mirror of https://github.com/django/django.git synced 2025-10-24 14:16:09 +00:00
Commit Graph

5462 Commits

Author SHA1 Message Date
Natalia
8c35a0a903 Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.

Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
2024-09-03 09:22:32 -03:00
Sarah Boyce
320dd27412 Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-09-03 09:22:32 -03:00
github-user-en
ad7f8129f3 Added EMAIL_USE_SSL to the 'Core Settings Topical Index' docs. 2024-09-03 10:16:20 +02:00
Hisham Mahmood
2b2a2c0e26 Fixed #35702 -- Removed connection pooling note for mysql drivers. 2024-08-30 09:08:32 +02:00
Adam Johnson
26a67943ac Removed outdated note about lack of subquery support in MySQL. 2024-08-28 15:55:30 -03:00
Mariusz Felisiak
2b9f0b79bc Fixed typo in docs/ref/models/expressions.txt. 2024-08-28 09:08:16 -03:00
Mariusz Felisiak
fed11ba461 Fixed typo in docs/ref/models/expressions.txt. 2024-08-28 09:08:16 -03:00
nabil-rady
231c0d8593 Fixed #35668 -- Added mapping support to format_html_join. 2024-08-20 08:20:34 +02:00
Clifford Gama
ca1318988c Fixed #35671 -- Clarified string-based fields behavior when null=False. 2024-08-20 08:09:39 +02:00
David Smith
5ae9922666 Fixed typo of --no-startup in django-admin docs. 2024-08-13 11:18:42 +02:00
Devin Cox
e03083917d Fixed #35586 -- Added support for set-returning database functions.
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres.

Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-12 15:35:19 +02:00
Mariusz Felisiak
f883bef054 Refs #35591 -- Removed hardcoded "stable" version in runserver warning. 2024-08-12 10:57:02 +02:00
Andrew Miller
69aa13ffb9 Fixed #35591 -- Added unsuitable for production console warning to runserver. 2024-08-09 10:34:10 +02:00
Jure Cuhalev
f8ef4579ea Doc'd that SessionMiddleware is required for the admin site.
The system check "admin.E410" was already checking for this, but the
requirement was not listed in docs/ref/contrib/admin/index.txt.
2024-08-08 08:48:41 -03:00
Andrew Miller
cec62fb99e Refs #35591 -- Emphasized that runserver is not suitable for production. 2024-08-08 10:08:53 +02:00
Adam Johnson
49815f70e4 Refs #31405 -- Improved LoginRequiredMiddleware documentation.
co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-08 10:05:31 +02:00
Mariusz Felisiak
304d256674 Used :pypi: role in docs where appropriate. 2024-08-05 10:35:50 -03:00
Natalia
90adba85b2 Refs #35380 -- Updated screenshots in admin docs. 2024-08-05 09:02:01 -03:00
Mariusz Felisiak
6d3464cff0 Refs #35601, Refs #35599 -- Made cosmetic edits to TelInput/ColorInput docs. 2024-08-02 17:40:53 -03:00
lucasesposito
b478cae006 Fixed #35601 -- Added TelInput widget. 2024-08-02 11:31:54 +02:00
arjunomray
946c3cf734 Fixed #35599 -- Added ColorInput widget. 2024-08-02 09:51:49 +02:00
Jeremy Thompson
30a60e8492 Fixed #35598 -- Added SearchInput widget. 2024-07-31 13:11:45 +02:00
Lorenzo Peña
0e94f292cd Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant().
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.

Regression in 9e9792228a.
2024-07-25 09:38:46 +02:00
Sarah Boyce
8d6a20b656 Fixed #35604, Refs #35326 -- Made FileSystemStorage.exists() behaviour independent from allow_overwrite.
Partially reverts 0b33a3abc2.

Storage.exists(name) was documented to "return False if
the name is available for a new file." but return True if
the file exists. This is ambiguous in the overwrite file
case. It will now always return whether the file exists.

Thank you to Natalia Bidart and Josh Schneier for the
review.
2024-07-24 14:55:10 +02:00
Matthew Somerville
fb7be022cb Updated example links in urlize docs.
goo.gl links are being removed in 2025:
https://developers.googleblog.com/en/google-url-shortener-links-will-no-longer-be-available/
2024-07-23 14:02:30 +02:00
nessita
cf03aa4e94 Refs #10941 -- Reorganized querystring template tag docs. 2024-07-22 10:31:54 -03:00
Sarah Boyce
27043bde5b Refs #10941 -- Renamed query_string template tag to querystring. 2024-07-15 13:28:55 -03:00
Maryam Yusuf
b5f4d76bc4 Fixed #35464 -- Updated docs to note fieldsets have limited impact on TabularInlines. 2024-07-15 12:43:42 +02:00
Sarah Boyce
9e9792228a Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars.

Thanks to MProgrammer for the report.
2024-07-09 09:21:19 -03:00
Mariusz Felisiak
f302343380 Removed outdated note about limitations in Clickjacking protection.
There is no need to list old browser versions or point users to
workarounds.
2024-07-04 18:08:19 -03:00
Carlton Gibson
704192e478 Removed unneeded hyphens in "counterintuitive".
Follow-up to 65ad4ade74 which added
counterintuitive to the wordlist. Removes unneeded (antiquated)
hyphenated usages.

See e.g. https://www.merriam-webster.com/dictionary/counterintuitive
2024-07-04 08:30:19 +02:00
Simon Charette
65ad4ade74 Refs #28900 -- Made SELECT respect the order specified by values(*selected).
Previously the order was always extra_fields + model_fields + annotations with
respective local ordering inferred from the insertion order of *selected.

This commit introduces a new `Query.selected` property that keeps track of the
global select order as specified on values assignment. This is a crucial
feature to allow the combination of queries mixing annotations and table
references.

It also allows the removal of the re-ordering shenanigans performed by
ValuesListIterable in order to re-map the tuples returned from the database
backend to the order specified by values_list() as they'll be in the right
order at query compilation time.

Refs #28553 as the initially reported issue that was only partially fixed
for annotations by d6b6e5d0fd.

Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-07-03 16:36:25 +02:00
Andrew Miller
aa74c4083e Fixed #23790 -- Warned about renaming AppConfig.label in docs/ref/applications.txt. 2024-07-01 21:52:04 -03:00
Sarah Boyce
72b7b59680 Optimized admin docs images. 2024-06-25 17:45:20 -03:00
nessita
bcc327aa32 Refs #35380 -- Updated screenshots in admin docs.
When listing users, ensure that user first and last name are diverse.
2024-06-25 10:58:36 -03:00
lufafajoshua
3ac0e43207 Fixed #35306 -- Documented fallback localization formats in templates when localization is disabled. 2024-06-24 18:06:44 +02:00
John Higgins
60acad933d Fixed #35441 -- Documented Context and RequestContext keyword arguments. 2024-06-20 09:34:55 +02:00
Baptiste Mispelon
62300b81cf Fixed #12978 -- Added support for RSS feed stylesheets. 2024-06-18 17:25:43 +02:00
stefan.ivic
ce1ad98565 Fixed #35505 -- Added extrabody block to admin/base.html. 2024-06-18 16:49:53 +02:00
lufafajoshua
8733e9af99 Fixed #35470 -- Separated i18n and l10n globalization settings docs. 2024-06-13 09:09:46 +02:00
lufafajoshua
e2428292ab Fixed #35401 -- Documented the conditional_page() decorator. 2024-06-12 13:11:29 +02:00
lufafajoshua
708b01c795 Refs #35401 -- Linked the CsrfViewMiddleware docs to the csrf_protect() decorator. 2024-06-12 13:11:29 +02:00
Mariusz Felisiak
0f694ce2eb Made cosmetic edits to code snippets reformatted with blacken-docs. 2024-05-30 09:42:05 -03:00
Jake Howard
ff308a0604 Fixed 35467 -- Replaced urlparse with urlsplit where appropriate.
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.

Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path` simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
2024-05-29 10:48:27 -03:00
Simon Törnqvist
d3a7ed5bcc Fixed #35443 -- Changed ordinal to return negative numbers unchanged.
Previously, `-1` was converted to `"-1th"`. This has been updated to
return negative numbers "as is", so that for example `-1` is
converted to `"-1"`. This is now explicit in the docs.

Co-authored-by: Martin Jonson <artin.onson@gmail.com>
2024-05-27 10:54:25 +02:00
Mariusz Felisiak
b049bec7cf Fixed #35479 -- Dropped support for PostgreSQL 13 and PostGIS 3.0. 2024-05-27 09:49:25 +02:00
Adam Zapletal
99273fd525 Fixed #24076 -- Added warnings on usage of dates with DateTimeField and datetimes with DateField. 2024-05-23 12:03:57 +02:00
Natalia
05cce083ad Removed versionadded/changed annotations for 5.0.
This also removes remaining versionadded/changed annotations for older
versions.
2024-05-22 15:44:07 -03:00
Hisham Mahmood
c7fc9f20b4 Fixed #31405 -- Added LoginRequiredMiddleware.
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22 08:51:17 +02:00
Natalia
676060d683 Refs #35189 -- Updated ModelAdmin.fieldsets screenshot in admin docs. 2024-05-22 00:13:55 -03:00