ebertti / django-admin-easy

Collection of admin fields and decorators to help to create computed or custom fields more friendly and easy way
https://pypi.org/project/django-admin-easy/
MIT License
471 stars 29 forks source link

Pin django to latest version 1.11 #31

Closed pyup-bot closed 7 years ago

pyup-bot commented 7 years ago

django is not pinned to a specific version.

I'm pinning it to the latest version 1.11 for now.

These links might come in handy: PyPI | Changelog | Homepage

Changelog

1.10.7

===========================

April 4, 2017

Django 1.10.7 fixes two security issues and a bug in 1.10.6.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g. :func:django.contrib.auth.views.login and :doc:i18n </topics/i18n/index>) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be.

Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the :func:~django.views.static.serve view could redirect to any other domain. The view no longer does any redirects as they don't provide any known, useful functionality.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

Bugfixes

  • Made admin's RelatedFieldWidgetWrapper use the wrapped widget's value_omitted_from_data() method (:ticket:27905).

  • Fixed model form default fallback for SelectMultiple (:ticket:27993).

===========================

1.10.6

===========================

March 1, 2017

Django 1.10.6 fixes several bugs in 1.10.5.

Bugfixes

  • Fixed ClearableFileInput’s "Clear" checkbox on model form fields where the model field has a default (:ticket:27805).

  • Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing rather than generating a bad request response (:ticket:27820).

  • Fixed a crash on Oracle and PostgreSQL when subtracting DurationField or IntegerField from DateField (:ticket:27828).

  • Fixed query expression date subtraction accuracy on PostgreSQL for differences larger than a month (:ticket:27856).

  • Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0 (:ticket:27479).

===========================

1.10.5

===========================

January 4, 2017

Django 1.10.5 fixes several bugs in 1.10.4.

Bugfixes

  • Fixed a crash in the debug view if request.user can't be retrieved, such as if the database is unavailable (:ticket:27567).

  • Fixed occasional missing plural forms in JavaScriptCatalog (:ticket:27418).

  • Fixed a regression in the timesince and timeuntil filters that caused incorrect results for dates in a leap year (:ticket:27637).

  • Fixed a regression where collectstatic overwrote newer files in remote storages (:ticket:27658).

===========================

1.10.4

===========================

December 1, 2016

Django 1.10.4 fixes several bugs in 1.10.3.

Bugfixes

  • Quoted the Oracle test user's password in queries to fix the "ORA-00922: missing or invalid option" error when the password starts with a number or special character (:ticket:27420).

  • Fixed incorrect app_label / model_name arguments for allow_migrate() in makemigrations migration consistency checks (:ticket:27461).

  • Made Model.delete(keep_parents=True) preserve parent reverse relationships in multi-table inheritance (:ticket:27407).

  • Fixed a QuerySet.update() crash on SQLite when updating a DateTimeField with an F() expression and a timedelta (:ticket:27544).

  • Prevented LocaleMiddleware from redirecting on URLs that should return 404 when using prefix_default_language=False (:ticket:27402).

  • Prevented an unnecessary index from being created on an InnoDB ForeignKey when the field was added after the model was created (:ticket:27558).

===========================

1.10.3

===========================

November 1, 2016

Django 1.10.3 fixes two security issues and several bugs in 1.10.2.

User with hardcoded password created when running tests on Oracle

When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.

This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker's connection).

A randomly generated password is now used for each test run.

DNS rebinding vulnerability when DEBUG=True

Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack <http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>_.

While Django doesn't ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance, for example. If a project uses a package like the django-debug-toolbar, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account.

settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed ['localhost', '127.0.0.1', '::1']. If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values.

Bugfixes

  • Allowed User.is_authenticated and User.is_anonymous properties to be tested for set membership (:ticket:27309).

  • Fixed a performance regression when running migrate in projects with RenameModel operations (:ticket:27279).

  • Added model_name to the allow_migrate() calls in makemigrations (:ticket:27200).

  • Made the JavaScriptCatalog view respect the packages argument; previously it was ignored (:ticket:27374).

  • Fixed QuerySet.bulk_create() on PostgreSQL when the number of objects is a multiple plus one of batch_size (:ticket:27385).

  • Prevented i18n_patterns() from using too much of the URL as the language to fix a use case for prefix_default_language=False (:ticket:27063).

  • Replaced a possibly incorrect redirect from SessionMiddleware when a session is destroyed in a concurrent request with a SuspiciousOperation to indicate that the request can't be completed (:ticket:27363).

===========================

1.10.2

===========================

October 1, 2016

Django 1.10.2 fixes several bugs in 1.10.1.

Bugfixes

  • Fixed a crash in MySQL database validation where SELECT sql_mode doesn't return a result (:ticket:27180).

  • Allowed combining contrib.postgres.search.SearchQuery with more than one & or | operators (:ticket:27143).

  • Disabled system check for URL patterns beginning with a '/' when APPEND_SLASH=False (:ticket:27238).

  • Fixed model form default fallback for CheckboxSelectMultiple, MultiWidget, FileInput, SplitDateTimeWidget, SelectDateWidget, and SplitArrayWidget (:ticket:27186). Custom widgets affected by this issue should implement :meth:~django.forms.Widget.value_omitted_from_data.

  • Fixed a crash in runserver logging during a "Broken pipe" error (:ticket:27271).

  • Fixed a regression where unchanged localized date/time fields were listed as changed in the admin's model history messages (:ticket:27302).

===========================

1.10.1

===========================

September 1, 2016

Django 1.10.1 fixes several bugs in 1.10.

Bugfixes

  • Fixed a crash in MySQL connections where SELECT SQL_AUTO_IS_NULL doesn't return a result (:ticket:26991).

  • Allowed User.is_authenticated and User.is_anonymous properties to be compared using ==, !=, and | (:ticket:26988, :ticket:27154).

  • Removed the broken BaseCommand.usage() method which was for optparse support (:ticket:27000).

  • Fixed a checks framework crash with an empty Meta.default_permissions (:ticket:26997).

  • Fixed a regression in the number of queries when using RadioSelect with a ModelChoiceField form field (:ticket:27001).

  • Fixed a crash if request.META['CONTENT_LENGTH'] is an empty string (:ticket:27005).

  • Fixed the isnull lookup on a ForeignKey with its to_field pointing to a CharField or pointing to a CharField defined with primary_key=True (:ticket:26983).

  • Prevented the migrate command from raising InconsistentMigrationHistory in the presence of unapplied squashed migrations (:ticket:27004).

  • Fixed a regression in Client.force_login() which required specifying a backend rather than automatically using the first one if multiple backends are configured (:ticket:27027).

  • Made QuerySet.bulk_create() properly initialize model instances on backends, such as PostgreSQL, that support returning the IDs of the created records so that many-to-many relationships can be used on the new objects (:ticket:27026).

  • Fixed crash of django.views.static.serve() with show_indexes enabled (:ticket:26973).

  • Fixed ClearableFileInput to avoid the required HTML attribute when initial data exists (:ticket:27037).

  • Fixed annotations with database functions when combined with lookups on PostGIS (:ticket:27014).

  • Reallowed the {% for %} tag to unpack any iterable (:ticket:27058).

  • Made makemigrations skip inconsistent history checks on non-default databases if database routers aren't in use or if no apps can be migrated to the database (:ticket:27054, :ticket:27110, :ticket:27142).

  • Removed duplicated managers in Model._meta.managers (:ticket:27073).

  • Fixed contrib.admindocs crash when a view is in a class, such as some of the admin views (:ticket:27018).

  • Reverted a few admin checks that checked field.many_to_many back to isinstance(field, models.ManyToManyField) since it turned out the checks weren't suitable to be generalized like that (:ticket:26998).

  • Added the database alias to the InconsistentMigrationHistory message raised by makemigrations and migrate (:ticket:27089).

  • Fixed the creation of ContentType and Permission objects for models of applications without migrations when calling the migrate command with no migrations to apply (:ticket:27044).

  • Included the already applied migration state changes in the Apps instance provided to the pre_migrate signal receivers to allow ContentType renaming to be performed on model rename (:ticket:27100).

  • Reallowed subclassing UserCreationForm without USERNAME_FIELD in Meta.fields (:ticket:27111).

  • Fixed a regression in model forms where model fields with a default that didn't appear in POST data no longer used the default (:ticket:27039).

=========================

1.10

=========================

August 1, 2016

Welcome to Django 1.10!

These release notes cover the :ref:new features <whats-new-1.10>, as well as some :ref:backwards incompatible changes <backwards-incompatible-1.10> you'll want to be aware of when upgrading from Django 1.9 or older versions. We've :ref:dropped some features <removed-features-1.10> that have reached the end of their deprecation cycle, and we've :ref:begun the deprecation process for some features <deprecated-features-1.10>.

See the :doc:/howto/upgrade-version guide if you're updating an existing project.

Python compatibility

Like Django 1.9, Django 1.10 requires Python 2.7, 3.4, or 3.5. We highly recommend and only officially support the latest release of each series.

.. _whats-new-1.10:

What's new in Django 1.10

Full text search for PostgreSQL

django.contrib.postgres now includes a :doc:collection of database functions </ref/contrib/postgres/search> to allow the use of the full text search engine. You can search across multiple fields in your relational database, combine the searches with other lookups, use different language configurations and weightings, and rank the results by relevance.

It also now includes trigram support, using the :lookup:trigram_similar lookup, and the :class:~django.contrib.postgres.search.TrigramSimilarity and :class:~django.contrib.postgres.search.TrigramDistance expressions.

New-style middleware

:doc:A new style of middleware is introduced </topics/http/middleware> to solve the lack of strict request/response layering of the old-style of middleware described in DEP 0005 <https://github.com/django/deps/blob/master/final/0005-improved-middleware.rst>_. You'll need to :ref:adapt old, custom middleware <upgrading-middleware> and switch from the MIDDLEWARE_CLASSES setting to the new :setting:MIDDLEWARE setting to take advantage of the improvements.

Official support for Unicode usernames

The :class:~django.contrib.auth.models.User model in django.contrib.auth originally only accepted ASCII letters in usernames. Although it wasn't a deliberate choice, Unicode characters have always been accepted when using Python 3.

The username validator now explicitly accepts Unicode letters by default on Python 3 only. This default behavior can be overridden by changing the :attr:~django.contrib.auth.models.User.username_validator attribute of the User model, or to any proxy of that model, using either :class:~django.contrib.auth.validators.ASCIIUsernameValidator or :class:~django.contrib.auth.validators.UnicodeUsernameValidator. Custom user models may also use those validators.

Minor features

:mod:django.contrib.admin


* For sites running on a subpath, the default :attr:`URL for the "View site"
 link <django.contrib.admin.AdminSite.site_url>` at the top of each admin page
 will now point to ``request.META['SCRIPT_NAME']`` if set, instead of ``/``.

* The success message that appears after adding or editing an object now
 contains a link to the object's change form.

* All inline JavaScript is removed so you can enable the
 ``Content-Security-Policy`` HTTP header if you wish.

* The new :attr:`InlineModelAdmin.classes
 <django.contrib.admin.InlineModelAdmin.classes>` attribute allows specifying
 classes on inline fieldsets. Inlines with a ``collapse`` class will be
 initially collapsed and their header will have a small "show" link.

* If a user doesn't have the add permission, the ``object-tools`` block on a
 model's changelist will now be rendered (without the add button, of course).
 This makes it easier to add custom tools in this case.

* The :class:`~django.contrib.admin.models.LogEntry` model now stores change
 messages in a JSON structure so that the message can be dynamically translated
 using the current active language. A new ``LogEntry.get_change_message()``
 method is now the preferred way of retrieving the change message.

* Selected objects for fields in ``ModelAdmin.raw_id_fields`` now have a link
 to object's change form.

* Added "No date" and "Has date" choices for ``DateFieldListFilter`` if the
 field is nullable.

* The jQuery library embedded in the admin is upgraded from version 2.1.4 to
 2.2.3.

:mod:`django.contrib.auth`
  • Added support for the :ref:Argon2 password hash <argon2_usage>. It's recommended over PBKDF2, however, it's not the default as it requires a third-party library.

  • The default iteration count for the PBKDF2 password hasher has been increased by 25%. This backwards compatible change will not affect users who have subclassed django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default value.

  • The :func:~django.contrib.auth.views.logout view sends "no-cache" headers to prevent an issue where Safari caches redirects and prevents a user from being able to log out.

  • Added the optional backend argument to :func:~django.contrib.auth.login to allow using it without credentials.

  • The new :setting:LOGOUT_REDIRECT_URL setting controls the redirect of the :func:~django.contrib.auth.views.logout view, if the view doesn't get a next_page argument.

  • The new redirect_authenticated_user parameter for the :func:~django.contrib.auth.views.login view allows redirecting authenticated users visiting the login page.

  • The new :class:~django.contrib.auth.backends.AllowAllUsersModelBackend and :class:~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend ignore the value of User.is_active, while :class:~django.contrib.auth.backends.ModelBackend and :class:~django.contrib.auth.backends.RemoteUserBackend now reject inactive users.

:mod:django.contrib.gis


* :ref:`Distance lookups <distance-lookups>` now accept expressions as the
 distance value parameter.

* The new :attr:`GEOSGeometry.unary_union
 <django.contrib.gis.geos.GEOSGeometry.unary_union>` property computes the
 union of all the elements of this geometry.

* Added the :meth:`GEOSGeometry.covers()
 <django.contrib.gis.geos.GEOSGeometry.covers>` binary predicate.

* Added the :meth:`GDALBand.statistics()
 <django.contrib.gis.gdal.GDALBand.statistics>` method and
 :attr:`~django.contrib.gis.gdal.GDALBand.mean`
 and :attr:`~django.contrib.gis.gdal.GDALBand.std` attributes.

* Added support for the :class:`~django.contrib.gis.db.models.MakeLine`
 aggregate and :class:`~django.contrib.gis.db.models.functions.GeoHash`
 function on SpatiaLite.

* Added support for the
 :class:`~django.contrib.gis.db.models.functions.Difference`,
 :class:`~django.contrib.gis.db.models.functions.Intersection`, and
 :class:`~django.contrib.gis.db.models.functions.SymDifference`
 functions on MySQL.

* Added support for instantiating empty GEOS geometries.

* The new :attr:`~django.contrib.gis.geos.WKTWriter.trim` and
 :attr:`~django.contrib.gis.geos.WKTWriter.precision` properties
 of :class:`~django.contrib.gis.geos.WKTWriter` allow controlling
 output of the fractional part of the coordinates in WKT.

* Added the :attr:`LineString.closed
 <django.contrib.gis.geos.LineString.closed>` and
 :attr:`MultiLineString.closed
 <django.contrib.gis.geos.MultiLineString.closed>` properties.

* The :doc:`GeoJSON serializer </ref/contrib/gis/serializers>` now outputs the
 primary key of objects in the ``properties`` dictionary if specific fields
 aren't specified.

* The ability to replicate input data on the :meth:`GDALBand.data()
 <django.contrib.gis.gdal.GDALBand.data>` method was added. Band data can
 now be updated with repeated values efficiently.

* Added database functions
 :class:`~django.contrib.gis.db.models.functions.IsValid` and
 :class:`~django.contrib.gis.db.models.functions.MakeValid`, as well as the
 :lookup:`isvalid` lookup, all for PostGIS. This allows filtering and
 repairing invalid geometries on the database side.

* Added raster support for all :doc:`spatial lookups
 </ref/contrib/gis/geoquerysets>`.

:mod:`django.contrib.postgres`
  • For convenience, :class:~django.contrib.postgres.fields.HStoreField now casts its keys and values to strings.

:mod:django.contrib.sessions


* The :djadmin:`clearsessions` management command now removes file-based
 sessions.

:mod:`django.contrib.sites`
  • The :class:~django.contrib.sites.models.Site model now supports :ref:natural keys <topics-serialization-natural-keys>.

:mod:django.contrib.staticfiles


* The :ttag:`static` template tag now uses ``django.contrib.staticfiles``
 if it's in ``INSTALLED_APPS``. This is especially useful for third-party apps
 which can now always use ``{% load static %}`` (instead of
 ``{% load staticfiles %}`` or ``{% load static from staticfiles %}``) and
 not worry about whether or not the ``staticfiles`` app is installed.

* You can :ref:`more easily customize <customize-staticfiles-ignore-patterns>`
 the ``collectstatic --ignore_patterns`` option with a custom ``AppConfig``.

Cache
  • The file-based cache backend now uses the highest pickling protocol.

CSRF


* The default :setting:`CSRF_FAILURE_VIEW`, ``views.csrf.csrf_failure()`` now
 accepts an optional ``template_name`` parameter, defaulting to
 ``'403_csrf.html'``, to control the template used to render the page.

* To protect against `BREACH`_ attacks, the CSRF protection mechanism now
 changes the form token value on every request (while keeping an invariant
 secret which can be used to validate the different tokens).

.. _BREACH: http://breachattack.com/

Database backends
  • Temporal data subtraction was unified on all backends.

  • If the database supports it, backends can set DatabaseFeatures.can_return_ids_from_bulk_insert=True and implement DatabaseOperations.fetch_returned_insert_ids() to set primary keys on objects created using QuerySet.bulk_create().

  • Added keyword arguments to the as_sql() methods of various expressions (Func, When, Case, and OrderBy) to allow database backends to customize them without mutating self, which isn't safe when using different database backends. See the arg_joiner and **extra_context parameters of :meth:Func.as_sql() <django.db.models.Func.as_sql> for an example.

File Storage


* Storage backends now present a timezone-aware API with new methods
 :meth:`~django.core.files.storage.Storage.get_accessed_time`,
 :meth:`~django.core.files.storage.Storage.get_created_time`, and
 :meth:`~django.core.files.storage.Storage.get_modified_time`. They return a
 timezone-aware ``datetime`` if :setting:`USE_TZ` is ``True`` and a naive
 ``datetime`` in the local timezone otherwise.

* The new :meth:`Storage.generate_filename()
 <django.core.files.storage.Storage.generate_filename>` method makes it easier
 to implement custom storages that don't use the ``os.path`` calls previously
 in :class:`~django.db.models.FileField`.

Forms
  • Form and widget Media is now served using :mod:django.contrib.staticfiles if installed.

  • The <input> tag rendered by :class:~django.forms.CharField now includes a minlength attribute if the field has a min_length.

  • Required form fields now have the required HTML attribute. Set the new :attr:Form.use_required_attribute <django.forms.Form.use_required_attribute> attribute to False to disable it. The required attribute isn't included on forms of formsets because the browser validation may not be correct when adding and deleting formsets.

Generic Views


* The :class:`~django.views.generic.base.View` class can now be imported from
 ``django.views``.

Internationalization
  • The :func:~django.conf.urls.i18n.i18n_patterns helper function can now be used in a root URLConf specified using :attr:request.urlconf <django.http.HttpRequest.urlconf>.

  • By setting the new prefix_default_language parameter for :func:~django.conf.urls.i18n.i18n_patterns to False, you can allow accessing the default language without a URL prefix.

  • :func:~django.views.i18n.set_language now returns a 204 status code (No Content) for AJAX requests when there is no next parameter in POST or GET.

  • The :class:~django.views.i18n.JavaScriptCatalog and :class:~django.views.i18n.JSONCatalog class-based views supersede the deprecated javascript_catalog() and json_catalog() function-based views. The new views are almost equivalent to the old ones except that by default the new views collect all JavaScript strings in the djangojs translation domain from all installed apps rather than only the JavaScript strings from :setting:LOCALE_PATHS.

Management Commands


* :func:`~django.core.management.call_command` now returns the value returned
 from the ``command.handle()`` method.

* The new :option:`check --fail-level` option allows specifying the message
 level that will cause the command to exit with a non-zero status.

* The new :option:`makemigrations --check` option makes the command exit
 with a non-zero status when model changes without migrations are detected.

* :djadmin:`makemigrations` now displays the path to the migration files that
 it generates.

* The :option:`shell --interface` option now accepts ``python`` to force use of
 the "plain" Python interpreter.

* The new :option:`shell --command` option lets you run a command as Django and
 exit, instead of opening the interactive shell.

* Added a warning to :djadmin:`dumpdata` if a proxy model is specified (which
 results in no output) without its concrete parent.

* The new :attr:`BaseCommand.requires_migrations_checks
 <django.core.management.BaseCommand.requires_migrations_checks>` attribute
 may be set to ``True`` if you want your command to print a warning, like
 :djadmin:`runserver` does, if the set of migrations on disk don't match the
 migrations in the database.

* To assist with testing, :func:`~django.core.management.call_command` now
 accepts a command object as the first argument.

* The :djadmin:`shell` command supports tab completion on systems using
 ``libedit``, e.g. Mac OSX.

* The :djadmin:`inspectdb` command lets you choose what tables should be
 inspected by specifying their names as arguments.

Migrations
  • Added support for serialization of enum.Enum objects.

  • Added the elidable argument to the :class:~django.db.migrations.operations.RunSQL and :class:~django.db.migrations.operations.RunPython operations to allow them to be removed when squashing migrations.

  • Added support for :ref:non-atomic migrations <non-atomic-migrations> by setting the atomic attribute on a Migration.

  • The migrate and makemigrations commands now :ref:check for a consistent migration history <migration-history-consistency>. If they find some unapplied dependencies of an applied migration, InconsistentMigrationHistory is raised.

  • The :func:~django.db.models.signals.pre_migrate and :func:~django.db.models.signals.post_migrate signals now dispatch their migration plan and apps.

Models


* Reverse foreign keys from proxy models are now propagated to their
 concrete class. The reverse relation attached by a
 :class:`~django.db.models.ForeignKey` pointing to a proxy model is now
 accessible as a descriptor on the proxied model class and may be referenced in
 queryset filtering.

* The new :meth:`Field.rel_db_type() <django.db.models.Field.rel_db_type>`
 method returns the database column data type for fields such as ``ForeignKey``
 and ``OneToOneField`` that point to another field.

* The :attr:`~django.db.models.Func.arity` class attribute is added to
 :class:`~django.db.models.Func`. This attribute can be used to set the number
 of arguments the function accepts.

* Added :class:`~django.db.models.BigAutoField` which acts much like an
 :class:`~django.db.models.AutoField` except that it is guaranteed
 to fit numbers from ``1`` to ``9223372036854775807``.

* :meth:`QuerySet.in_bulk() <django.db.models.query.QuerySet.in_bulk>`
 may be called without any arguments to return all objects in the queryset.

* :attr:`~django.db.models.ForeignKey.related_query_name` now supports
 app label and class interpolation using the ``'%(app_label)s'`` and
 ``'%(class)s'`` strings.

* Allowed overriding model fields inherited from abstract base classes.

* The :func:`~django.db.models.prefetch_related_objects` function is now a
 public API.

* :meth:`QuerySet.bulk_create() <django.db.models.query.QuerySet.bulk_create>`
 sets the primary key on objects when using PostgreSQL.

* Added the :class:`~django.db.models.functions.Cast` database function.

* A proxy model may now inherit multiple proxy models that share a common
 non-abstract parent class.

* Added :class:`~django.db.models.functions.datetime.Extract` functions
 to extract datetime components as integers, such as year and hour.

* Added :class:`~django.db.models.functions.datetime.Trunc` functions to
 truncate a date or datetime to a significant component. They enable queries
 like sales-per-day or sales-per-hour.

* ``Model.__init__()`` now sets values of virtual fields from its keyword
 arguments.

* The new :attr:`Meta.base_manager_name
 <django.db.models.Options.base_manager_name>` and
 :attr:`Meta.default_manager_name
 <django.db.models.Options.default_manager_name>` options allow controlling
 the :attr:`~django.db.models.Model._base_manager` and
 :attr:`~django.db.models.Model._default_manager`, respectively.

Requests and Responses
  • Added request.user to the debug view.

  • Added :class:~django.http.HttpResponse methods :meth:~django.http.HttpResponse.readable() and :meth:~django.http.HttpResponse.seekable() to make an instance a stream-like object and allow wrapping it with :py:class:io.TextIOWrapper.

  • Added the :attr:HttpResponse.content_type <django.http.HttpRequest.content_type> and :attr:~django.http.HttpRequest.content_params attributes which are parsed from the CONTENT_TYPE header.

  • The parser for request.COOKIES is simplified to better match the behavior of browsers. request.COOKIES may now contain cookies that are invalid according to :rfc:6265 but are possible to set via document.cookie.

Serialization


* The ``django.core.serializers.json.DjangoJSONEncoder`` now knows how to
 serialize lazy strings, typically used for translatable content.

Templates
  • Added the autoescape option to the :class:~django.template.backends.django.DjangoTemplates backend and the :class:~django.template.Engine class.

  • Added the is and is not comparison operators to the :ttag:if tag.

  • Allowed :tfilter:dictsort to order a list of lists by an element at a specified index.

  • The :func:~django.template.context_processors.debug context processor contains queries for all database aliases instead of only the default alias.

  • Added relative path support for string arguments of the :ttag:extends and :ttag:include template tags.

Tests


* To better catch bugs, :class:`~django.test.TestCase` now checks deferrable
 database constraints at the end of each test.

* Tests and test cases can be :ref:`marked with tags <topics-tagging-tests>`
 and run selectively with the new :option:`test --tag` and :option:`test
 --exclude-tag` options.

* You can now login and use sessions with the test client even if
 :mod:`django.contrib.sessions` is not in :setting:`INSTALLED_APPS`.

URLs
  • An addition in :func:django.setup() allows URL resolving that happens outside of the request/response cycle (e.g. in management commands and standalone scripts) to take :setting:FORCE_SCRIPT_NAME into account when it is set.

Validators



* :class:`~django.core.validators.URLValidator` now limits the length of
 domain name labels to 63 characters and the total length of domain
 names to 253 characters per :rfc:`1034`.

* :func:`~django.core.validators.int_list_validator` now accepts an optional
 ``allow_negative`` boolean parameter, defaulting to ``False``, to allow
 negative integers.

.. _backwards-incompatible-1.10:

Backwards incompatible changes in 1.10
======================================

.. warning::

   In addition to the changes outlined in this section, be sure to review the
   :ref:`removed-features-1.10` for the features that have reached the end of
   their deprecation cycle and therefore been removed. If you haven't updated
   your code within the deprecation timeline for a given feature, its removal
   may appear as a backwards incompatible change.

Database backend API
--------------------

* GIS's ``AreaField`` uses an unspecified underlying numeric type that could in
 practice be any numeric Python type. ``decimal.Decimal`` values retrieved
 from the database are now converted to ``float`` to make it easier to combine
 them with values used by the GIS libraries.

* In order to enable temporal subtraction you must set the
 ``supports_temporal_subtraction`` database feature flag to ``True`` and
 implement the ``DatabaseOperations.subtract_temporals()`` method. This
 method should return the SQL and parameters required to compute the
 difference in microseconds between the ``lhs`` and ``rhs`` arguments in the
 datatype used to store :class:`~django.db.models.DurationField`.

``select_related()`` prohibits non-relational fields for nested relations
-------------------------------------------------------------------------

Django 1.8 added validation for non-relational fields in ``select_related()``::

   >>> Book.objects.select_related('title')
   Traceback (most recent call last):
   ...
   FieldError: Non-relational field given in select_related: 'title'

But it didn't prohibit nested non-relation fields as it does now::

   >>> Book.objects.select_related('author__name')
   Traceback (most recent call last):
   ...
   FieldError: Non-relational field given in select_related: 'name'

``_meta.get_fields()`` returns consistent reverse fields for proxy models
-------------------------------------------------------------------------

Before Django 1.10, the :meth:`~django.db.models.options.Options.get_fields`
method returned different reverse fields when called on a proxy model compared
to its proxied concrete class. This inconsistency was fixed by returning the
full set of fields pointing to a concrete class or one of its proxies in both
cases.

:attr:`AbstractUser.username <django.contrib.auth.models.User.username>` ``max_length`` increased to 150
--------------------------------------------------------------------------------------------------------

A migration for :attr:`django.contrib.auth.models.User.username` is included.
If you have a custom user model inheriting from ``AbstractUser``, you'll need
to generate and apply a database migration for your user model.

We considered an increase to 254 characters to more easily allow the use of
email addresses (which are limited to 254 characters) as usernames but rejected
it due to a MySQL limitation.  When using the ``utf8mb4`` encoding (recommended
for proper Unicode support), MySQL can only create unique indexes with 191
characters by default. Therefore, if you need a longer length, please use a
custom user model.

If you want to preserve the 30 character limit for usernames, use a custom form
when creating a user or changing usernames::

   from django.contrib.auth.forms import UserCreationForm

   class MyUserCreationForm(UserCreationForm):
       username = forms.CharField(
           max_length=30,
           help_text='Required. 30 characters or fewer. Letters, digits and /./+/-/_ only.',
       )

If you wish to keep this restriction in the admin, set ``UserAdmin.add_form``
to use this form::

   from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
   from django.contrib.auth.models import User

   class UserAdmin(BaseUserAdmin):
       add_form = MyUserCreationForm

   admin.site.unregister(User)
   admin.site.register(User, UserAdmin)

Dropped support for PostgreSQL 9.1
----------------------------------

Upstream support for PostgreSQL 9.1 ends in September 2016. As a consequence,
Django 1.10 sets PostgreSQL 9.2 as the minimum version it officially supports.

``runserver`` output goes through logging
-----------------------------------------

Request and response handling of the ``runserver`` command is sent to the
:ref:`django-server-logger` logger instead of to ``sys.stderr``. If you
disable Django's logging configuration or override it with your own, you'll
need to add the appropriate logging configuration if you want to see that
output::

   'formatters': {
       'django.server': {
           '()': 'django.utils.log.ServerFormatter',
           'format': '[%(server_time)s] %(message)s',
       }
   },
   'handlers': {
       'django.server': {
           'level': 'INFO',
           'class': 'logging.StreamHandler',
           'formatter': 'django.server',
       },
   },
   'loggers': {
       'django.server': {
           'handlers': ['django.server'],
           'level': 'INFO',
           'propagate': False,
       }
   }

``auth.CustomUser`` and ``auth.ExtensionUser`` test models were removed
-----------------------------------------------------------------------

Since the introduction of migrations for the contrib apps in Django 1.8, the
tables of these custom user test models were not created anymore making them
unusable in a testing context.

Apps registry is no longer auto-populated when unpickling models outside of Django
----------------------------------------------------------------------------------

The apps registry is no longer auto-populated when unpickling models. This was
added in Django 1.7.2 as an attempt to allow unpickling models outside of
Django, such as in an RQ worker, without calling ``django.setup()``, but it
creates the possibility of a deadlock. To adapt your code in the case of RQ,
you can `provide your own worker script <http://python-rq.org/docs/workers/>`_
that calls ``django.setup()``.

Removed null assignment check for non-null foreign key fields
-------------------------------------------------------------

In older versions, assigning ``None`` to a non-nullable ``ForeignKey`` or
``OneToOneField`` raised ``ValueError('Cannot assign None: "model.field" does
not allow null values.')``. For consistency with other model fields which don't
have a similar check, this check is removed.

Removed weak password hashers from the default ``PASSWORD_HASHERS`` setting
---------------------------------------------------------------------------

Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for
salted SHA1 with automatic upgrade of passwords when a user logs in. Django 1.4
added PBKDF2 as the default password hasher.

If you have an old Django project with MD5 or SHA1 (even salted) encoded
passwords, be aware that these can be cracked fairly easily with today's
hardware. To make Django users acknowledge continued use of weak hashers, the
following hashers are removed from the default :setting:`PASSWORD_HASHERS`
setting::

   'django.contrib.auth.hashers.SHA1PasswordHasher'
   'django.contrib.auth.hashers.MD5PasswordHasher'
   'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher'
   'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher'
   'django.contrib.auth.hashers.CryptPasswordHasher'

Consider using a :ref:`wrapped password hasher <wrapping-password-hashers>` to
strengthen the hashes in your database. If that's not feasible, add the
:setting:`PASSWORD_HASHERS` setting to your project and add back any hashers
that you need.

You can check if your database has any of the removed hashers like this::

   from django.contrib.auth import get_user_model
   User = get_user_model()

    Unsalted MD5/SHA1:
   User.objects.filter(password__startswith='md5$$')
   User.objects.filter(password__startswith='sha1$$')
    Salted MD5/SHA1:
   User.objects.filter(password__startswith='md5$').exclude(password__startswith='md5$$')
   User.objects.filter(password__startswith='sha1$').exclude(password__startswith='sha1$$')
    Crypt hasher:
   User.objects.filter(password__startswith='crypt$$')

   from django.db.models import CharField
   from django.db.models.functions import Length
   CharField.register_lookup(Length)
    Unsalted MD5 passwords might not have an 'md5$$' prefix:
   User.objects.filter(password__length=32)

``Field.get_prep_lookup()`` and ``Field.get_db_prep_lookup()`` methods are removed
----------------------------------------------------------------------------------

If you have a custom field that implements either of these methods, register a
custom lookup for it. For example::

   from django.db.models import Field
   from django.db.models.lookups import Exact

   class MyField(Field):
       ...

   class MyFieldExact(Exact):
       def get_prep_lookup(self):
            do_custom_stuff_for_myfield
           ....

   MyField.register_lookup(MyFieldExact)

:mod:`django.contrib.gis`
-------------------------

* Support for SpatiaLite < 3.0 and GEOS < 3.3 is dropped.

* The ``add_postgis_srs()`` backwards compatibility alias for
 ``django.contrib.gis.utils.add_srs_entry()`` is removed.

* On Oracle/GIS, the :class:`~django.contrib.gis.db.models.functions.Area`
 aggregate function now returns a ``float`` instead of ``decimal.Decimal``.
 (It's still wrapped in a measure of square meters.)

* The default :class:`~django.contrib.gis.geos.GEOSGeometry` representation (WKT
 output) is trimmed by default. That is, instead of
 ``POINT (23.0000000000000000 5.5000000000000000)``, you'll get
 ``POINT (23 5.5)``.

Maximum size of a request body and the number of GET/POST parameters is limited
-------------------------------------------------------------------------------

Two new settings help mitigate denial-of-service attacks via large requests:

* :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limits the size that a request body
 may be. File uploads don't count towards this limit.
* :setting:`DATA_UPLOAD_MAX_NUMBER_FIELDS` limits the number of GET/POST
 parameters that are parsed.

Applications that receive unusually large form posts may need to tune these
settings.

Miscellaneous
-------------

* The ``repr()`` of a ``QuerySet`` is wrapped in ``<QuerySet >`` to
 disambiguate it from a plain list when debugging.

* ``utils.version.get_version()`` returns :pep:`440` compliant release
 candidate versions (e.g. '1.10rc1' instead of '1.10c1').

* CSRF token values are now required to be strings of 64 alphanumerics; values
 of 32 alphanumerics, as set by older versions of Django by default, are
 automatically replaced by strings of 64 characters. Other values are
 considered invalid. This should only affect developers or users who replace
 these tokens.

* The ``LOGOUT_URL`` setting is removed as Django hasn't made use of it
 since pre-1.0. If you use it in your project, you can add it to your
 project's settings. The default value was ``'/accounts/logout/'``.

* Objects with a ``close()`` method such as files and generators passed to
 :class:`~django.http.HttpResponse` are now closed immediately instead of when
 the WSGI server calls ``close()`` on the response.

* A redundant ``transaction.atomic()`` call in ``QuerySet.update_or_create()``
 is removed. This may affect query counts tested by
 ``TransactionTestCase.assertNumQueries()``.

* Support for ``skip_validation`` in ``BaseCommand.execute(**options)`` is
 removed. Use ``skip_checks`` (added in Django 1.7) instead.

* :djadmin:`loaddata` now raises a ``CommandError`` instead of showing a
 warning when the specified fixture file is not found.

* Instead of directly accessing the ``LogEntry.change_message`` attribute, it's
 now better to call the ``LogEntry.get_change_message()`` method which will
 provide the message in the current language.

* The default error views now raise ``TemplateDoesNotExist`` if a nonexistent
 ``template_name`` is specified.

* The unused ``choices`` keyword argument of the ``Select`` and
 ``SelectMultiple`` widgets' ``render()`` method is removed. The ``choices``
 argument of the ``render_options()`` method is also removed, making
 ``selected_choices`` the first argument.

* Tests that violate deferrable database constraints will now error when run on
 a database that supports deferrable constraints.

* Built-in management commands now use indexing of keys in ``options``, e.g.
 ``options['verbosity']``, instead of ``options.get()`` and no longer perform
 any type coercion. This could be a problem if you're calling commands using
 ``Command.execute()`` (which bypasses the argument parser that sets a default
 value) instead of :func:`~django.core.management.call_command`. Instead of
 calling ``Command.execute()``, pass the command object as the first argument
 to ``call_command()``.

* :class:`~django.contrib.auth.backends.ModelBackend` and
 :class:`~django.contrib.auth.backends.RemoteUserBackend` now reject inactive
 users. This means that inactive users can't login and will be logged
 out if they are switched from ``is_active=True`` to ``False``. If you need
 the previous behavior, use the new
 :class:`~django.contrib.auth.backends.AllowAllUsersModelBackend` or
 :class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend`
 in :setting:`AUTHENTICATION_BACKENDS` instead.

* In light of the previous change, the test client's
 :meth:`~django.test.Client.login()` method no longer always rejects inactive
 users but instead delegates this decision to the authentication backend.
 :meth:`~django.test.Client.force_login()` also delegates the decision to the
 authentication backend, so if you're using the default backends, you need to
 use an active user.

* :func:`django.views.i18n.set_language` may now return a 204 status code for
 AJAX requests.

* The ``base_field`` attribute of
 :class:`~django.contrib.postgres.fields.RangeField` is now a type of field,
 not an instance of a field.  If you have created a custom subclass of
 :class:`~django.contrib.postgres.fields.RangeField`, you should change the
 ``base_field`` attribute.

* Middleware classes are now initialized when the server starts rather than
 during the first request.

* If you override ``is_authenticated()`` or ``is_anonymous()`` in a custom user
 model, you must convert them to attributes or properties as described in
 :ref:`the deprecation note <user-is-auth-anon-deprecation>`.

* When using :attr:`ModelAdmin.save_as=True
 <django.contrib.admin.ModelAdmin.save_as>`, the "Save as new" button now
 redirects to the change view for the new object instead of to the model's
 changelist. If you need the previous behavior, set the new
 :attr:`ModelAdmin.save_as_continue
 <django.contrib.admin.ModelAdmin.save_as_continue>` attribute to ``False``.

* Required form fields now have the ``required`` HTML attribute. Set the
 :attr:`Form.use_required_attribute <django.forms.Form.use_required_attribute>`
 attribute to ``False`` to disable it. You could also add the ``novalidate``
 attribute to ``<form>`` if you don't want browser validation. To disable
 the ``required`` attribute on custom widgets, override the
 :meth:`Widget.use_required_attribute() <django.forms.Widget.use_required_attribute>`
 method.

* The WSGI handler no longer removes content of responses from ``HEAD``
 requests or responses with a ``status_code`` of 100-199, 204, or 304. Most
 Web servers already implement this behavior. Responses retrieved using the
 Django test client continue to have these "response fixes" applied.

* ``Model.__init__()`` now receives ``django.db.models.DEFERRED`` as the value
 of deferred fields.

* The ``Model._deferred`` attribute is removed as dynamic model classes when
 using ``QuerySet.defer()`` and ``only()`` is removed.

* :meth:`Storage.save() <django.core.files.storage.Storage.save>` no longer
 replaces ``'\'`` with ``'/'``. This behavior is moved to
 :class:`~django.core.files.storage.FileSystemStorage` since this is a storage
 specific implementation detail. Any Windows user with a custom storage
 implementation that relies on this behavior will need to implement it in the
 custom storage's ``save()`` method.

* Private :class:`~django.db.models.FileField` methods ``get_directory_name()``
 and ``get_filename()`` are no longer called (and are now deprecated) which is
 a backwards incompatible change for users overriding those methods on custom
 fields. To adapt such code, override ``FileField.generate_filename()`` or
 :meth:`Storage.generate_filename()
 <django.core.files.storage.Storage.generate_filename>` instead. It
 might be possible to use :attr:`~django.db.models.FileField.upload_to` also.

* The subject of mail sent by ``AdminEmailHandler`` is no longer truncated at
 989 characters. If you were counting on a limited length, truncate the subject
 yourself.

* Private expressions ``django.db.models.expressions.Date`` and ``DateTime``
 are removed. The new :class:`~django.db.models.functions.datetime.Trunc`
 expressions provide the same functionality.

* The ``_base_manager`` and ``_default_manager`` attributes are removed from
 model instances. They remain accessible on the model class.

* Accessing a deleted field on a model instance, e.g. after ``del obj.field``,
 reloads the field's value instead of raising ``AttributeError``.

* If you subclass ``AbstractBaseUser`` and override ``clean()``, be sure it
 calls ``super()``. :meth:`.AbstractBaseUser.normalize_username` is called in
 a new :meth:`.AbstractBaseUser.clean` method.

* Private API ``django.forms.models.model_to_dict()`` returns a queryset rather
 than a list of primary keys for ``ManyToManyField``\s .

* If ``django.contrib.staticfiles`` is
 installed, the :ttag:`static`  template tag uses the ``staticfiles`` storage
 to construct the URL rather than simply joining the value with
 ``STATIC_ROOT``. The new approach encodes the URL, which could be
 backwards-incompatible in cases such as including a fragment in a path, e.g.
 ``{% static 'img.svgfragment' %}``, since the ```` is encoded as ``%23``.
 To adapt, move the fragment outside the template tag:
 ``{% static 'img.svg' %}fragment``.

* When :setting:`USE_L10N` is ``True``, localization is now applied for the
 :tfilter:`date` and :tfilter:`time` filters when no format string is
 specified. The ``DATE_FORMAT`` and ``TIME_FORMAT`` specifiers from the active
 locale are used instead of the settings of the same name.

.. _deprecated-features-1.10:

Features deprecated in 1.10
===========================

Direct assignment to a reverse foreign key or many-to-many relation
-------------------------------------------------------------------

Instead of assigning related objects using direct assignment::

   >>> new_list = [obj1, obj2, obj3]
   >>> e.related_set = new_list

Use the :meth:`~django.db.models.fields.related.RelatedManager.set` method
added in Django 1.9::

       >>> e.related_set.set([obj1, obj2, obj3])

This prevents confusion about an assignment resulting in an implicit save.

Non-timezone-aware :class:`~django.core.files.storage.Storage` API
------------------------------------------------------------------

The old, non-timezone-aware methods ``accessed_time()``, ``created_time()``,
and ``modified_time()`` are deprecated in favor of the new ``get_*_time()``
methods.

Third-party storage backends should implement the new methods and mark the old
ones as deprecated. Until then, the new ``get_*_time()`` methods on the base
:class:`~django.core.files.storage.Storage` class convert ``datetime``\s from
the old methods as required and emit a deprecation warning as they do so.

Third-party storage backends may retain the old methods as long as they
wish to support earlier versions of Django.

:mod:`django.contrib.gis`
-------------------------

* The ``get_srid()`` and ``set_srid()`` methods of
 :class:`~django.contrib.gis.geos.GEOSGeometry` are deprecated in favor
 of the :attr:`~django.contrib.gis.geos.GEOSGeometry.srid` property.

* The ``get_x()``, ``set_x()``, ``get_y()``, ``set_y()``, ``get_z()``, and
 ``set_z()`` methods of :class:`~django.contrib.gis.geos.Point` are deprecated
 in favor of the ``x``, ``y``, and ``z`` properties.

* The ``get_coords()`` and ``set_coords()`` methods of
 :class:`~django.contrib.gis.geos.Point` are deprecated in favor of the
 ``tuple`` property.

* The ``cascaded_union`` property of
 :class:`~django.contrib.gis.geos.MultiPolygon` is deprecated in favor of the
 :attr:`~django.contrib.gis.geos.GEOSGeometry.unary_union` property.

* The ``django.contrib.gis.utils.precision_wkt()`` function is deprecated in
 favor of :class:`~django.contrib.gis.geos.WKTWriter`.

``CommaSeparatedIntegerField`` model field
------------------------------------------

``CommaSeparatedIntegerField`` is deprecated in favor of
:class:`~django.db.models.CharField` with the
:func:`~django.core.validators.validate_comma_separated_integer_list`
validator::

   from django.core.validators import validate_comma_separated_integer_list
   from django.db import models

   class MyModel(models.Model):
       numbers = models.CharField(..., validators=[validate_comma_separated_integer_list])

If you're using Oracle, ``CharField`` uses a different database field  type
(``NVARCHAR2``) than ``CommaSeparatedIntegerField`` (``VARCHAR2``). Depending
on your database settings, this might imply a different encoding, and thus a
different length (in bytes) for the same contents. If your stored values are
longer than the 4000 byte limit of ``NVARCHAR2``, you should use ``TextField``
(``NCLOB``) instead. In this case, if you have any queries that group by the
field (e.g. annotating the model with an aggregation or using ``distinct()``)
you'll need to change them (to defer the field).

Using a model name as a query lookup when ``default_related_name`` is set
-------------------------------------------------------------------------

Assume the following models::

   from django.db import models

   class Foo(models.Model):
       pass

   class Bar(models.Model):
       foo = models.ForeignKey(Foo)

       class Meta:
           default_related_name = 'bars'

In older versions, :attr:`~django.db.models.Options.default_related_name`
couldn't be used as a query lookup. This is fixed and support for the old
lookup name is deprecated. For example, since ``default_related_name`` is set
in model ``Bar``, instead of using the model name ``bar`` as the lookup::

   >>> bar = Bar.objects.get(pk=1)
   >>> Foo.objects.get(bar=bar)

use the default_related_name ``bars``::

   >>> Foo.objects.get(bars=bar)

.. _search-lookup-replacement:

``__search`` query lookup
-------------------------

The ``search`` lookup, which supports MySQL only and is extremely limited in
features, is deprecated. Replace it with a custom lookup::

   from django.db import models

   class Search(models.Lookup):
       lookup_name = 'search'

       def as_mysql(self, compiler, connection):
           lhs, lhs_params = self.process_lhs(compiler, connection)
           rhs, rhs_params = self.process_rhs(compiler, connection)
           params = lhs_params + rhs_params
           return 'MATCH (%s) AGAINST (%s IN BOOLEAN MODE)' % (lhs, rhs), params

   models.CharField.register_lookup(Search)
   models.TextField.register_lookup(Search)

.. _user-is-auth-anon-deprecation:

Using ``User.is_authenticated()`` and ``User.is_anonymous()`` as methods
------------------------------------------------------------------------

The ``is_authenticated()`` and ``is_anonymous()`` methods of
:class:`~django.contrib.auth.models.AbstractBaseUser` and
:class:`~django.contrib.auth.models.AnonymousUser` classes are now
properties. They will still work as methods until Django 2.0, but all usage
in Django now uses attribute access.

For example, if you use
:class:`~django.contrib.auth.middleware.AuthenticationMiddleware` and want
to know whether the user is currently logged-in you would use::

   if request.user.is_authenticated:
       ...  Do something for logged-in users.
   else:
       ...  Do something for anonymous users.

instead of ``request.user.is_authenticated()``.

This change avoids accidental information leakage if you forget to call the
method, e.g.::

   if request.user.is_authenticated:
       return sensitive_information

If you override these methods in a custom user model, you must change them to
properties or attributes.

Django uses a ``CallableBool`` object to allow these attributes to work as both
a property and a method. Thus, until the deprecation period ends, you cannot
compare these properties using the ``is`` operator. That is, the following
won't work::

   if request.user.is_authenticated is True:
       ...

Custom manager classes available through ``prefetch_related`` must define a ``_apply_rel_filters()`` method
-----------------------------------------------------------------------------------------------------------

If you defined a custom manager class available through
:meth:`~django.db.models.query.QuerySet.prefetch_related` you must make sure
it defines a ``_apply_rel_filters()`` method.

This method must accept a :class:`~django.db.models.query.QuerySet` instance
as its single argument and return a filtered version of the queryset for the
model instance the manager is bound to.

The "escape" half of ``django.utils.safestring``
------------------------------------------------

The ``mark_for_escaping()`` function and the classes it uses: ``EscapeData``,
``EscapeBytes``, ``EscapeText``, ``EscapeString``, and ``EscapeUnicode`` are
deprecated.

As a result, the "lazy" behavior of the ``escape`` filter (where it would
always be applied as the last filter no matter where in the filter chain it
appeared) is deprecated. The filter will change to immediately apply
:func:`~django.utils.html.conditional_escape` in Django 2.0.

``Manager.use_for_related_fields`` and inheritance changes
----------------------------------------------------------

``Manager.use_for_related_fields`` is deprecated in favor of setting
:attr:`Meta.base_manager_name <django.db.models.Options.base_manager_name>` on
the model.

Model ``Manager`` inheritance will follow MRO inheritance rules in Django 2.0,
changing the current behavior where managers defined on non-abstract base
classes aren't inherited by child classes. A deprecating warning with
instructions on how to adapt your code is raised if you have any affected
managers. You'll either redeclare a manager from an abstract model on the child
class to override the manager from the concrete model, or you'll set the
model's ``Meta.manager_inheritance_from_future=True`` option to opt-in to the
new inheritance behavior.

During the deprecation period, ``use_for_related_fields`` will be honored and
raise a warning, even if a ``base_manager_name`` is set. This allows
third-party code to preserve legacy behavior while transitioning to the new
API. The warning can be silenced by setting
``silence_use_for_related_fields_deprecation=True`` on the manager.

Miscellaneous
-------------

* The ``makemigrations --exit`` option is deprecated in favor of the
 :option:`makemigrations --check` option.

* ``django.utils.functional.allow_lazy()`` is deprecated in favor of the new
 :func:`~django.utils.functional.keep_lazy` function which can be used with a
 more natural decorator syntax.

* The ``shell --plain`` option is deprecated in favor of ``-i python`` or
 ``--interface python``.

* Importing from the ``django.core.urlresolvers`` module is deprecated in
 favor of its new location, :mod:`django.urls`.

* The template ``Context.has_key()`` method is deprecated in favor of ``in``.

* The private attribute ``virtual_fields`` of ``Model._meta`` is
 deprecated in favor of ``private_fields``.

* The private keyword arguments ``virtual_only`` in
 ``Field.contribute_to_class()`` and ``virtual`` in
 ``Model._meta.add_field()`` are deprecated in favor of ``private_only``
 and ``private``, respectively.

* The ``javascript_catalog()`` and ``json_catalog()`` views are deprecated in
 favor of class-based views :class:`~django.views.i18n.JavaScriptCatalog`
 and :class:`~django.views.i18n.JSONCatalog`.

* In multi-table inheritance, implicit promotion of a ``OneToOneField`` to a
 ``parent_link`` is deprecated. Add ``parent_link=True`` to such fields.

* The private API ``Widget._format_value()`` is made public and renamed to
 :meth:`~django.forms.Widget.format_value`. The old name will work
 through a deprecation period.

* Private ``FileField`` methods ``get_directory_name()`` and ``get_filename()``
 are deprecated in favor of performing this work in
 :meth:`Storage.generate_filename()
 <django.core.files.storage.Storage.generate_filename>`).

* Old-style middleware that uses  ``settings.MIDDLEWARE_CLASSES`` are
 deprecated. :ref:`Adapt old, custom middleware <upgrading-middleware>` and
 use the new :setting:`MIDDLEWARE` setting.

.. _removed-features-1.10:

Features removed in 1.10
========================

These features have reached the end of their deprecation cycle and are removed
in Django 1.10. See :ref:`deprecated-features-1.8` for details, including how
to remove usage of these features.

* Support for calling a ``SQLCompiler`` directly as an alias for calling its
 ``quote_name_unless_alias`` method is removed.

* The ``cycle`` and ``firstof`` template tags are removed from the ``future``
 template tag library.

* ``django.conf.urls.patterns()`` is removed.

* Support for the ``prefix`` argument to
 ``django.conf.urls.i18n.i18n_patterns()`` is removed.

* ``SimpleTestCase.urls`` is removed.

* Using an incorrect count of unpacked values in the ``for`` template tag
 raises an exception rather than failing silently.

* The ability to :func:`~django.urls.reverse` URLs using a dotted Python path
 is removed.

* The ability to use a dotted Python path for the ``LOGIN_URL`` and
 ``LOGIN_REDIRECT_URL`` settings is removed.

* Support for ``optparse`` is dropped for custom management commands.

* The class ``django.core.management.NoArgsCommand`` is removed.

* ``django.core.context_processors``
lock[bot] commented 6 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.