==========================
Django 1.2.4 release notes
==========================

Welcome to Django 1.2.4!

This is the fourth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase.

With one exception, Django 1.2.4 maintains backwards compatibility
with Django 1.2.3. It also contains a number of fixes and other
improvements. Django 1.2.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.

Backwards incompatible changes
==============================

Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically undocumented and unofficially supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.
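
An added illustration of the validation rule this release adopts (this is
example code, not django.contrib.admin's own implementation): a querystring
lookup argument is accepted only when it names a field on the model being
viewed, or a relation path the application developer has explicitly
whitelisted. The schema, whitelist and helper names below are constructed
for the example.

```python
"""Simplified model of admin querystring lookup validation (added example,
not Django's code). Schema, whitelist and helper names are constructed."""
from urllib.parse import parse_qsl

# Lookup types that may appear as the last component of a lookup argument.
QUERY_TERMS = {"exact", "iexact", "contains", "icontains", "in", "gt", "gte",
               "lt", "lte", "startswith", "istartswith", "regex", "iregex",
               "isnull"}

# Constructed schema: model -> {field: related model, or None for a plain field}.
MODELS = {
    "Article": {"title": None, "status": None, "author": "User"},
    "User": {"username": None, "password": None, "is_staff": None},
}


def split_lookup(lookup):
    """'author__is_staff__exact' -> ['author', 'is_staff'] (lookup type dropped)."""
    parts = lookup.split("__")
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        parts.pop()
    return parts


def path_exists(model, parts):
    """True if `parts` names a chain of fields starting at `model`."""
    for name in parts[:-1]:
        model = MODELS.get(model, {}).get(name)
        if model is None:
            return False  # unknown field, or a plain field cannot be traversed
    return parts[-1] in MODELS.get(model, {})


def lookup_allowed(model, lookup, whitelist):
    """Accept a lookup that names a field on `model` itself, or a relation
    path the developer explicitly whitelisted (e.g. via list_filter)."""
    parts = split_lookup(lookup)
    if not path_exists(model, parts):
        return False
    return len(parts) == 1 or "__".join(parts) in whitelist


def filter_admin_querystring(model, querystring, whitelist):
    """Split a changelist querystring into accepted and rejected lookup keys."""
    accepted, rejected = {}, []
    for key, value in parse_qsl(querystring):
        if lookup_allowed(model, key, whitelist):
            accepted[key] = value
        else:
            rejected.append(key)
    return accepted, rejected
```

Rejected keys are the ones a deployment should log, since a stream of them from one admin account is the signal that someone is probing the changelist filters.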

To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.

One new feature
===============

Ordinarily, a point release would not include new features, but in the
case of Django 1.2.4, we have made an exception to this rule.

One of the bugs fixed in Django 1.2.4 involves a set of
circumstances whereby running a test suite on a multiple database
configuration could cause the original source database (i.e., the
actual production database) to be dropped, causing catastrophic loss
of data. In order to provide a fix for this problem, it was necessary
to introduce a new setting -- :setting:`TEST_DEPENDENCIES` -- that
allows you to define any creation order dependencies in your database
configuration.

Most users -- even users with multiple-database configurations -- need
not be concerned about the data loss bug, or the manual configuration of
:setting:`TEST_DEPENDENCIES`. See the `original problem report`_ or the
documentation on :ref:`controlling the creation order of test
databases <topics-testing-creation-dependencies>` for details.

.. _original problem report: http://code.djangoproject.com/ticket/14415

GeoDjango
=========

The function-based :setting:`TEST_RUNNER` previously used to execute
the GeoDjango test suite, :func:`django.contrib.gis.tests.run_gis_tests`,
was finally deprecated in favor of a class-based test runner,
:class:`django.contrib.gis.tests.GeoDjangoTestSuiteRunner`, added in this
release.

In addition, the GeoDjango test suite is now included when
:ref:`running the Django test suite <running-unit-tests>` with ``runtests.py``
and using :ref:`spatial database backends <spatial-backends>`.