==========================
Django 1.2.4 release notes
==========================

Welcome to Django 1.2.4!

This is the fourth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase.

With one exception, Django 1.2.4 maintains backwards compatibility
with Django 1.2.3. It also contains a number of fixes and other
improvements. Django 1.2.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.

Backwards incompatible changes
==============================

Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.

To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.
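
The validation rule described above, sketched as an added example (this is not Django's own code): a lookup key is accepted only if it names a field on the viewed model or a relation path in a developer-supplied whitelist. The function names, the sample Article fields and the non-filter parameter names are assumptions made for the illustration.

```python
from urllib.parse import parse_qsl

# Lookup-type suffixes from the Django database API (subset, for this sketch).
LOOKUP_TYPES = {
    "exact", "iexact", "contains", "icontains", "in", "gt", "gte", "lt",
    "lte", "startswith", "endswith", "range", "year", "month", "day",
    "isnull", "regex", "iregex",
}
# Assumed names of changelist parameters that are not filters (paging, search).
NON_FILTER_PARAMS = {"p", "q"}


def lookup_allowed(key, model_fields, allowed_relations):
    """True if `key` names a field on the viewed model, or a relation
    path the developer has explicitly whitelisted."""
    parts = key.split("__")
    # Drop one trailing lookup type ("__regex", "__year", ...), keeping the path.
    if len(parts) > 1 and parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]
    if len(parts) == 1:
        return parts[0] in model_fields
    # Anything longer crosses a relation and must be whitelisted verbatim.
    return "__".join(parts) in allowed_relations


def rejected_lookups(querystring, model_fields, allowed_relations):
    """Return the filter keys in `querystring` that must be refused."""
    return [
        key
        for key, _ in parse_qsl(querystring, keep_blank_values=True)
        if key not in NON_FILTER_PARAMS
        and not lookup_allowed(key, model_fields, allowed_relations)
    ]


# Constructed sample: an Article model with a foreign key to its author.
ARTICLE_FIELDS = {"id", "title", "pub_date", "author"}
ARTICLE_ALLOWED = {"author__username"}  # relation whitelisted by the developer

if __name__ == "__main__":
    qs = "title__icontains=django&pub_date__year=2010&author__password__regex=a&p=2"
    print(rejected_lookups(qs, ARTICLE_FIELDS, ARTICLE_ALLOWED))
```

A request whose querystring yields a non-empty list from ``rejected_lookups`` would be refused rather than passed on to the database API.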

One new feature
===============

Ordinarily, a point release would not include new features, but in the
case of Django 1.2.4, we have made an exception to this rule.

One of the bugs fixed in Django 1.2.4 involves a set of
circumstances whereby running a test suite on a multiple-database
configuration could cause the original source database (i.e., the
actual production database) to be dropped, causing catastrophic loss
of data. In order to provide a fix for this problem, it was necessary
to introduce a new setting -- :setting:`TEST_DEPENDENCIES` -- that
allows you to define any creation order dependencies in your database
configuration.

Most users -- even users with multiple-database configurations -- need
not be concerned about the data loss bug, or the manual configuration of
:setting:`TEST_DEPENDENCIES`. See the `original problem report`_ and the
documentation on :ref:`controlling the creation order of test
databases <topics-testing-creation-dependencies>` for details.

.. _original problem report: http://code.djangoproject.com/ticket/14415

GeoDjango
=========

The function-based :setting:`TEST_RUNNER` previously used to execute
the GeoDjango test suite, :func:`django.contrib.gis.tests.run_gis_tests`,
was finally deprecated in favor of a class-based test runner,
:class:`django.contrib.gis.tests.GeoDjangoTestSuiteRunner`, added in this
release.

In addition, the GeoDjango test suite is now included when
:ref:`running the Django test suite <running-unit-tests>` with ``runtests.py``
and using :ref:`spatial database backends <spatial-backends>`.