<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.2.4 release notes — Django 1.5.8 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.5.8', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="top" title="Django 1.5.8 documentation" href="../index.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.2.3 release notes" href="1.2.3.html" /> <link rel="prev" title="Django 1.2.5 release notes" href="1.2.5.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. 
return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.5.8 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.2.5.html" title="Django 1.2.5 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.2.3.html" title="Django 1.2.3 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.2.4"> <div class="section" id="s-django-1-2-4-release-notes"> <span id="django-1-2-4-release-notes"></span><h1>Django 1.2.4 release notes<a class="headerlink" href="#django-1-2-4-release-notes" title="Permalink to this headline">¶</a></h1> <p>Welcome to Django 1.2.4!</p> <p>This is the fourth “bugfix” release in the Django 1.2 series, improving 
the stability and performance of the Django 1.2 codebase.</p> <p>With one exception, Django 1.2.4 maintains backwards compatibility with Django 1.2.3. It also contains a number of fixes and other improvements. Django 1.2.4 is a recommended upgrade for any development or deployment currently using or targeting Django 1.2.</p> <p>For full details on the new features, backwards incompatibilities, and deprecated features in the 1.2 branch, see the <a class="reference internal" href="1.2.html"><em>Django 1.2 release notes</em></a>.</p> <div class="section" id="s-backwards-incompatible-changes"> <span id="backwards-incompatible-changes"></span><h2>Backwards incompatible changes<a class="headerlink" href="#backwards-incompatible-changes" title="Permalink to this headline">¶</a></h2> <div class="section" id="s-restricted-filters-in-admin-interface"> <span id="restricted-filters-in-admin-interface"></span><h3>Restricted filters in admin interface<a class="headerlink" href="#restricted-filters-in-admin-interface" title="Permalink to this headline">¶</a></h3> <p>The Django administrative interface, django.contrib.admin, supports filtering of displayed lists of objects by fields on the corresponding models, including across database-level relationships. 
This is implemented by passing lookup arguments in the querystring portion of the URL, and options on the ModelAdmin class allow developers to specify particular fields or relationships which will generate automatic links for filtering.</p> <p>One historically-undocumented and -unofficially-supported feature has been the ability for a user with sufficient knowledge of a model’s structure and the format of these lookup arguments to invent useful new filters on the fly by manipulating the querystring.</p> <p>However, it has been demonstrated that this can be abused to gain access to information outside of an admin user’s permissions; for example, an attacker with access to the admin and sufficient knowledge of model structure and relations could construct query strings which – with repeated use of regular-expression lookups supported by the Django database API – expose sensitive information such as users’ password hashes.</p> <p>To remedy this, django.contrib.admin will now validate that querystring lookup arguments either specify only fields on the model being viewed, or cross relations which have been explicitly whitelisted by the application developer using the pre-existing mechanism mentioned above. This is backwards-incompatible for any users relying on the prior ability to insert arbitrary lookups.</p> </div> </div> <div class="section" id="s-one-new-feature"> <span id="one-new-feature"></span><h2>One new feature<a class="headerlink" href="#one-new-feature" title="Permalink to this headline">¶</a></h2> <p>Ordinarily, a point release would not include new features, but in the case of Django 1.2.4, we have made an exception to this rule.</p> <p>One of the bugs fixed in Django 1.2.4 involves a set of circumstances whereby running a test suite on a multiple-database configuration could cause the original source database (i.e., the actual production database) to be dropped, causing catastrophic loss of data.
In order to provide a fix for this problem, it was necessary to introduce a new setting – <a class="reference internal" href="../ref/settings.html#std:setting-TEST_DEPENDENCIES"><tt class="xref std std-setting docutils literal"><span class="pre">TEST_DEPENDENCIES</span></tt></a> – that allows you to define any creation order dependencies in your database configuration.</p> <p>Most users – even users with multiple-database configurations – need not be concerned about the data loss bug, or the manual configuration of <a class="reference internal" href="../ref/settings.html#std:setting-TEST_DEPENDENCIES"><tt class="xref std std-setting docutils literal"><span class="pre">TEST_DEPENDENCIES</span></tt></a>. See the <a class="reference external" href="https://code.djangoproject.com/ticket/14415">original problem report</a> and the documentation on <a class="reference internal" href="../topics/testing/advanced.html#topics-testing-creation-dependencies"><em>controlling the creation order of test databases</em></a> for details.</p> </div> <div class="section" id="s-geodjango"> <span id="geodjango"></span><h2>GeoDjango<a class="headerlink" href="#geodjango" title="Permalink to this headline">¶</a></h2> <p>The function-based <a class="reference internal" href="../ref/settings.html#std:setting-TEST_RUNNER"><tt class="xref std std-setting docutils literal"><span class="pre">TEST_RUNNER</span></tt></a> previously used to execute the GeoDjango test suite, <tt class="docutils literal"><span class="pre">django.contrib.gis.tests.run_gis_tests</span></tt>, was finally deprecated in favor of a class-based test runner, <a class="reference internal" href="../ref/contrib/gis/testing.html#django.contrib.gis.tests.GeoDjangoTestSuiteRunner" title="django.contrib.gis.tests.GeoDjangoTestSuiteRunner"><tt class="xref py py-class docutils literal"><span class="pre">django.contrib.gis.tests.GeoDjangoTestSuiteRunner</span></tt></a>, added in this release.</p> <p>In addition, the GeoDjango test suite is
now included when <a class="reference internal" href="../internals/contributing/writing-code/unit-tests.html#running-unit-tests"><em>running the Django test suite</em></a> with <tt class="docutils literal"><span class="pre">runtests.py</span></tt> and using <a class="reference internal" href="../ref/contrib/gis/db-api.html#spatial-backends"><em>spatial database backends</em></a>.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <h3>Last update:</h3> <p class="topless">May 15, 2014</p> </div> </div> <div id="ft"> </div> </div> <div class="clearer"></div> </div> </body> </html>
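The check described under "Restricted filters in admin interface", sketched as an added example (a simplified stand-alone model, not Django's own code): a querystring lookup is accepted only if it names a field on the model being viewed, or a cross-relation path the developer has explicitly whitelisted. The schema, the function names and the sample querystring are constructed for illustration; in Django the whitelist corresponds to the ModelAdmin filtering options the notes refer to.

```python
# Added illustration; a simplified model of the validation, not Django's code.
LOOKUP_SEP = "__"

# Subset of Django query terms, enough for this demonstration.
QUERY_TERMS = {
    "exact", "iexact", "contains", "icontains", "regex", "iregex",
    "startswith", "istartswith", "endswith", "in", "gt", "lt", "isnull",
}

# Constructed schema: model name -> field names ("author" is a relation to User).
SCHEMA = {
    "Article": {"id", "title", "published", "author"},
    "User": {"id", "username", "password", "email"},
}


def is_lookup_permitted(model, lookup, whitelisted_paths=()):
    """Return True if a querystring lookup key may be applied to `model`."""
    parts = lookup.split(LOOKUP_SEP)
    # Drop a trailing query term such as __regex or __icontains.
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        parts.pop()
    # The first segment must be a field on the model being viewed.
    if parts[0] not in SCHEMA[model]:
        return False
    # A single segment stays on the viewed model: allowed.
    if len(parts) == 1:
        return True
    # Anything longer crosses a relation and needs an explicit whitelist entry.
    return LOOKUP_SEP.join(parts) in whitelisted_paths


def split_querystring(model, params, whitelisted_paths=()):
    """Partition lookup parameters into (accepted dict, rejected key list)."""
    accepted, rejected = {}, []
    for key, value in params.items():
        if is_lookup_permitted(model, key, whitelisted_paths):
            accepted[key] = value
        else:
            rejected.append(key)  # candidates for logging or a 4xx response
    return accepted, sorted(rejected)


if __name__ == "__main__":
    # Constructed querystring parameters for an Article change list.
    params = {
        "title__icontains": "release",
        "author__username": "alice",
        "author__password__regex": "^x",
    }
    print(split_querystring("Article", params, ("author__username",)))
```

With only `author__username` whitelisted, the two ordinary filters pass and the lookup that walks the relation into the `password` field is rejected, whatever query term is appended to it.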