Removed an incorrect deprecation warning about a missing renderer
argument if a Widget.render() method accepts **kwargs
(:ticket:28265).
Fixed a regression causing Model.__init__() to crash if a field has an
instance only descriptor (:ticket:28269).
Fixed an incorrect DisallowedModelAdminLookup exception when using
a nested reverse relation in list_filter (:ticket:28262).
Fixed admin's FieldListFilter.get_queryset() crash on invalid input
(:ticket:28202).
Fixed invalid HTML for a required AdminFileWidget (:ticket:28278).
Fixed model initialization to set the name of class-based model indexes
for models that only inherit models.Model (:ticket:28282).
Fixed crash in admin's inlines when a model has an inherited non-editable
primary key (:ticket:27967).
Fixed QuerySet.union(), intersection(), and difference() when
combining with an EmptyQuerySet (:ticket:28293).
Prevented Paginator’s unordered object list warning from evaluating a
QuerySet (:ticket:28284).
Fixed the value of redirect_field_name in LoginView’s template
context. It's now an empty string (as it is for the original function-based
login() view) if the corresponding parameter isn't sent in a request (in
particular, when the login page is accessed directly) (:ticket:28229).
Prevented attribute values in the django/forms/widgets/attrs.html
template from being localized so that numeric attributes (e.g. max and
min) of NumberInput work correctly (:ticket:28303).
Removed casting of the option value to a string in the template context of
the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect,
SelectMultiple, and Select widgets (:ticket:28176). In Django
1.11.1, casting was added in Python to avoid localization of numeric values
in Django templates, but this made some use cases more difficult. Casting is
now done in the template using the |stringformat:'s' filter.
Prevented a primary key alteration from adding a foreign key constraint if
db_constraint=False (:ticket:28298).
Fixed UnboundLocalError crash in RenameField with nonexistent field
(:ticket:28350).
Fixed a regression preventing a model field's limit_choices_to from being
evaluated when a ModelForm is instantiated (:ticket:28345).
===========================
1.11.2
===========================
June 1, 2017
Django 1.11.2 adds a minor feature and fixes several bugs in 1.11.1. Also, the
latest string translations from Transifex are incorporated.
Minor feature
The new LiveServerTestCase.port attribute reallows the use case of binding
to a specific port following the :ref:bind to port zero <liveservertestcase-port-zero-change> change in Django 1.11.
Bugfixes
Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported
versions 1.7 and 1.8 (:ticket:28181).
Changed contrib.gis to raise ImproperlyConfigured rather than
GDALException if gdal isn't installed, to allow third-party apps to
catch that exception (:ticket:28178).
Fixed django.utils.http.is_safe_url() crash on invalid IPv6 URLs
(:ticket:28142).
Fixed regression causing pickling of model fields to crash (:ticket:28188).
Fixed django.contrib.auth.authenticate() when multiple authentication
backends don't accept a positional request argument (:ticket:28207).
Fixed introspection of index field ordering on PostgreSQL (:ticket:28197).
Fixed a regression where Model._state.adding wasn't set correctly on
multi-table inheritance parent models after saving a child model
(:ticket:28210).
Allowed DjangoJSONEncoder to serialize
django.utils.deprecation.CallableBool (:ticket:28230).
Relaxed the validation added in Django 1.11 of the fields in the defaults
argument of QuerySet.get_or_create() and update_or_create() to
reallow settable model properties (:ticket:28222).
Fixed MultipleObjectMixin.paginate_queryset() crash on Python 2 if the
InvalidPage message contains non-ASCII (:ticket:28204).
Prevented Subquery from adding an unnecessary CAST which resulted in
invalid SQL (:ticket:28199).
Corrected detection of GDAL 2.1 on Windows (:ticket:28181).
Made date-based generic views return a 404 rather than crash when given an
out of range date (:ticket:28209).
Fixed a regression where file_move_safe() crashed when moving files to a
CIFS mount (:ticket:28170).
Moved the ImageField file extension validation added in Django 1.11 from
the model field to the form field to reallow the use case of storing images
without an extension (:ticket:28242).
===========================
1.11.1
===========================
May 6, 2017
Django 1.11.1 adds a minor feature and fixes several bugs in 1.11.
Allowed disabling server-side cursors on PostgreSQL
The change in Django 1.11 to make :meth:.QuerySet.iterator() use server-side
cursors on PostgreSQL prevents running Django with pgBouncer in transaction
pooling mode. To reallow that, use the :setting:DISABLE_SERVER_SIDE_CURSORS <DATABASE-DISABLE_SERVER_SIDE_CURSORS> setting in :setting:DATABASES.
See :ref:transaction-pooling-server-side-cursors for more discussion.
Bugfixes
Made migrations respect Index’s name argument. If you created a
named index with Django 1.11, makemigrations will create a migration to
recreate the index with the correct name (:ticket:28051).
Fixed a crash when using a __icontains lookup on a ArrayField
(:ticket:28038).
Fixed a crash when using a two-tuple in EmailMessage’s attachments
argument (:ticket:28042).
Fixed QuerySet.filter() crash when it references the name of a
OneToOneField primary key (:ticket:28047).
Fixed empty POST data table appearing instead of "No POST data" in HTML debug
page (:ticket:28079).
Restored BoundField\s without any choices evaluating to True
(:ticket:28058).
Prevented SessionBase.cycle_key() from losing session data if
_session_cache isn't populated (:ticket:28066).
Fixed layout of ReadOnlyPasswordHashWidget (used in the admin's user
change page) (:ticket:28097).
Allowed prefetch calls on managers with custom ModelIterable subclasses
(:ticket:28096).
Fixed change password link in the contrib.auth admin for el,
es_MX, and pt translations (:ticket:28100).
Restored the output of the class attribute in the <ul> of widgets
that use the multiple_input.html template. This fixes
ModelAdmin.radio_fields with admin.HORIZONTAL (:ticket:28059).
Fixed crash in BaseGeometryWidget.subwidgets() (:ticket:28039).
Fixed exception reraising in ORM query execution when cursor.execute()
fails and the subsequent cursor.close() also fails (:ticket:28091).
Fixed a regression where CheckboxSelectMultiple, NullBooleanSelect,
RadioSelect, SelectMultiple, and Select localized option values
(:ticket:28075).
Corrected the stack level of unordered queryset pagination warnings
(:ticket:28109).
Fixed a regression causing incorrect queries for __in subquery lookups
when models use ForeignKey.to_field (:ticket:28101).
Fixed crash when overriding the template of
django.views.static.directory_index() (:ticket:28122).
Fixed a regression in formset min_num validation with unchanged forms
that have initial data (:ticket:28130).
Prepared for cx_Oracle 6.0 support (:ticket:28138).
Updated the contrib.postgresSplitArrayWidget to use template-based
widget rendering (:ticket:28040).
Fixed crash in BaseGeometryWidget.get_context() when overriding existing
attrs (:ticket:28105).
Prevented AddIndex and RemoveIndex from mutating model state
(:ticket:28043).
Prevented migrations from dropping database indexes from Meta.indexes
when changing Field.db_index to False (:ticket:28052).
Fixed a regression in choice ordering in form fields with grouped and
non-grouped options (:ticket:28157).
Fixed crash in BaseInlineFormSet._construct_form() when using
save_as_new (:ticket:28159).
Fixed a regression where Model._state.db wasn't set correctly on
multi-table inheritance parent models after saving a child model
(:ticket:28166).
Corrected the return type of ArrayField(CITextField()) values retrieved
from the database (:ticket:28161).
Fixed QuerySet.prefetch_related() crash when fetching relations in nested
Prefetch objects (:ticket:27554).
Prevented hiding GDAL errors if it's not installed when using contrib.gis
(:ticket:28160). (It's a required dependency as of Django 1.11.)
Fixed a regression causing __in lookups on a foreign key to fail when
using the foreign key's parent model as the lookup value (:ticket:28175).
=========================
1.11
=========================
April 4, 2017
Welcome to Django 1.11!
These release notes cover the :ref:new features <whats-new-1.11>, as well as
some :ref:backwards incompatible changes <backwards-incompatible-1.11> you'll
want to be aware of when upgrading from Django 1.10 or older versions. We've
:ref:begun the deprecation process for some features <deprecated-features-1.11>.
See the :doc:/howto/upgrade-version guide if you're updating an existing
project.
Django 1.11 is designated as a :term:long-term support release. It will
receive security updates for at least three years after its release. Support
for the previous LTS, Django 1.8, will end in April 2018.
Python compatibility
Django 1.11 requires Python 2.7, 3.4, 3.5, or 3.6. Django 1.11 is the first
release to support Python 3.6. We highly recommend and only officially
support the latest release of each series.
The Django 1.11.x series is the last to support Python 2. The next major
release, Django 2.0, will only support Python 3.5+.
Deprecating warnings are no longer loud by default
Unlike older versions of Django, Django's own deprecation warnings are no
longer displayed by default. This is consistent with Python's default behavior.
This change allows third-party apps to support both Django 1.11 LTS and Django
1.8 LTS without having to add code to avoid deprecation warnings.
Following the release of Django 2.0, we suggest that third-party app authors
drop support for all versions of Django prior to 1.11. At that time, you should
be able run your package's tests using python -Wd so that deprecation
warnings do appear. After making the deprecation warning fixes, your app should
be compatible with Django 2.0.
.. _whats-new-1.11:
What's new in Django 1.11
Class-based model indexes
The new :mod:django.db.models.indexes module contains classes which ease
creating database indexes. Indexes are added to models using the
:attr:Meta.indexes <django.db.models.Options.indexes> option.
The :class:~django.db.models.Index class creates a b-tree index, as if you
used :attr:~django.db.models.Field.db_index on the model field or
:attr:~django.db.models.Options.index_together on the model Meta class.
It can be subclassed to support different index types, such as
:class:~django.contrib.postgres.indexes.GinIndex. It also allows defining the
order (ASC/DESC) for the columns of the index.
Template-based widget rendering
To ease customizing widgets, form widget rendering is now done using the
template system rather than in Python. See :doc:/ref/forms/renderers.
You may need to adjust any custom widgets that you've written for a few
:ref:backwards incompatible changes <template-widget-incompatibilities-1-11>.
Subquery expressions
The new :class:~django.db.models.Subquery and
:class:~django.db.models.Exists database expressions allow creating
explicit subqueries. Subqueries may refer to fields from the outer queryset
using the :class:~django.db.models.OuterRef class.
Minor features
:mod:django.contrib.admin
* :attr:`.ModelAdmin.date_hierarchy` can now reference fields across relations.
* The new :meth:`ModelAdmin.get_exclude()
<django.contrib.admin.ModelAdmin.get_exclude>` hook allows specifying the
exclude fields based on the request or model instance.
* The ``popup_response.html`` template can now be overridden per app, per
model, or by setting the :attr:`.ModelAdmin.popup_response_template`
attribute.
:mod:`django.contrib.auth`
The default iteration count for the PBKDF2 password hasher is increased by
20%.
The :class:~django.contrib.auth.views.LoginView and
:class:~django.contrib.auth.views.LogoutView class-based views supersede the
deprecated login() and logout() function-based views.
The :class:~django.contrib.auth.views.PasswordChangeView,
:class:~django.contrib.auth.views.PasswordChangeDoneView,
:class:~django.contrib.auth.views.PasswordResetView,
:class:~django.contrib.auth.views.PasswordResetDoneView,
:class:~django.contrib.auth.views.PasswordResetConfirmView, and
:class:~django.contrib.auth.views.PasswordResetCompleteView class-based
views supersede the deprecated password_change(),
password_change_done(), password_reset(), password_reset_done(),
password_reset_confirm(), and password_reset_complete() function-based
views.
The new post_reset_login attribute for
:class:~django.contrib.auth.views.PasswordResetConfirmView allows
automatically logging in a user after a successful password reset.
If you have multiple AUTHENTICATION_BACKENDS configured, use the
post_reset_login_backend attribute to choose which one to use.
To avoid the possibility of leaking a password reset token via the HTTP
Referer header (for example, if the reset page includes a reference to CSS or
JavaScript hosted on another domain), the
:class:~django.contrib.auth.views.PasswordResetConfirmView (but not the
deprecated password_reset_confirm() function-based view) stores the token
in a session and redirects to itself to present the password change form to
the user without the token in the URL.
:func:~django.contrib.auth.update_session_auth_hash now rotates the session
key to allow a password change to invalidate stolen session cookies.
The new success_url_allowed_hosts attribute for
:class:~django.contrib.auth.views.LoginView and
:class:~django.contrib.auth.views.LogoutView allows specifying a set of
hosts that are safe for redirecting after login and logout.
Added password validators help_text to
:class:~django.contrib.auth.forms.UserCreationForm.
The HttpRequest is now passed to :func:~django.contrib.auth.authenticate
which in turn passes it to the authentication backend if it accepts a
request argument.
The :func:~django.contrib.auth.signals.user_login_failed signal now
receives a request argument.
:class:~django.contrib.auth.forms.PasswordResetForm supports custom user
models that use an email field named something other than 'email'.
Set :attr:CustomUser.EMAIL_FIELD <django.contrib.auth.models.CustomUser.EMAIL_FIELD> to the name of the field.
:func:~django.contrib.auth.get_user_model can now be called at import time,
even in modules that define models.
:mod:django.contrib.contenttypes
* When stale content types are detected in the
:djadmin:`remove_stale_contenttypes` command, there's now a list of related
objects such as ``auth.Permission``\s that will also be deleted. Previously,
only the content types were listed (and this prompt was after ``migrate``
rather than in a separate command).
:mod:`django.contrib.gis`
The new :meth:.GEOSGeometry.from_gml and :meth:.OGRGeometry.from_gml
methods allow creating geometries from GML.
Added support for the :lookup:dwithin lookup on SpatiaLite.
The :class:~django.contrib.gis.db.models.functions.Area function,
:class:~django.contrib.gis.db.models.functions.Distance function, and
distance lookups now work with geodetic coordinates on SpatiaLite.
The OpenLayers-based form widgets now use OpenLayers.js from
https://cdnjs.cloudflare.com which is more suitable for production use
than the the old http://openlayers.org source. They are also updated to
use OpenLayers 3.
PostGIS migrations can now change field dimensions.
Added the ability to pass the size, shape, and offset parameter when
creating :class:~django.contrib.gis.gdal.GDALRaster objects.
Added SpatiaLite support for the
:class:~django.contrib.gis.db.models.functions.IsValid function,
:class:~django.contrib.gis.db.models.functions.MakeValid function, and
:lookup:isvalid lookup.
Added Oracle support for the
:class:~django.contrib.gis.db.models.functions.AsGML function,
:class:~django.contrib.gis.db.models.functions.BoundingCircle function,
:class:~django.contrib.gis.db.models.functions.IsValid function, and
:lookup:isvalid lookup.
:mod:django.contrib.postgres
* The new ``distinct`` argument for
:class:`~django.contrib.postgres.aggregates.StringAgg` determines if
concatenated values will be distinct.
* The new :class:`~django.contrib.postgres.indexes.GinIndex` and
:class:`~django.contrib.postgres.indexes.BrinIndex` classes allow
creating ``GIN`` and ``BRIN`` indexes in the database.
* :class:`~django.contrib.postgres.fields.JSONField` accepts a new ``encoder``
parameter to specify a custom class to encode data types not supported by the
standard encoder.
* The new :class:`~django.contrib.postgres.fields.CIText` mixin and
:class:`~django.contrib.postgres.operations.CITextExtension` migration
operation allow using PostgreSQL's ``citext`` extension for case-insensitive
lookups. Three fields are provided: :class:`.CICharField`,
:class:`.CIEmailField`, and :class:`.CITextField`.
* The new :class:`~django.contrib.postgres.aggregates.JSONBAgg` allows
aggregating values as a JSON array.
* The :class:`~django.contrib.postgres.fields.HStoreField` (model field) and
:class:`~django.contrib.postgres.forms.HStoreField` (form field) allow
storing null values.
Cache
Memcached backends now pass the contents of :setting:OPTIONS <CACHES-OPTIONS>
as keyword arguments to the client constructors, allowing for more advanced
control of client behavior. See the :ref:cache arguments <cache_arguments>
documentation for examples.
Memcached backends now allow defining multiple servers as a comma-delimited
string in :setting:LOCATION <CACHES-LOCATION>, for convenience with
third-party services that use such strings in environment variables.
CSRF
* Added the :setting:`CSRF_USE_SESSIONS` setting to allow storing the CSRF
token in the user's session rather than in a cookie.
Database backends
Added the skip_locked argument to :meth:.QuerySet.select_for_update()
on PostgreSQL 9.5+ and Oracle to execute queries with
FOR UPDATE SKIP LOCKED.
Added the :setting:TEST['TEMPLATE'] <TEST_TEMPLATE> setting to let
PostgreSQL users specify a template for creating the test database.
:meth:.QuerySet.iterator() now uses :ref:server-side cursors <psycopg2:server-side-cursors> on PostgreSQL. This feature transfers some of
the worker memory load (used to hold query results) to the database and might
increase database memory usage.
Added MySQL support for the 'isolation_level' option in
:setting:OPTIONS to allow specifying the :ref:transaction isolation level <mysql-isolation-level>. To avoid possible data loss, it's recommended to
switch from MySQL's default level, repeatable read, to read committed.
Added support for cx_Oracle 5.3.
Email
* Added the :setting:`EMAIL_USE_LOCALTIME` setting to allow sending SMTP date
headers in the local time zone rather than in UTC.
* ``EmailMessage.attach()`` and ``attach_file()`` now fall back to MIME type
``application/octet-stream`` when binary content that can't be decoded as
UTF-8 is specified for a ``text/*`` attachment.
File Storage
To make it wrappable by :class:io.TextIOWrapper,
:class:~django.core.files.File now has the readable(), writable(),
and seekable() methods.
Forms
* The new :attr:`CharField.empty_value <django.forms.CharField.empty_value>`
attribute allows specifying the Python value to use to represent "empty".
* The new :meth:`Form.get_initial_for_field()
<django.forms.Form.get_initial_for_field>` method returns initial data for a
form field.
Internationalization
Number formatting and the :setting:NUMBER_GROUPING setting support
non-uniform digit grouping.
Management Commands
* The new :option:`loaddata --exclude` option allows excluding models and apps
while loading data from fixtures.
* The new :option:`diffsettings --default` option allows specifying a settings
module other than Django's default settings to compare against.
* ``app_label``\s arguments now limit the :option:`showmigrations --plan`
output.
Migrations
Added support for serialization of uuid.UUID objects.
Models
* Added support for callable values in the ``defaults`` argument of
:meth:`QuerySet.update_or_create()
<django.db.models.query.QuerySet.update_or_create>` and
:meth:`~django.db.models.query.QuerySet.get_or_create`.
* :class:`~django.db.models.ImageField` now has a default
:data:`~django.core.validators.validate_image_file_extension` validator.
(This validator moved to the form field in :doc:`Django 1.11.2 <1.11.2>`.)
* Added support for time truncation to
:class:`~django.db.models.functions.datetime.Trunc` functions.
* Added the :class:`~django.db.models.functions.datetime.ExtractWeek` function
to extract the week from :class:`~django.db.models.DateField` and
:class:`~django.db.models.DateTimeField` and exposed it through the
:lookup:`week` lookup.
* Added the :class:`~django.db.models.functions.datetime.TruncTime` function
to truncate :class:`~django.db.models.DateTimeField` to its time component
and exposed it through the :lookup:`time` lookup.
* Added support for expressions in :meth:`.QuerySet.values` and
:meth:`~.QuerySet.values_list`.
* Added support for query expressions on lookups that take multiple arguments,
such as ``range``.
* You can now use the ``unique=True`` option with
:class:`~django.db.models.FileField`.
* Added the ``nulls_first`` and ``nulls_last`` parameters to
:class:`Expression.asc() <django.db.models.Expression.asc>` and
:meth:`~django.db.models.Expression.desc` to control
the ordering of null values.
* The new ``F`` expression ``bitleftshift()`` and ``bitrightshift()`` methods
allow :ref:`bitwise shift operations <using-f-expressions-in-filters>`.
* Added :meth:`.QuerySet.union`, :meth:`~.QuerySet.intersection`, and
:meth:`~.QuerySet.difference`.
Requests and Responses
:class:~django.middleware.common.CommonMiddleware now sets the
Content-Length response header for non-streaming responses.
Added the :setting:SECURE_HSTS_PRELOAD setting to allow appending the
preload directive to the Strict-Transport-Security header.
:class:~django.middleware.http.ConditionalGetMiddleware now adds the
ETag header to responses.
Serialization
* The new ``django.core.serializers.base.Serializer.stream_class`` attribute
allows subclasses to customize the default stream.
* The encoder used by the :ref:`JSON serializer <serialization-formats-json>`
can now be customized by passing a ``cls`` keyword argument to the
``serializers.serialize()`` function.
* :class:`~django.core.serializers.json.DjangoJSONEncoder` now serializes
:class:`~datetime.timedelta` objects (used by
:class:`~django.db.models.DurationField`).
Templates
:meth:~django.utils.safestring.mark_safe can now be used as a decorator.
The :class:~django.template.backends.jinja2.Jinja2 template backend now
supports context processors by setting the 'context_processors' option in
:setting:OPTIONS <TEMPLATES-OPTIONS>.
The :ttag:regroup tag now returns namedtuple\s instead of dictionaries
so you can unpack the group object directly in a loop, e.g.
{% for grouper, list in regrouped %}.
Added a :ttag:resetcycle template tag to allow resetting the sequence of
the :ttag:cycle template tag.
You can now specify specific directories for a particular
:class:filesystem.Loader <django.template.loaders.filesystem.Loader>.
Tests
* Added :meth:`.DiscoverRunner.get_test_runner_kwargs` to allow customizing the
keyword arguments passed to the test runner.
* Added the :option:`test --debug-mode` option to help troubleshoot test
failures by setting the :setting:`DEBUG` setting to ``True``.
* The new :func:`django.test.utils.setup_databases` (moved from
``django.test.runner``) and :func:`~django.test.utils.teardown_databases`
functions make it easier to build custom test runners.
* Added support for :meth:`python:unittest.TestCase.subTest`’s when using the
:option:`test --parallel` option.
* ``DiscoverRunner`` now runs the system checks at the start of a test run.
Override the :meth:`.DiscoverRunner.run_checks` method if you want to disable
that.
Validators
Added :class:~django.core.validators.FileExtensionValidator to validate
file extensions and
:data:~django.core.validators.validate_image_file_extension to validate
image files.
.. _backwards-incompatible-1.11:
Backwards incompatible changes in 1.11
:mod:django.contrib.gis
To simplify the codebase and because it's easier to install than when
contrib.gis was first released, :ref:gdalbuild is now a required
dependency for GeoDjango. In older versions, it's only required for SQLite.
contrib.gis.maps is removed as it interfaces with a retired version of
the Google Maps API and seems to be unmaintained. If you're using it, let us know <https://code.djangoproject.com/ticket/14284>_.
The GEOSGeometry equality operator now also compares SRID.
The OpenLayers-based form widgets now use OpenLayers 3, and the
gis/openlayers.html and gis/openlayers-osm.html templates have been
updated. Check your project if you subclass these widgets or extend the
templates. Also, the new widgets work a bit differently than the old ones.
Instead of using a toolbar in the widget, you click to draw, click and drag
to move the map, and click and drag a point/vertex/corner to move it.
Support for SpatiaLite < 4.0 is dropped.
Support for GDAL 1.7 and 1.8 is dropped.
The widgets in contrib.gis.forms.widgets and the admin's
OpenLayersWidget use the :doc:form rendering API </ref/forms/renderers>
rather than loader.render_to_string(). If you're using a custom widget
template, you'll need to be sure your form renderer can locate it. For
example, you could use the :class:~django.forms.renderers.TemplatesSetting
renderer.
:mod:django.contrib.staticfiles
collectstatic may now fail during post-processing when using a hashed
static files storage if a reference loop exists (e.g. 'foo.css'
references 'bar.css' which itself references 'foo.css') or if the
chain of files referencing other files is too deep to resolve in several
passes. In the latter case, increase the number of passes using
:attr:.ManifestStaticFilesStorage.max_post_process_passes.
When using ManifestStaticFilesStorage, static files not found in the
manifest at runtime now raise a ValueError instead of returning an
unchanged path. You can revert to the old behavior by setting
:attr:.ManifestStaticFilesStorage.manifest_strict to False.
Database backend API
This section describes changes that may be needed in third-party database
backends.
The DatabaseOperations.time_trunc_sql() method is added to support
TimeField truncation. It accepts a lookup_type and field_name
arguments and returns the appropriate SQL to truncate the given time field
field_name to a time object with only the given specificity. The
lookup_type argument can be either 'hour', 'minute', or
'second'.
The DatabaseOperations.datetime_cast_time_sql() method is added to
support the :lookup:time lookup. It accepts a field_name and tzname
arguments and returns the SQL necessary to cast a datetime value to time value.
To enable FOR UPDATE SKIP LOCKED support, set
DatabaseFeatures.has_select_for_update_skip_locked = True.
The new DatabaseFeatures.supports_index_column_ordering attribute
specifies if a database allows defining ordering for columns in indexes. The
default value is True and the DatabaseIntrospection.get_constraints()
method should include an 'orders' key in each of the returned
dictionaries with a list of 'ASC' and/or 'DESC' values corresponding
to the the ordering of each column in the index.
:djadmin:inspectdb no longer calls DatabaseIntrospection.get_indexes()
which is deprecated. Custom database backends should ensure all types of
indexes are returned by DatabaseIntrospection.get_constraints().
Renamed the ignores_quoted_identifier_case feature to
ignores_table_name_case to more accurately reflect how it is used.
The name keyword argument is added to the
DatabaseWrapper.create_cursor(self, name=None) method to allow usage of
server-side cursors on backends that support it.
Dropped support for PostgreSQL 9.2 and PostGIS 2.0
Upstream support for PostgreSQL 9.2 ends in September 2017. As a consequence,
Django 1.11 sets PostgreSQL 9.3 as the minimum version it officially supports.
Support for PostGIS 2.0 is also removed as PostgreSQL 9.2 is the last version
to support it.
Also, the minimum supported version of psycopg2 is increased from 2.4.5 to
2.5.4.
.. _liveservertestcase-port-zero-change:
LiveServerTestCase binds to port zero
Rather than taking a port range and iterating to find a free port,
LiveServerTestCase binds to port zero and relies on the operating system
to assign a free port. The DJANGO_LIVE_TEST_SERVER_ADDRESS environment
variable is no longer used, and as it's also no longer used, the
manage.py test --liveserver option is removed.
If you need to bind LiveServerTestCase to a specific port, use the port
attribute added in Django 1.11.2.
Protection against insecure redirects in :mod:django.contrib.auth and i18n views
LoginView, LogoutView (and the deprecated function-based equivalents),
and :func:~django.views.i18n.set_language protect users from being redirected
to non-HTTPS next URLs when the app is running over HTTPS.
QuerySet.get_or_create() and update_or_create() validate arguments
To prevent typos from passing silently,
:meth:~django.db.models.query.QuerySet.get_or_create and
:meth:~django.db.models.query.QuerySet.update_or_create check that their
arguments are model fields. This should be backwards-incompatible only in the
fact that it might expose a bug in your project.
pytz is a required dependency and support for settings.TIME_ZONE = None is removed
To simplify Django's timezone handling, pytz is now a required dependency.
It's automatically installed along with Django.
Support for settings.TIME_ZONE = None is removed as the behavior isn't
commonly used and is questionably useful. If you want to automatically detect
the timezone based on the system timezone, you can use tzlocal <https://pypi.python.org/pypi/tzlocal>_::
from tzlocal import get_localzone
TIME_ZONE = get_localzone().zone
This works similar to settings.TIME_ZONE = None except that it also sets
os.environ['TZ']. Let us know <https://groups.google.com/d/topic/django-developers/OAV3FChfuPM/discussion>__
if there's a use case where you find you can't adapt your code to set a
TIME_ZONE.
HTML changes in admin templates
<p class="help"> is replaced with a <div> tag to allow including lists
inside help text.
Read-only fields are wrapped in <div class="readonly">...</div> instead of
<p>...</p> to allow any kind of HTML as the field's content.
.. _template-widget-incompatibilities-1-11:
Changes due to the introduction of template-based widget rendering
Some undocumented classes in django.forms.widgets are removed:
The undocumented Select.render_option() method is removed.
The Widget.format_output() method is removed. Use a custom widget template
instead.
Some widget values, such as <select> options, are now localized if
settings.USE_L10N=True. You could revert to the old behavior with custom
widget templates that uses the :ttag:localize template tag to turn off
localization.
For compatibility with multiple template engines,
django.template.backends.django.Template.render() (returned from high-level
template loader APIs such as loader.get_template()) must receive a
dictionary of context rather than Context or RequestContext. If you
were passing either of the two classes, pass a dictionary instead -- doing so
is backwards-compatible with older versions of Django.
Model state changes in migration operations
To improve the speed of applying migrations, rendering of related models is
delayed until an operation that needs them (e.g. RunPython). If you have a
custom operation that works with model classes or model instances from the
from_state argument in database_forwards() or database_backwards(),
you must render model states using the clear_delayed_apps_cache() method as
described in :ref:writing your own migration operation <writing-your-own-migration-operation>.
Miscellaneous
If no items in the feed have a pubdate or updateddate attribute,
:meth:SyndicationFeed.latest_post_date() <django.utils.feedgenerator.SyndicationFeed.latest_post_date> now returns
the current UTC date/time, instead of a datetime without any timezone
information.
CSRF failures are logged to the django.security.csrf logger instead of
django.request.
:setting:ALLOWED_HOSTS validation is no longer disabled when running tests.
If your application includes tests with custom host names, you must include
those host names in :setting:ALLOWED_HOSTS. See
:ref:topics-testing-advanced-multiple-hosts.
Using a foreign key's id (e.g. 'field_id') in ModelAdmin.list_display
displays the related object's ID. Remove the _id suffix if you want the
old behavior of the string representation of the object.
In model forms, :class:~django.db.models.CharField with null=True now
saves NULL for blank values instead of empty strings.
On Oracle, :meth:Model.validate_unique() <django.db.models.Model.validate_unique> no longer checks empty strings for
uniqueness as the database interprets the value as NULL.
If you subclass :class:.AbstractUser and override clean(), be sure it
calls super(). :meth:.BaseUserManager.normalize_email is called in a
new :meth:.AbstractUser.clean method so that normalization is applied in
cases like model form validation.
EmailField and URLField no longer accept the strip keyword
argument. Remove it because it doesn't have an effect in older versions of
Django as these fields always strip whitespace.
The checked and selected attribute rendered by form widgets now uses
HTML5 boolean syntax rather than XHTML's checked='checked' and
selected='selected'.
:meth:RelatedManager.add() <django.db.models.fields.related.RelatedManager.add>,
:meth:~django.db.models.fields.related.RelatedManager.remove,
:meth:~django.db.models.fields.related.RelatedManager.clear, and
:meth:~django.db.models.fields.related.RelatedManager.set now
clear the prefetch_related() cache.
To prevent possible loss of saved settings,
:func:~django.test.utils.setup_test_environment now raises an exception if
called a second time before calling
:func:~django.test.utils.teardown_test_environment.
The undocumented DateTimeAwareJSONEncoder alias for
:class:~django.core.serializers.json.DjangoJSONEncoder (renamed in Django
1.0) is removed.
The :class:cached template loader <django.template.loaders.cached.Loader>
is now enabled if :setting:DEBUG is False and
:setting:OPTIONS['loaders'] <TEMPLATES-OPTIONS> isn't specified. This could
be backwards-incompatible if you have some :ref:template tags that aren't thread safe <template_tag_thread_safety>.
The prompt for stale content type deletion no longer occurs after running the
migrate command. Use the new :djadmin:remove_stale_contenttypes command
instead.
The admin's widget for IntegerField uses type="number" rather than
type="text".
Conditional HTTP headers are now parsed and compared according to the
:rfc:7232 Conditional Requests specification rather than the older
:rfc:2616.
:func:~django.utils.cache.patch_response_headers no longer adds a
Last-Modified header. According to the :rfc:7234section-4.2.2, this
header is useless alongside other caching headers that provide an explicit
expiration time, e.g. Expires or Cache-Control.
:class:~django.middleware.cache.UpdateCacheMiddleware and
:func:~django.utils.cache.add_never_cache_headers call
patch_response_headers() and therefore are also affected by this change.
In the admin templates, <p class="help"> is replaced with a <div> tag
to allow including lists inside help text.
:class:~django.middleware.http.ConditionalGetMiddleware no longer sets the
Date header as Web servers set that header. It also no longer sets the
Content-Length header as this is now done by
:class:~django.middleware.common.CommonMiddleware.
:meth:~django.apps.AppConfig.get_model and
:meth:~django.apps.AppConfig.get_models now raise
:exc:~django.core.exceptions.AppRegistryNotReady if they're called before
models of all applications have been loaded. Previously they only required
the target application's models to be loaded and thus could return models
without all their relations set up. If you need the old behavior of
get_model(), set the require_ready argument to False.
The unused BaseCommand.can_import_settings attribute is removed.
The undocumented django.utils.functional.lazy_property is removed.
For consistency with non-multipart requests, MultiPartParser.parse() now
leaves request.POST immutable. If you're modifying that QueryDict,
you must now first copy it, e.g. request.POST.copy().
Support for cx_Oracle < 5.2 is removed.
Support for IPython < 1.0 is removed from the shell command.
The signature of private API Widget.build_attrs() changed from
extra_attrs=None, **kwargs to base_attrs, extra_attrs=None.
File-like objects (e.g., :class:~io.StringIO and :class:~io.BytesIO)
uploaded to an :class:~django.db.models.ImageField using the test client
now require a name attribute with a value that passes the
:data:~django.core.validators.validate_image_file_extension validator.
See the note in :meth:.Client.post.
.. _deprecated-features-1.11:
Features deprecated in 1.11
models.permalink() decorator
Use :func:django.urls.reverse instead. For example::
contrib.auth’s login() and logout() function-based views are
deprecated in favor of new class-based views
:class:~django.contrib.auth.views.LoginView and
:class:~django.contrib.auth.views.LogoutView.
The unused extra_context parameter of
contrib.auth.views.logout_then_login() is deprecated.
contrib.auth’s password_change(), password_change_done(),
password_reset(), password_reset_done(), password_reset_confirm(),
and password_reset_complete() function-based views are deprecated in favor
of new class-based views
:class:~django.contrib.auth.views.PasswordChangeView,
:class:~django.contrib.auth.views.PasswordChangeDoneView,
:class:~django.contrib.auth.views.PasswordResetView,
:class:~django.contrib.auth.views.PasswordResetDoneView,
:class:~django.contrib.auth.views.PasswordResetConfirmView, and
:class:~django.contrib.auth.views.PasswordResetCompleteView.
django.test.runner.setup_databases() is moved to
:func:django.test.utils.setup_databases. The old location is deprecated.
django.utils.translation.string_concat() is deprecated in
favor of :func:django.utils.text.format_lazy. string_concat(*strings)
can be replaced by format_lazy('{}' * len(strings), *strings).
For the PyLibMCCache cache backend, passing pylibmc behavior settings
as top-level attributes of OPTIONS is deprecated. Set them under a
behaviors key within OPTIONS instead.
The host parameter of django.utils.http.is_safe_url() is deprecated
in favor of the new allowed_hosts parameter.
Silencing exceptions raised while rendering the
:ttag:{% include %} <include> template tag is deprecated as the behavior is
often more confusing than helpful. In Django 2.1, the exception will be
raised.
DatabaseIntrospection.get_indexes() is deprecated in favor of
DatabaseIntrospection.get_constraints().
:func:~django.contrib.auth.authenticate now passes a request argument
to the authenticate() method of authentication backends. Support for
methods that don't accept request as the first positional argument will
be removed in Django 2.1.
The USE_ETAGS setting is deprecated in favor of
:class:~django.middleware.http.ConditionalGetMiddleware which now adds the
ETag header to responses regardless of the setting. CommonMiddleware
and django.utils.cache.patch_response_headers() will no longer set ETags
when the deprecation ends.
Model._meta.has_auto_field is deprecated in favor of checking if
Model._meta.auto_field is not None.
Using regular expression groups with iLmsu in url() is deprecated.
The only group that's useful is (?i) for case-insensitive URLs, however,
case-insensitive URLs aren't a good practice because they create multiple
entries for search engines, for example. An alternative solution could be to
create a :data:~django.conf.urls.handler404 that looks for uppercase
characters in the URL and redirects to a lowercase equivalent.
The renderer argument is added to the :meth:Widget.render() <django.forms.Widget.render> method. Methods that don't accept that argument
will work through a deprecation period.
===========================
1.10.7
===========================
April 4, 2017
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
Django relies on user input in some cases (e.g.
:func:django.contrib.auth.views.login and :doc:i18n </topics/i18n/index>)
to redirect the user to an "on success" URL. The security check for these
redirects (namely django.utils.http.is_safe_url()) considered some numeric
URLs (e.g. http:999999999) "safe" when they shouldn't be.
Also, if a developer relies on is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.
CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
A maliciously crafted URL to a Django site using the
:func:~django.views.static.serve view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.
Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.
Bugfixes
Made admin's RelatedFieldWidgetWrapper use the wrapped widget's
value_omitted_from_data() method (:ticket:27905).
Fixed model form default fallback for SelectMultiple
(:ticket:27993).
===========================
1.10.6
===========================
March 1, 2017
Django 1.10.6 fixes several bugs in 1.10.5.
Bugfixes
Fixed ClearableFileInput’s "Clear" checkbox on model form fields where
the model field has a default (:ticket:27805).
Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing
rather than generating a bad request response (:ticket:27820).
Fixed a crash on Oracle and PostgreSQL when subtracting DurationField
or IntegerField from DateField (:ticket:27828).
Fixed query expression date subtraction accuracy on PostgreSQL for
differences larger than a month (:ticket:27856).
Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0
(:ticket:27479).
===========================
1.10.5
===========================
January 4, 2017
Django 1.10.5 fixes several bugs in 1.10.4.
Bugfixes
Fixed a crash in the debug view if request.user can't be retrieved, such
as if the database is unavailable (:ticket:27567).
Fixed occasional missing plural forms in JavaScriptCatalog
(:ticket:27418).
Fixed a regression in the timesince and timeuntil filters that caused
incorrect results for dates in a leap year (:ticket:27637).
Fixed a regression where collectstatic overwrote newer files in remote
storages (:ticket:27658).
===========================
1.10.4
===========================
December 1, 2016
Django 1.10.4 fixes several bugs in 1.10.3.
Bugfixes
Quoted the Oracle test user's password in queries to fix the "ORA-00922:
missing or invalid option" error when the password starts with a number or
special character (:ticket:27420).
Fixed incorrect app_label / model_name arguments for
allow_migrate() in makemigrations migration consistency checks
(:ticket:27461).
Made Model.delete(keep_parents=True) preserve parent reverse
relationships in multi-table inheritance (:ticket:27407).
Fixed a QuerySet.update() crash on SQLite when updating a
DateTimeField with an F() expression and a timedelta
(:ticket:27544).
Prevented LocaleMiddleware from redirecting on URLs that should return
404 when using prefix_default_language=False (:ticket:27402).
Prevented an unnecessary index from being created on an InnoDB ForeignKey
when the field was added after the model was created (:ticket:27558).
===========================
1.10.3
===========================
November 1, 2016
Django 1.10.3 fixes two security issues and several bugs in 1.10.2.
User with hardcoded password created when running tests on Oracle
When running tests with an Oracle database, Django creates a temporary database
user. In older versions, if a password isn't manually specified in the database
settings TEST dictionary, a hardcoded password is used. This could allow
an attacker with network access to the database server to connect.
This user is usually dropped after the test suite completes, but not when using
the manage.py test --keepdb option or if the user has an active session
(such as an attacker's connection).
A randomly generated password is now used for each test run.
DNS rebinding vulnerability when DEBUG=True
Older versions of Django don't validate the Host header against
settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them
vulnerable to a DNS rebinding attack <http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>_.
While Django doesn't ship a module that allows remote code execution, this is
at least a cross-site scripting vector, which could be quite serious if
developers load a copy of the production database in development or connect to
some production services for which there's no development instance, for
example. If a project uses a package like the django-debug-toolbar, then
the attacker could execute arbitrary SQL, which could be especially bad if the
developers connect to the database with a superuser account.
settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For
convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following
variations of localhost are allowed ['localhost', '127.0.0.1', '::1']. If
your local settings file has your production ALLOWED_HOSTS value, you must
now omit it to get those fallback values.
Bugfixes
Allowed User.is_authenticated and User.is_anonymous properties to be
tested for set membership (:ticket:27309).
Fixed a performance regression when running migrate in projects
with RenameModel operations (:ticket:27279).
Added model_name to the allow_migrate() calls in makemigrations
(:ticket:27200).
Made the JavaScriptCatalog view respect the packages argument;
previously it was ignored (:ticket:27374).
Fixed QuerySet.bulk_create() on PostgreSQL when the number of objects is
a multiple plus one of batch_size (:ticket:27385).
Prevented i18n_patterns() from using too much of the URL as the language
to fix a use case for prefix_default_language=False (:ticket:27063).
Replaced a possibly incorrect redirect from SessionMiddleware when a
session is destroyed in a concurrent request with a SuspiciousOperation
to indicate that the request can't be completed (:ticket:27363).
===========================
1.10.2
===========================
October 1, 2016
Django 1.10.2 fixes several bugs in 1.10.1.
Bugfixes
Fixed a crash in MySQL database validation where SELECT sql_mode
doesn't return a result (:ticket:27180).
Allowed combining contrib.postgres.search.SearchQuery with more than one
& or | operators (:ticket:27143).
Disabled system check for URL patterns beginning with a '/' when
APPEND_SLASH=False (:ticket:27238).
Fixed model form default fallback for CheckboxSelectMultiple,
MultiWidget, FileInput, SplitDateTimeWidget, SelectDateWidget,
and SplitArrayWidget (:ticket:27186). Custom widgets affected by this
issue should implement :meth:~django.forms.Widget.value_omitted_from_data.
Fixed a crash in runserver logging during a "Broken pipe" error
(:ticket:27271).
Fixed a regression where unchanged localized date/time fields were listed as
changed in the admin's model history messages (:ticket:27302).
===========================
1.10.1
===========================
September 1, 2016
Django 1.10.1 fixes several bugs in 1.10.
Bugfixes
Fixed a crash in MySQL connections where SELECT SQL_AUTO_IS_NULL
doesn't return a result (:ticket:26991).
Allowed User.is_authenticated and User.is_anonymous properties to be
compared using ==, !=, and | (:ticket:26988, :ticket:27154).
Removed the broken BaseCommand.usage() method which was for
optparse support (:ticket:27000).
Fixed a checks framework crash with an empty Meta.default_permissions
(:ticket:26997).
Fixed a regression in the number of queries when using RadioSelect with a
ModelChoiceField form field (:ticket:27001).
Fixed a crash if request.META['CONTENT_LENGTH'] is an empty string
(:ticket:27005).
Fixed the isnull lookup on a ForeignKey with its to_field
pointing to a CharField or pointing to a CharField defined with
primary_key=True (:ticket:26983).
Prevented the migrate command from raising
InconsistentMigrationHistory in the presence of unapplied squashed
migrations (:ticket:27004).
Fixed a regression in Client.force_login() which required specifying a
backend rather than automatically using the first one if multiple
backends are configured (:ticket:27027).
Made QuerySet.bulk_create() properly initialize model instances on
backends, such as PostgreSQL, that support returning the IDs of the created
records so that many-to-many relationships can be used on the new objects
(:ticket:27026).
Fixed crash of django.views.static.serve() with show_indexes enabled
(:ticket:26973).
Fixed ClearableFileInput to avoid the required HTML attribute when
initial data exists (:ticket:27037).
Fixed annotations with database functions when combined with lookups on
PostGIS (:ticket:27014).
Reallowed the {% for %} tag to unpack any iterable (:ticket:27058).
Made makemigrations skip inconsistent history checks on non-default
databases if database routers aren't in use or if no apps can be migrated
to the database (:ticket:27054, :ticket:27110, :ticket:27142).
Removed duplicated managers in Model._meta.managers (:ticket:27073).
Fixed contrib.admindocs crash when a view is in a class, such as some of
the admin views (:ticket:27018).
Reverted a few admin checks that checked field.many_to_many back to
isinstance(field, models.ManyToManyField) since it turned out the checks
weren't suitable to be generalized like that (:ticket:26998).
Added the database alias to the InconsistentMigrationHistory message
raised by makemigrations and migrate (:ticket:27089).
Fixed the creation of ContentType and Permission objects for models
of applications without migrations when calling the migrate command with
no migrations to apply (:ticket:27044).
Included the already applied migration state changes in the Apps instance
provided to the pre_migrate signal receivers to allow ContentType
renaming to be performed on model rename (:ticket:27100).
Reallowed subclassing UserCreationForm without USERNAME_FIELD in
Meta.fields (:ticket:27111).
Fixed a regression in model forms where model fields with a default that
didn't appear in POST data no longer used the default (:ticket:27039).
=========================
1.10
=========================
August 1, 2016
Welcome to Django 1.10!
These release notes cover the :ref:new features <whats-new-1.10>, as well as
some :ref:backwards incompatible changes <backwards-incompatible-1.10> you'll
want to be aware of when upgrading from Django 1.9 or older versions. We've
:ref:dropped some features <removed-features-1.10> that have reached the end
of their deprecation cycle, and we've :ref:begun the deprecation process for some features <deprecated-features-1.10>.
See the :doc:/howto/upgrade-version guide if you're updating an existing
project.
Python compatibility
Like Django 1.9, Django 1.10 requires Python 2.7, 3.4, or 3.5. We highly
recommend and only officially support the latest release of each series.
.. _whats-new-1.10:
What's new in Django 1.10
Full text search for PostgreSQL
django.contrib.postgres now includes a :doc:collection of database functions </ref/contrib/postgres/search> to allow the use of the full text
search engine. You can search across multiple fields in your relational
database, combine the searches with other lookups, use different language
configurations and weightings, and rank the results by relevance.
It also now includes trigram support, using the :lookup:trigram_similar
lookup, and the :class:~django.contrib.postgres.search.TrigramSimilarity and
:class:~django.contrib.postgres.search.TrigramDistance expressions.
New-style middleware
:doc:A new style of middleware is introduced </topics/http/middleware> to
solve the lack of strict request/response layering of the old-style of
middleware described in DEP 0005 <https://github.com/django/deps/blob/master/final/0005-improved-middleware.rst>_.
You'll need to :ref:adapt old, custom middleware <upgrading-middleware> and
switch from the MIDDLEWARE_CLASSES setting to the new :setting:MIDDLEWARE
setting to take advantage of the improvements.
Official support for Unicode usernames
The :class:~django.contrib.auth.models.User model in django.contrib.auth
originally only accepted ASCII letters in usernames. Although it wasn't a
deliberate choice, Unicode characters have always been accepted when using
Python 3.
The username validator now explicitly accepts Unicode letters by
default on Python 3 only. This default behavior can be overridden by changing
the :attr:~django.contrib.auth.models.User.username_validator attribute of
the User model, or to any proxy of that model, using either
:class:~django.contrib.auth.validators.ASCIIUsernameValidator or
:class:~django.contrib.auth.validators.UnicodeUsernameValidator. Custom user
models may also use those validators.
Minor features
:mod:django.contrib.admin
* For sites running on a subpath, the default :attr:`URL for the "View site"
link <django.contrib.admin.AdminSite.site_url>` at the top of each admin page
will now point to ``request.META['SCRIPT_NAME']`` if set, instead of ``/``.
* The success message that appears after adding or editing an object now
contains a link to the object's change form.
* All inline JavaScript is removed so you can enable the
``Content-Security-Policy`` HTTP header if you wish.
* The new :attr:`InlineModelAdmin.classes
<django.contrib.admin.InlineModelAdmin.classes>` attribute allows specifying
classes on inline fieldsets. Inlines with a ``collapse`` class will be
initially collapsed and their header will have a small "show" link.
* If a user doesn't have the add permission, the ``object-tools`` block on a
model's changelist will now be rendered (without the add button, of course).
This makes it easier to add custom tools in this case.
* The :class:`~django.contrib.admin.models.LogEntry` model now stores change
messages in a JSON structure so that the message can be dynamically translated
using the current active language. A new ``LogEntry.get_change_message()``
method is now the preferred way of retrieving the change message.
* Selected objects for fields in ``ModelAdmin.raw_id_fields`` now have a link
to object's change form.
* Added "No date" and "Has date" choices for ``DateFieldListFilter`` if the
field is nullable.
* The jQuery library embedded in the admin is upgraded from version 2.1.4 to
2.2.3.
:mod:`django.contrib.auth`
Added support for the :ref:Argon2 password hash <argon2_usage>. It's
recommended over PBKDF2, however, it's not the default as it requires a
third-party library.
The default iteration count for the PBKDF2 password hasher has been increased
by 25%. This backwards compatible change will not affect users who have
subclassed django.contrib.auth.hashers.PBKDF2PasswordHasher to change the
default value.
The :func:~django.contrib.auth.views.logout view sends "no-cache" headers
to prevent an issue where Safari caches redirects and prevents a user from
being able to log out.
Added the optional backend argument to :func:~django.contrib.auth.login
to allow using it without credentials.
The new :setting:LOGOUT_REDIRECT_URL setting controls the redirect of the
:func:~django.contrib.auth.views.logout view, if the view doesn't get a
next_page argument.
The new redirect_authenticated_user parameter for the
:func:~django.contrib.auth.views.login view allows redirecting
authenticated users visiting the login page.
The new :class:~django.contrib.auth.backends.AllowAllUsersModelBackend and
:class:~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend ignore
the value of ``U
django is not pinned to a specific version.
I'm pinning it to the latest version 1.11.3 for now.
These links might come in handy: PyPI | Changelog | Homepage
Changelog