February 1, 2016
Django 1.9.2 fixes a security regression in 1.9 and several bugs in 1.9.1. It also makes a small backwards incompatible change that hopefully doesn't affect any users.
Security issue: User with "change" but not "add" permission can create objects for ModelAdmin
’s with save_as=True
If a ModelAdmin
uses save_as=True
(not the default), the admin
provides an option when editing objects to "Save as new". A regression in
Django 1.9 prevented that form submission from raising a "Permission Denied"
error for users without the "add" permission.
Backwards incompatible change: .py-tpl
files rewritten in project/app templates
The addition of some Django template language syntax to the default app
template in Django 1.9 means those files now have some invalid Python syntax.
This causes difficulties for packaging systems that unconditionally
byte-compile *.py
files.
To remedy this, a .py-tpl
suffix is now used for the project and app
template files included in Django. The .py-tpl
suffix is replaced with
.py
by the startproject
and startapp
commands. For example, a
template with the filename manage.py-tpl
will be created as manage.py
.
Please file a ticket if you have a custom project template containing
.py-tpl
files and find this behavior problematic.
漏洞修复
- Fixed a regression in
ConditionalGetMiddleware
causingIf-None-Match
checks to always return HTTP 200 (#26024). - Fixed a regression that caused the "user-tools" items to display on the admin's logout page (#26035).
- Fixed a crash in the translations system when the current language has no translations (#26046).
- Fixed a regression that caused the incorrect day to be selected when opening the admin calendar widget for timezones from GMT+0100 to GMT+1200 (#24980).
- Fixed a regression in the admin's edit related model popup that caused an escaped value to be displayed in the select dropdown of the parent window (#25997).
- Fixed a regression in 1.8.8 causing incorrect index handling in migrations on
PostgreSQL when adding
db_index=True
orunique=True
to aCharField
orTextField
that already had the other specified, or when removing one of them from a field that had both, or when addingunique=True
to a field already listed inunique_together
(#26034). - Fixed a regression where defining a relation on an abstract model's field using a string model name without an app_label no longer resolved that reference to the abstract model's app if using that model in another application (#25858).
- Fixed a crash when destroying an existing test database on MySQL or PostgreSQL (#26096).
- Fixed CSRF cookie check on POST requests when
USE_X_FORWARDED_PORT=True
(#26094). - Fixed a
QuerySet.order_by()
crash when ordering by a relational field of aManyToManyField
through
model (#26092). - Fixed a regression that caused an exception when making database queries on
SQLite with more than 2000 parameters when
DEBUG
isTrue
on distributions that increase theSQLITE_MAX_VARIABLE_NUMBER
compile-time limit to over 2000, such as Debian (#26063). - Fixed a crash when using a reverse
OneToOneField
inModelAdmin.readonly_fields
(#26060). - Fixed a crash when calling the
migrate
command in a test case with theavailable_apps
attribute pointing to an application with migrations disabled using theMIGRATION_MODULES
setting (#26135). - Restored the ability for testing and debugging tools to determine the
template from which a node came from, even during template inheritance or
inclusion. Prior to Django 1.9, debugging tools could access the template
origin from the node via
Node.token.source[0]
. This was an undocumented, private API. The origin is now available directly on each node using theNode.origin
attribute (#25848). - Fixed a regression in Django 1.8.5 that broke copying a
SimpleLazyObject
withcopy.copy()
(#26122). - Always included
geometry_field
in the GeoJSON serializer output regardless of thefields
parameter (#26138). - Fixed the
contrib.gis
map widgets when usingUSE_THOUSAND_SEPARATOR=True
(#20415). - Made invalid forms display the initial of values of their disabled fields (#26129).
讨论区