On Jenkins with Python 3.10:
Traceback (most recent call last):
File "[...]/python3.10/tests/composite_pk/test_filter.py", line 559, in setUp
self.enterContext(feature_patch)
AttributeError: 'CompositePKFilterTupleLookupFallbackTests' object has no attribute 'enterContext'
When native support for tuple lookups is missing in a DB backend, it can
be emulated with an EXISTS clause. This is controlled by the backend
feature flag "supports_tuple_lookups".
The mishandling of subquery right-hand side in `TupleIn` (added to
support `CompositePrimaryKey` in Refs #373) was likely missed because
the only core backend we test with the feature flag disabled
(Oracle < 23.4) supports it natively.
Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls,
and Natalia Bidart for reviews.
Backport of 192bc7a7be from main.
Value(None, JSONField()) when used in When.condition incorrectly resolved with
for_save=True, resulting in the value being serialized as SQL NULL instead of
JSON null.
Regression in c1fa3fdd04.
Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes
for the review.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 104cbfd44b from main.
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4d.
Thank you to Anders Kaseorg for the report.
Backport of 12c1557060 from main.
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4d.
Backport of cf5f36bf90 from main.
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
Backport of c1fa3fdd04 from main.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9579517552 from main.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559 from main.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
Backport of c075508b4d from main.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d5.
Backport of 90429625a8 from main.
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon
Charette and Jacob Walls for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 66f9eb0ff1 from main.
Previously, any first field of a composite primary key with type
`INTEGER` was incorrectly introspected as an `AutoField` due to SQLite
treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`.
This change ensures that integer fields in composite PKs are not
mistaken for auto-incrementing fields.
Thanks Jacob Walls and Sarah Boyce for the reviews.
Backport of 07100db6f4 from main.
Now that Django properly supports creating models with composite primary
keys, the tests should use a `CompositePrimaryKey` field instead of a
feature flag to inline backend specific SQL for creating a composite PK.
Specifcially, the inspectdb's test_composite_primary_key was adjusted to
use schema editor instead of per-backend raw SQL.
Backport of 4c75858135 from main.
The issue was only manifesting itself when also filtering againt a related
model as that forces the usage of a subquery because SQLUpdateCompiler doesn't
support the UPDATE FROM syntax yet.
Regression in 65ad4ade74.
Refs #28900.
Thanks Gav O'Connor for the detailed report.
Backport of 8ef4e0bd42 from main.
Regression in aba0e541ca and in
d5bebc1c26.
Thanks Florent Messa for the report, and Jake Howard and Claude
Paroz for the review.
Backport of 0596263c31 from main.
Regression in 55d89e25f4.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836 from main.
This reverts commits b1324a680a and
02a5cbfe76. The former caused a regression
in admin sites that relied on the `object-tools` block being inside the
`content` block.
Thank you to Fabian Braun for the report.
Backport of 1bc805e23b from main.
Now that selected aliases are stored in sql.Query.selected: dict[str, Any]
the values_list() method must ensures that duplicate field name references are
assigned unique aliases.
Refs #28900.
Regression in 65ad4ade74.
Thanks Claude for the report.
Backport of 21f8be76d4 from main.
Regression in 65ad4ade74 which allowed for
annotations to be SELECT'ed before model field references through
values()/values_list() and broke assumptions the select_for_update(of)
table infererence logic had about model fields always being first.
Refs #28900.
Thanks OutOfFocus4 for the report and Sarah for the test.
Backport of 71a19a0e47 from main
Swapped to an allow list instead of a deny list for field types to
determine if the UNNEST optimization can be enabled to avoid further
surprises with other types that would require further specialization to
adapt.
Regression in a16eedcf9c.
Thanks Joshua Goodwin for the report and Sarah Boyce for the test.
Backport of 764af7a3d6 from main
Just like the In() lookup discards of None members TupleIn() should
discard tuples containing any None as NULL != NULL in SQL and the
framework expects such queries to be elided under some circumstances.
Refs #31667, #36116.
Thanks Basptise Mispelon for bisecting the regression to 626d77e.
Backport of f7f38f3a0b from main
Thank you Adam Johnson for the report and fix. Thank you Sarah Boyce for
your spot on analysis.
Regression in c09bceef68, which is
partially reverted in this branch.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 27b68bcadf from main.
