via user-supplied redirect URLs
  • Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an “on success” URL. The security checks for these redirects (namely django.util.http.is_safe_url()) didn’t check if the scheme is http(s) and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, he could suffer from a XSS attack. This bug doesn’t affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.
  • XSS vulnerability in django.contrib.admin:
  • If a URLField is used in Django 1.5, it displays the current value of the field and a link to the target on the admin change page. The display routine of this widget was flawed and allowed for XSS.
  • Bug fixes:
  • Fixed a crash with prefetch_related() (#19607) as well as some pickle regressions with prefetch_related (#20157 and #20257).
  • Fixed a regression in django.contrib.gis in the Google Map output on Python 3 (#20773).
  • Made DjangoTestSuiteRunner.setup_databases properly handle aliases for the default database (#19940) and prevented teardown_databases from attempting to tear down aliases (#20681).
  • Fixed the django.core.cache.backends.memcached.MemcachedCache backend’s get_many() method on Python 3 (#20722).
  • Fixed django.contrib.humanize translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
  • Added support for wheel packages (#19252).
  • The CSRF token now rotates when a user logs in.
  • Some Python 3 compatibility fixes including #20212 and #20025.
  • Fixed some rare cases where get() exceptions recursed infinitely (#20278).
  • makemessages no longer crashes with UnicodeDecodeError (#20354).
  • Fixed geojson detection with Spatialite.
  • assertContains() once again works with binary content (#20237).
  • Fixed ManyToManyField if it has a unicode name parameter (#20207).
  • Ensured that the WSGI request’s path is correctly based on the SCRIPT_NAME environment variable or the FORCE_SCRIPT_NAME setting, regardless of whether or not either has a trailing slash (#20169).
  • Fixed an obscure bug with the override_settings() decorator. If you hit an AttributeError: 'Settings' object has no attribute '_original_allowed_hosts' exception, it’s probably fixed (#20636).

New in Django 1.6 Alpha 1 (May 27, 2013)

  • Simplified default project and app templates
  • Improved transaction management
  • Persistent database connections
  • Discovery of tests in any test module
  • Time zone aware aggregation
  • Support for savepoints in SQLite
  • BinaryField model field
  • GeoDjango form widgets
  • Minor features:
  • Authentication backends can raise PermissionDenied to immediately fail the authentication chain.
  • The HttpOnly flag can be set on the CSRF cookie with CSRF_COOKIE_HTTPONLY.
  • The assertQuerysetEqual() now checks for undefined order and raises ValueError if undefined order is spotted. The order is seen as undefined if the given QuerySet isn’t ordered and there are more than one ordered values to compare against.
  • Added earliest() for symmetry with latest().
  • In addition to year, month and day, the ORM now supports hour, minute and second lookups.
  • Django now wraps all PEP-249 exceptions.
  • The default widgets for EmailField, URLField, IntegerField, FloatField and DecimalField use the new type attributes available in HTML5 (type=’email’, type=’url’, type=’number’). Note that due to erratic support of the number input type with localized numbers in current browsers, Django only uses it when numeric fields are not localized.
  • The number argument for lazy plural translations can be provided at translation time rather than at definition time.
  • For custom management commands: Verification of the presence of valid settings in commands that ask for it by using the can_import_settings internal option is now performed independently from handling of the locale that should be active during the execution of the command. The latter can now be influenced by the new leave_locale_alone internal option. See Management commands and locales for more details.
  • The success_url of DeletionMixin is now interpolated with its object‘s __dict__.
  • HttpResponseRedirect and HttpResponsePermanentRedirect now provide an url attribute (equivalent to the URL the response will redirect to).
  • The MemcachedCache cache backend now uses the latest pickle protocol available.
  • Added SuccessMessageMixin which provides a success_message attribute for FormView based classes.
  • Added the django.db.models.ForeignKey.db_constraint and django.db.models.ManyToManyField.db_constraint options.
  • The jQuery library embedded in the admin has been upgraded to version 1.9.1.
  • Syndication feeds (django.contrib.syndication) can now pass extra context through to feed templates using a new Feed.get_context_data() callback.
  • The admin list columns have a column- class in the HTML so the columns header can be styled with CSS, e.g. to set a column width.
  • The isolation level can be customized under PostgreSQL.
  • The blocktrans template tag now respects TEMPLATE_STRING_IF_INVALID for variables not present in the context, just like other template constructs.
  • SimpleLazyObjects will now present more helpful representations in shell debugging situations.
  • Generic GeometryField is now editable with the OpenLayers widget in the admin.
  • The Model.save() will do UPDATE - if not updated - INSERT instead of SELECT - if not found INSERT else UPDATE in case the model’s primary key is set.
  • The documentation contains a deployment checklist.
  • The diffsettings comand gained a --all option.
  • django.forms.fields.Field.__init__ now calls super(), allowing field mixins to implement __init__() methods that will reliably be called.
  • The validate_max parameter was added to BaseFormSet and formset_factory(), and ModelForm and inline versions of the same. The behavior of validation for formsets with max_num was clarified. The previously undocumented behavior that hardened formsets against memory exhaustion attacks was documented, and the undocumented limit of the higher of 1000 or max_num forms was changed so it is always 1000 more than max_num.
  • Added BCryptSHA256PasswordHasher to resolve the password truncation issue with bcrypt.
  • Pillow is now the preferred image manipulation library to use with Django. PIL is pending deprecation (support to be removed in Django 1.8). To upgrade, you should first uninstall PIL, then install Pillow.
  • ModelForm accepts a new Meta option: localized_fields. Fields included in this list will be localized (by setting localize on the form field).
  • The choices argument to model fields now accepts an iterable of iterables instead of requiring an iterable of lists or tuples.
  • The reason phrase can be customized in HTTP responses.
  • When giving the URL of the next page for logout(), password_reset(), password_reset_confirm(), and password_change(), you can now pass URL names and they will be resolved.
  • The dumpdata manage.py command now has a –pks option which will allow users to specify the primary keys of objects they want to dump. This option can only be used with one model.
  • Added QuerySet methods first() and last() which are convenience methods returning the first or last object matching the filters. Returns None if there are no objects matching.
  • View and RedirectView now support HTTP PATCH method.
  • GenericForeignKey now takes an optional for_concrete_model argument, which when set to False allows the field to reference proxy models. The default is True to retain the old behavior.
  • The middleware LocaleMiddleware now stores active language in session if it is not present there. This prevents loss of language settings after session flush, e.g. logout.
  • SuspiciousOperation has been differentiated into a number of subclasses, and each will log to a matching named logger under the django.security logging hierarchy. Along with this change, a handler400 mechanism and default view are used whenever a SuspiciousOperation reaches the WSGI handler to return an HttpResponseBadRequest.
  • The DoesNotExist exception now includes a message indicating the name of the attribute used for the lookup.

New in Django 1.5.1 (May 27, 2013)

  • This is Django 1.5.1, a bugfix release for Django 1.5. It’s completely backwards compatible with Django 1.5, but includes a handful of fixes.
  • The biggest fix is for a memory leak introduced in Django 1.5. Under certain circumstances, repeated iteration over querysets could leak memory - sometimes quite a bit of it. If you’d like more information, the details are in our ticket tracker (and in a related issue in Python itself).
  • If you’ve noticed memory problems under Django 1.5, upgrading to 1.5.1 should fix those issues.
  • Django 1.5.1 also includes a couple smaller fixes:
  • Module-level warnings emitted during tests are no longer silently hidden (#18985).
  • Prevented filtering on password hashes in the user admin (#20078).

New in Django 1.4 RC 2 (Mar 15, 2012)

  • What's new:
  • Support for in-browser testing frameworks
  • SELECT FOR UPDATE support
  • Model.objects.bulk_create in the ORM
  • QuerySet.prefetch_related
  • Improved password hashing
  • HTML5 doctype
  • List filters in admin interface
  • Multiple sort in admin interface
  • New ModelAdmin methods
  • Admin inlines respect user permissions
  • Tools for cryptographic signing
  • Cookie-based session backend
  • New form wizard
  • reverse_lazy
  • Translating URL patterns
  • Contextual translation support for {% trans %} and {% blocktrans %}
  • Customizable SingleObjectMixin URLConf kwargs
  • Assignment template tags
  • *args and **kwargs support for template tag helper functions
  • No wrapping of exceptions in TEMPLATE_DEBUG mode
  • truncatechars template filter
  • static template tag
  • CachedStaticFilesStorage storage backend
  • Simple clickjacking protection
  • CSRF improvements
  • Error report filtering
  • Extended IPv6 support
  • Updated default project layout and manage.py
  • Improved WSGI support
  • Custom project and app templates
  • Support for time zones
  • HTML comparisons in tests
  • Two new date format strings
  • Minor features:
  • A more usable stacktrace in the technical 500 page. Frames in the stack trace that reference Django's framework code are dimmed out, while frames in application code are slightly emphasized. This change makes it easier to scan a stacktrace for issues in application code.Tablespace support in PostgreSQL.Customizable names for simple_tag().In the documentation, a helpful security overview page.The django.contrib.auth.models.check_password() function has been moved to the django.contrib.auth.hashers module. Importing it from the old location will still work, but you should update your imports.The collectstatic management command now has a --clear option to delete all files at the destination before copying or linking the static files.It's now possible to load fixtures containing forward references when using MySQL with the InnoDB database engine.A new 403 response handler has been added as 'django.views.defaults.permission_denied'. You can set your own handler by setting the value of django.conf.urls.handler403. See the documentation about the 403 (HTTP Forbidden) view for more information.The makemessages command uses a new and more accurate lexer, JsLex, for extracting translatable strings from JavaScript files.
  • The trans template tag now takes an optional as argument to be able to retrieve a translation string without displaying it but setting a template context variable instead.
  • The if template tag now supports {% elif %} clauses.
  • If your Django app is behind a proxy, you might find the new SECURE_PROXY_SSL_HEADER setting useful. It solves the problem of your proxy "eating" the fact that a request came in via HTTPS. But only use this setting if you know what you're doing.
  • A new, plain-text, version of the HTTP 500 status code internal error page served when DEBUG is True is now sent to the client when Django detects that the request has originated in JavaScript code. (is_ajax() is used for this.)
  • Like its HTML counterpart, it contains a collection of different pieces of information about the state of the application.
  • This should make it easier to read when debugging interaction with client-side JavaScript.
  • Added the --no-location option to the makemessages command.
  • Changed the locmem cache backend to use pickle.HIGHEST_PROTOCOL for better compatibility with the other cache backends.
  • Added support in the ORM for generating SELECT queries containing DISTINCT ON.
  • The distinct() QuerySet method now accepts an optional list of model field names. If specified, then the DISTINCT statement is limited to these fields. This is only supported in PostgreSQL.
  • For more details, see the documentation for distinct().
  • The admin login page will add a password reset link if you include a URL with the name 'admin_password_reset' in your urls.py, so plugging in the built-in password reset mechanism and making it available is now much easier. For details, see Adding a password-reset feature.
  • The MySQL database backend can now make use of the savepoint feature implemented by MySQL version 5.0.3 or newer with the InnoDB storage engine.
  • It's now possible to pass initial values to the model forms that are part of both model formsets and inline model formsets as returned from factory functions modelformset_factory and inlineformset_factory respectively just like with regular formsets. However, initial values only apply to extra forms, i.e. those which are not bound to an existing model instance.
  • The sitemaps framework can now handle HTTPS links using the new Sitemap.protocol class attribute.
  • A new django.test.SimpleTestCase subclass of unittest.TestCase that's lighter than django.test.TestCase and company. It can be useful in tests that don't need to hit a database

New in Django 1.3.1 (Mar 15, 2012)

  • Session manipulation.
  • Denial of service attack via URLField.
  • URLField redirection.
  • Advisory: Host header and CSRF.
  • Advisory: DEBUG pages and sensitive POST data.

New in Django 1.3 (Mar 23, 2011)

  • A framework for writing class-based views.
  • Built-in support for using Python’s logging facilities.
  • Contrib support for easy handling of static files.
  • Django’s testing framework now supports (and ships with a copy of) the unittest2 library.

New in Django 1.2.5 (Feb 9, 2011)

  • Backwards incompatible changes:
  • FileField no longer deletes files
  • Use of custom SQL to load initial data in tests
  • ModelAdmin.lookup_allowed signature changed

New in Django 1.1.2 (May 14, 2010)

  • Test runner exit status code:
  • The exit status code of the test runners (tests/runtests.py and python manage.py test) no longer represents the number of failed tests, since a failure of 256 or more tests resulted in a wrong exit status code. The exit status code for the test runner is now 0 for success (no failing tests) and 1 for any number of test failures. If needed, the number of test failures can be found at the end of the test runner’s output.
  • Cookie encoding:
  • To fix bugs with cookies in Internet Explorer, Safari, and possibly other browsers, our encoding of cookie values was changed so that the characters comma and semi-colon are treated as non-safe characters, and are therefore encoded as \054 and \073 respectively. This could produce backwards incompatibilities, especially if you are storing comma or semi-colon in cookies and have javascript code that parses and manipulates cookie values client-side.
  • One new feature:
  • Ordinarily, a point release would not include new features, but in the case of Django 1.1.2, we have made an exception to this rule. Django 1.2 (the next major release of Django) will contain a feature that will improve protection against Cross-Site Request Forgery (CSRF) attacks. This feature requires the use of a new csrf_token template tag in all forms that Django renders.
  • To make it easier to support both 1.1.X and 1.2.X versions of Django with the same templates, we have decided to introduce the csrf_token template tag to the 1.1.X branch. In the 1.1.X branch, csrf_token does nothing - it has no effect on templates or form processing. However, it means that the same template will work with Django 1.2.

New in Django 1.2 Beta 1 (Mar 9, 2010)

  • CsrfResponseMiddleware and CsrfMiddleware have been deprecated and will be removed completely in Django 1.4, in favor of a template tag that should be inserted into forms.
  • All contrib apps use a csrf_protect decorator to protect the view. This requires the use of the csrf_token template tag in the template. If you have used custom templates for contrib views, you MUST READ THE UPGRADE INSTRUCTIONS to fix those templates.
  • CsrfViewMiddleware is included in MIDDLEWARE_CLASSES by default. This turns on CSRF protection by default, so views that accept POST requests need to be written to work with the middleware. Instructions on how to do this are found in the CSRF docs.
  • All of the CSRF has moved from contrib to core (with backwards compatible imports in the old locations, which are deprecated).

New in Django 1.1 (Aug 11, 2009)

  • ORM improvements:
  • Two major enhancements have been added to Django's object-relational mapper (ORM): aggregate support, and query expressions.
  • Aggregate support:
  • It's now possible to run SQL aggregate queries (i.e. COUNT(), MAX(), MIN(), etc.) from within Django's ORM. You can choose to either return the results of the aggregate directly, or else annotate the objects in a QuerySet with the results of the aggregate query.
  • This feature is available as new QuerySet.aggregate()`() and QuerySet.annotate()`() methods, and is covered in detail in the ORM aggregation documentation.
  • Query expressions:
  • Queries can now refer to a another field on the query and can traverse relationships to refer to fields on related models. This is implemented in the new F object; for full details, including examples, consult the documentation for F expressions.
  • Model improvements:
  • "Unmanaged" models:
  • You can now control whether or not Django manages the life-cycle of the database tables for a model using the managed model option. This defaults to True, meaning that Django will create the appropriate database tables in syncdb and remove them as part of the reset command. That is, Django manages the database table's lifecycle.
  • If you set this to False, however, no database table creating or deletion will be automatically performed for this model. This is useful if the model represents an existing table or a database view that has been created by some other means.
  • Proxy models:
  • You can now create proxy models: subclasses of existing models that only add Python-level (rather than database-level) behavior and aren't represented by a new table. That is, the new model is a proxy for some underlying model, which stores all the real data.
  • All the details can be found in the proxy models documentation. This feature is similar on the surface to unmanaged models, so the documentation has an explanation of how proxy models differ from unmanaged models.
  • Deferred fields:
  • In some complex situations, your models might contain fields which could contain a lot of data (for example, large text fields), or require expensive processing to convert them to Python objects. If you know you don't need those particular fields, you can now tell Django not to retrieve them from the database.
  • You'll do this with the new queryset methods defer() and only().
  • Testing improvements:
  • A few notable improvements have been made to the testing framework.
  • Test performance improvements:
  • Tests written using Django's testing framework now run dramatically faster (as much as 10 times faster in many cases).
  • This was accomplished through the introduction of transaction-based tests: when using django.test.TestCase, your tests will now be run in a transaction which is rolled back when finished, instead of by flushing and re-populating the database. This results in an immense speedup for most types of unit tests. See the documentation for TestCase and TransactionTestCase for a full description, and some important notes on database support.
  • Test client improvements:
  • A couple of small -- but highly useful -- improvements have been made to the test client:
  • The test Client now can automatically follow redirects with the follow argument to Client.get() and Client.post(). This makes testing views that issue redirects simpler.
  • It's now easier to get at the template context in the response returned the test client: you'll simply access the context as request.context[key]. The old way, which treats request.context as a list of contexts, one for each rendered template in the inheritance chain, is still available if you need it.
  • New admin features:
  • Editable fields on the change list¶:
  • You can now make fields editable on the admin list views via the new list_editable admin option. These fields will show up as form widgets on the list pages, and can be edited and saved in bulk.
  • Admin "actions":
  • You can now define admin actions that can perform some action to a group of models in bulk. Users will be able to select objects on the change list page and then apply these bulk actions to all selected objects.
  • Django ships with one pre-defined admin action to delete a group of objects in one fell swoop.
  • Conditional view processing:
  • Django now has much better support for conditional view processing using the standard ETag and Last-Modified HTTP headers. This means you can now easily short-circuit view processing by testing less-expensive conditions. For many views this can lead to a serious improvement in speed and reduction in bandwidth.
  • URL namespaces:
  • Django 1.1 improves named URL patterns with the introduction of URL "namespaces."
  • In short, this feature allows the same group of URLs, from the same application, to be included in a Django URLConf multiple times, with varying (and potentially nested) named prefixes which will be used when performing reverse resolution. In other words, reusable applications like Django's admin interface may be registered multiple times without URL conflicts.
  • Other new features and changes introduced since Django 1.0 include:
  • The CSRF protection middleware has been split into two classes -- CsrfViewMiddleware checks incoming requests, and CsrfResponseMiddleware processes outgoing responses. The combined CsrfMiddleware class (which does both) remains for backwards-compatibility, but using the split classes is now recommended in order to allow fine-grained control of when and where the CSRF processing takes place.
  • reverse() and code which uses it (e.g., the {% url %} template tag) now works with URLs in Django's administrative site, provided that the admin URLs are set up via include(admin.site.urls) (sending admin requests to the admin.site.root view still works, but URLs in the admin will not be "reversible" when configured this way).
  • The include() function in Django URLconf modules can now accept sequences of URL patterns (generated by patterns()) in addition to module names.
  • Instances of Django forms (see the forms overview now have two additional methods, hidden_fields() and visible_fields(), which return the list of hidden -- i.e., -- and visible fields on the form, respectively.
  • The redirect_to generic view (see the generic views documentation) now accepts an additional keyword argument permanent. If permanent is True, the view will emit an HTTP permanent redirect (status code 301). If False, the view will emit an HTTP temporary redirect (status code 302).
  • A new database lookup type -- week_day -- has been added for DateField and DateTimeField. This type of lookup accepts a number between 1 (Sunday) and 7 (Saturday), and returns objects where the field value matches that day of the week. See the full list of lookup types for details.
  • The {% for %} tag in Django's template language now accepts an optional {% empty %} clause, to be displayed when {% for %} is asked to loop over an empty sequence. See the list of built-in template tags for examples of this.
  • The dumpdata management command now accepts individual model names as arguments, allowing you to export the data just from particular models.
  • There's a new safeseq template filter which works just like safe for lists, marking each item in the list as safe.
  • Cache backends now support incr() and decr() commands to increment and decrement the value of a cache key. On cache backends that support atomic increment/decrement -- most notably, the memcached backend -- these operations will be atomic, and quite fast.
  • Django now can easily delegate authentication to the web server via a new authentication backend that supports the standard REMOTE_USER environment variable used for this purpose.
  • There's a new django.shortcuts.redirect() function that makes it easier to issue redirects given an object, a view name, or a URL.
  • The postgresql_psycopg2 backend now supports native PostgreSQL autocommit. This is an advanced, PostgreSQL-specific feature, that can make certain read-heavy applications a good deal faster.

New in Django 1.0.2 (Nov 19, 2008)

  • The primary reason behind this release is to remedy an issue in the recently-released Django 1.0.1; the packaging scripts used for Django 1.0.1 omitted some directories from the final release package, including one directory required by django.contrib.gis and part of Django’s unit-test suite.
  • Django 1.0.2 contains updated packaging scripts, and the release package contains the directories omitted from Django 1.0.1. As such, this release contains all of the fixes and improvements from Django 1.0.1; see the Django 1.0.1 release notes for details.
  • Updated Hebrew and Danish translations have been added.
  • The default __repr__ method of Django models has been made more robust in the face of bad Unicode data coming from the __unicode__ method; rather than raise an exception in such cases, repr() will now contain the string “[Bad Unicode data]” in place of the invalid Unicode.
  • A bug involving the interaction of Django’s SafeUnicode class and the MySQL adapter has been resolved; SafeUnicode instances (generated, for example, by template rendering) can now be assigned to model attributes and saved to MySQL without requiring an explicit intermediate cast to unicode.
  • A bug affecting filtering on a nullable DateField in SQLite has been resolved.
  • Several updates and improvements have been made to Django’s documentation.

New in Django 1.0.1 (Nov 15, 2008)

  • Several fixes in django.contrib.comments, pertaining to RSS feeds of comments, default ordering of comments and the XHTML and internationalization of the default templates for comments.
  • Multiple fixes for Django’s support of Oracle databases, including pagination support for GIS QuerySets, more efficient slicing of results and improved introspection of existing databases.
  • Several fixes for query support in the Django object-relational mapper, including repeated setting and resetting of ordering and fixes for working with INSERT-only queries.
  • Multiple fixes for inline forms in formsets.
  • Multiple fixes for unique and unique_together model constraints in automatically-generated forms.
  • Fixed support for custom callable upload_to declarations when handling file uploads through automatically-generated forms.
  • Fixed support for sorting an admin change list based on a callable attributes in list_display.
  • A fix to the application of autoescaping for literal strings passed to the join template filter. Previously, literal strings passed to join were automatically escaped, contrary to the documented behavior for autoescaping and literal strings. Literal strings passed to join are no longer automatically escaped, meaning you must now manually escape them; this is an incompatibility if you were relying on this bug, but not if you were relying on escaping behaving as documented.
  • Improved and expanded translation files for many of the languages Django supports by default.
  • And as always, a large number of improvements to Django’s documentation, including both corrections to existing documents and expanded and new documentation.