Ticket #17460: hidden_settings4.patch

File hidden_settings4.patch, 50.7 KB (added by chomik, 13 years ago)

patch with improved documentation and release notes for 1.4-beta-1

  • django/views/debug.py

    diff --git a/django/views/debug.py b/django/views/debug.py
    index 61817bb..b549959 100644
    a b from django.utils.html import escape  
    1414from django.utils.importlib import import_module
    1515from django.utils.encoding import smart_unicode, smart_str
    1616
    17 HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE')
     17HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE')
    1818
    1919CLEANSED_SUBSTITUTE = u'********************'
    2020
  • docs/ref/settings.txt

    diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
    index d8260b0..09daade 100644
    a b A boolean that turns on/off debug mode.  
    758758
    759759If you define custom settings, `django/views/debug.py`_ has a ``HIDDEN_SETTINGS``
    760760regular expression which will hide from the DEBUG view anything that contains
    761 ``'SECRET'``, ``'PASSWORD'``, ``'PROFANITIES'``, or ``'SIGNATURE'``. This allows
    762 untrusted users to be able to give backtraces without seeing sensitive (or
    763 offensive) settings.
     761``'API'``, ``'TOKEN'``, ``'KEY'``, ``'SECRET'``, ``'PASS'``,
     762``'PROFANITIES_LIST'``, or ``'SIGNATURE'``.
     763This allows untrusted users to be able to give backtraces without seeing
     764sensitive (or offensive) settings.
     765
     766.. versionchanged:: 1.4-beta-1
     767
     768    ``'PASSWORD'`` changed to ``'PASS'``. ``'API'``, ``'TOKEN'``, ``'KEY'`` added.
     769
     770Note that due to how regular expression matching works ``'PASS'`` will also
     771match PASSWORD, just as ``'TOKEN'`` will also match TOKENIZED and so on.
    764772
    765773Still, note that there are always going to be sections of your debug output that
    766774are inappropriate for public consumption. File paths, configuration options, and
  • new file docs/releases/1.4-beta-1.txt

    diff --git a/docs/releases/1.4-beta-1.txt b/docs/releases/1.4-beta-1.txt
    new file mode 100644
    index 0000000..6033fb5
    - +  
     1==============================
     2Django 1.4 beta release notes
     3==============================
     4
     5December 22, 2011.
     6
     7Welcome to Django 1.4 beta!
     8
     9This is the first in a series of preview/development releases leading up to
     10the eventual release of Django 1.4, scheduled for March 2012. This release is
     11primarily targeted at developers who are interested in trying out new features
     12and testing the Django codebase to help identify and resolve bugs prior to the
     13final 1.4 release.
     14
     15As such, this release is *not* intended for production use, and any such use
     16is discouraged.
     17
     18Django 1.4 beta includes various `new features`_ and some minor `backwards
     19incompatible changes`_. There are also some features that have been dropped,
     20which are detailed in :doc:`our deprecation plan </internals/deprecation>`,
     21and we've `begun the deprecation process for some features`_.
     22
     23.. _new features: `What's new in Django 1.4`_
     24.. _backwards incompatible changes: `Backwards incompatible changes in 1.4`_
     25.. _begun the deprecation process for some features: `Features deprecated in 1.4`_
     26
     27Python compatibility
     28====================
     29
     30While not a new feature, it's important to note that Django 1.4 introduces the
     31second shift in our Python compatibility policy since Django's initial public
     32debut. Django 1.2 dropped support for Python 2.3; now Django 1.4 drops support
     33for Python 2.4. As such, the minimum Python version required for Django is now
     342.5, and Django is tested and supported on Python 2.5, 2.6 and 2.7.
     35
     36This change should affect only a small number of Django users, as most
     37operating-system vendors today are shipping Python 2.5 or newer as their default
     38version. If you're still using Python 2.4, however, you'll need to stick to
     39Django 1.3 until you can upgrade; per :doc:`our support policy
     40</internals/release-process>`, Django 1.3 will continue to receive security
     41support until the release of Django 1.5.
     42
     43Django does not support Python 3.x at this time. A document outlining our full
     44timeline for deprecating Python 2.x and moving to Python 3.x will be published
     45before the release of Django 1.4.
     46
     47What's new in Django 1.4
     48========================
     49
     50New phrases added to ``HIDDEN_SETTINGS`` regex
     51~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     52
     53``'API'``, ``'TOKEN'``, ``'KEY'`` were added ``'PASSWORD'`` was changed to ``'PASS'``.
     54
     55Support for in-browser testing frameworks
     56~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     57
     58Django 1.4 now supports integration with in-browser testing frameworks such
     59as Selenium_ or Windmill_ thanks to the :class:`django.test.LiveServerTestCase`
     60base class, allowing you to test the interactions between your site's front and
     61back ends more comprehensively. See the
     62:class:`documentation<django.test.LiveServerTestCase>` for more details and
     63concrete examples.
     64
     65.. _Windmill: http://www.getwindmill.com/
     66.. _Selenium: http://seleniumhq.org/
     67
     68``SELECT FOR UPDATE`` support
     69~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     70
     71Django 1.4 now includes a :meth:`QuerySet.select_for_update()
     72<django.db.models.query.QuerySet.select_for_update>` method which generates a
     73``SELECT ... FOR UPDATE`` SQL query. This will lock rows until the end of the
     74transaction, meaning that other transactions cannot modify or delete rows
     75matched by a ``FOR UPDATE`` query.
     76
     77For more details, see the documentation for
     78:meth:`~django.db.models.query.QuerySet.select_for_update`.
     79
     80``Model.objects.bulk_create`` in the ORM
     81~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     82
     83This method allows for more efficient creation of multiple objects in the ORM.
     84It can provide significant performance increases if you have many objects.
     85Django makes use of this internally, meaning some operations (such as database
     86setup for test suites) have seen a performance benefit as a result.
     87
     88See the :meth:`~django.db.models.query.QuerySet.bulk_create` docs for more
     89information.
     90
     91``QuerySet.prefetch_related``
     92~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     93
     94Similar to :meth:`~django.db.models.query.QuerySet.select_related` but with a
     95different strategy and broader scope,
     96:meth:`~django.db.models.query.QuerySet.prefetch_related` has been added to
     97:class:`~django.db.models.query.QuerySet`. This method returns a new
     98``QuerySet`` that will prefetch each of the specified related lookups in a
     99single batch as soon as the query begins to be evaluated. Unlike
     100``select_related``, it does the joins in Python, not in the database, and
     101supports many-to-many relationships,
     102:class:`~django.contrib.contenttypes.generic.GenericForeignKey` and more. This
     103allows you to fix a very common performance problem in which your code ends up
     104doing O(n) database queries (or worse) if objects on your primary ``QuerySet``
     105each have many related objects that you also need.
     106
     107Improved password hashing
     108~~~~~~~~~~~~~~~~~~~~~~~~~
     109
     110Django's auth system (``django.contrib.auth``) stores passwords using a one-way
     111algorithm. Django 1.3 uses the SHA1_ algorithm, but increasing processor speeds
     112and theoretical attacks have revealed that SHA1 isn't as secure as we'd like.
     113Thus, Django 1.4 introduces a new password storage system: by default Django now
     114uses the PBKDF2_ algorithm (as recommended by NIST_). You can also easily choose
     115a different algorithm (including the popular bcrypt_ algorithm). For more
     116details, see :ref:`auth_password_storage`.
     117
     118.. _sha1: http://en.wikipedia.org/wiki/SHA1
     119.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2
     120.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
     121.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt
     122
     123
     124HTML5 Doctype
     125~~~~~~~~~~~~~
     126
     127We've switched the admin and other bundled templates to use the HTML5
     128doctype. While Django will be careful to maintain compatibility with older
     129browsers, this change means that you can use any HTML5 features you need in
     130admin pages without having to lose HTML validity or override the provided
     131templates to change the doctype.
     132
     133List filters in admin interface
     134~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     135
     136Prior to Django 1.4, the :mod:`~django.contrib.admin` app allowed you to specify
     137change list filters by specifying a field lookup, but didn't allow you to create
     138custom filters. This has been rectified with a simple API (previously used
     139internally and known as "FilterSpec"). For more details, see the documentation
     140for :attr:`~django.contrib.admin.ModelAdmin.list_filter`.
     141
     142Multiple sort in admin interface
     143~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     144
     145The admin change list now supports sorting on multiple columns. It respects all
     146elements of the :attr:`~django.contrib.admin.ModelAdmin.ordering` attribute, and
     147sorting on multiple columns by clicking on headers is designed to mimic the
     148behavior of desktop GUIs. The
     149:meth:`~django.contrib.admin.ModelAdmin.get_ordering` method for specifying the
     150ordering dynamically (e.g. depending on the request) has also been added.
     151
     152New ``ModelAdmin`` methods
     153~~~~~~~~~~~~~~~~~~~~~~~~~~
     154
     155A new :meth:`~django.contrib.admin.ModelAdmin.save_related` method was added to
     156:mod:`~django.contrib.admin.ModelAdmin` to ease customization of how
     157related objects are saved in the admin.
     158
     159Two other new methods,
     160:meth:`~django.contrib.admin.ModelAdmin.get_list_display` and
     161:meth:`~django.contrib.admin.ModelAdmin.get_list_display_links`
     162were added to :class:`~django.contrib.admin.ModelAdmin` to enable the dynamic
     163customization of fields and links displayed on the admin change list.
     164
     165Admin inlines respect user permissions
     166~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     167
     168Admin inlines will now only allow those actions for which the user has
     169permission. For ``ManyToMany`` relationships with an auto-created intermediate
     170model (which does not have its own permissions), the change permission for the
     171related model determines if the user has the permission to add, change or
     172delete relationships.
     173
     174Tools for cryptographic signing
     175~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     176
     177Django 1.4 adds both a low-level API for signing values and a high-level API
     178for setting and reading signed cookies, one of the most common uses of
     179signing in Web applications.
     180
     181See the :doc:`cryptographic signing </topics/signing>` docs for more
     182information.
     183
     184Cookie-based session backend
     185~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     186
     187Django 1.4 introduces a new cookie-based backend for the session framework
     188which uses the tools for :doc:`cryptographic signing </topics/signing>` to
     189store the session data in the client's browser.
     190
     191See the :ref:`cookie-based session backend <cookie-session-backend>` docs for
     192more information.
     193
     194New form wizard
     195~~~~~~~~~~~~~~~
     196
     197The previous ``FormWizard`` from the formtools contrib app has been
     198replaced with a new implementation based on the class-based views
     199introduced in Django 1.3. It features a pluggable storage API and doesn't
     200require the wizard to pass around hidden fields for every previous step.
     201
     202Django 1.4 ships with a session-based storage backend and a cookie-based
     203storage backend. The latter uses the tools for
     204:doc:`cryptographic signing </topics/signing>` also introduced in
     205Django 1.4 to store the wizard's state in the user's cookies.
     206
     207See the :doc:`form wizard </ref/contrib/formtools/form-wizard>` docs for
     208more information.
     209
     210``reverse_lazy``
     211~~~~~~~~~~~~~~~~
     212
     213A lazily evaluated version of :func:`django.core.urlresolvers.reverse` was
     214added to allow using URL reversals before the project's URLConf gets loaded.
     215
     216Translating URL patterns
     217~~~~~~~~~~~~~~~~~~~~~~~~
     218
     219Django 1.4 gained the ability to look for a language prefix in the URL pattern
     220when using the new :func:`~django.conf.urls.i18n.i18n_patterns` helper function.
     221Additionally, it's now possible to define translatable URL patterns using
     222:func:`~django.utils.translation.ugettext_lazy`. See
     223:ref:`url-internationalization` for more information about the language prefix
     224and how to internationalize URL patterns.
     225
     226Contextual translation support for ``{% trans %}`` and ``{% blocktrans %}``
     227~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     228
     229The :ref:`contextual translation<contextual-markers>` support introduced in
     230Django 1.3 via the ``pgettext`` function has been extended to the
     231:ttag:`trans` and :ttag:`blocktrans` template tags using the new ``context``
     232keyword.
     233
     234Customizable ``SingleObjectMixin`` URLConf kwargs
     235~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     236
     237Two new attributes,
     238:attr:`pk_url_kwarg<django.views.generic.detail.SingleObjectMixin.pk_url_kwarg>`
     239and
     240:attr:`slug_url_kwarg<django.views.generic.detail.SingleObjectMixin.slug_url_kwarg>`,
     241have been added to :class:`~django.views.generic.detail.SingleObjectMixin` to
     242enable the customization of URLConf keyword arguments used for single
     243object generic views.
     244
     245Assignment template tags
     246~~~~~~~~~~~~~~~~~~~~~~~~
     247
     248A new :ref:`assignment_tag<howto-custom-template-tags-assignment-tags>` helper
     249function was added to ``template.Library`` to ease the creation of template
     250tags that store data in a specified context variable.
     251
     252``*args`` and ``**kwargs`` support for template tag helper functions
     253~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     254
     255The :ref:`simple_tag<howto-custom-template-tags-simple-tags>`,
     256:ref:`inclusion_tag <howto-custom-template-tags-inclusion-tags>` and
     257newly introduced
     258:ref:`assignment_tag<howto-custom-template-tags-assignment-tags>` template
     259helper functions may now accept any number of positional or keyword arguments.
     260For example:
     261
     262.. code-block:: python
     263
     264    @register.simple_tag
     265    def my_tag(a, b, *args, **kwargs):
     266        warning = kwargs['warning']
     267        profile = kwargs['profile']
     268        ...
     269        return ...
     270
     271Then in the template any number of arguments may be passed to the template tag.
     272For example:
     273
     274.. code-block:: html+django
     275
     276    {% my_tag 123 "abcd" book.title warning=message|lower profile=user.profile %}
     277
     278No wrapping of exceptions in ``TEMPLATE_DEBUG`` mode
     279~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     280
     281In previous versions of Django, whenever the :setting:`TEMPLATE_DEBUG` setting
     282was ``True``, any exception raised during template rendering (even exceptions
     283unrelated to template syntax) were wrapped in ``TemplateSyntaxError`` and
     284re-raised. This was done in order to provide detailed template source location
     285information in the debug 500 page.
     286
     287In Django 1.4, exceptions are no longer wrapped. Instead, the original
     288exception is annotated with the source information. This means that catching
     289exceptions from template rendering is now consistent regardless of the value of
     290:setting:`TEMPLATE_DEBUG`, and there's no need to catch and unwrap
     291``TemplateSyntaxError`` in order to catch other errors.
     292
     293``truncatechars`` template filter
     294~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     295
     296Added a filter which truncates a string to be no longer than the specified
     297number of characters. Truncated strings end with a translatable ellipsis
     298sequence ("..."). See the documentation for :tfilter:`truncatechars` for
     299more details.
     300
     301``static`` template tag
     302~~~~~~~~~~~~~~~~~~~~~~~
     303
     304The :mod:`staticfiles<django.contrib.staticfiles>` contrib app has a new
     305:ttag:`static<staticfiles-static>` template tag to refer to files saved with
     306the :setting:`STATICFILES_STORAGE` storage backend. It uses the storage
     307backend's ``url`` method and therefore supports advanced features such as
     308:ref:`serving files from a cloud service<staticfiles-from-cdn>`.
     309
     310``CachedStaticFilesStorage`` storage backend
     311~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     312
     313In addition to the `static template tag`_, the
     314:mod:`staticfiles<django.contrib.staticfiles>` contrib app now has a
     315:class:`~django.contrib.staticfiles.storage.CachedStaticFilesStorage` backend
     316which caches the files it saves (when running the :djadmin:`collectstatic`
     317management command) by appending the MD5 hash of the file's content to the
     318filename. For example, the file ``css/styles.css`` would also be saved as
     319``css/styles.55e7cbb9ba48.css``
     320
     321See the :class:`~django.contrib.staticfiles.storage.CachedStaticFilesStorage`
     322docs for more information.
     323
     324Simple clickjacking protection
     325~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     326
     327We've added a middleware to provide easy protection against `clickjacking
     328<http://en.wikipedia.org/wiki/Clickjacking>`_ using the ``X-Frame-Options``
     329header. It's not enabled by default for backwards compatibility reasons, but
     330you'll almost certainly want to :doc:`enable it </ref/clickjacking/>` to help
     331plug that security hole for browsers that support the header.
     332
     333CSRF improvements
     334~~~~~~~~~~~~~~~~~
     335
     336We've made various improvements to our CSRF features, including the
     337:func:`~django.views.decorators.csrf.ensure_csrf_cookie` decorator which can
     338help with AJAX heavy sites, protection for PUT and DELETE requests, and the
     339:setting:`CSRF_COOKIE_SECURE` and :setting:`CSRF_COOKIE_PATH` settings which can
     340improve the security and usefulness of the CSRF protection. See the :doc:`CSRF
     341docs </ref/contrib/csrf>` for more information.
     342
     343Error report filtering
     344~~~~~~~~~~~~~~~~~~~~~~
     345
     346Two new function decorators, :func:`sensitive_variables` and
     347:func:`sensitive_post_parameters`, were added to allow designating the
     348local variables and POST parameters which may contain sensitive
     349information and should be filtered out of error reports.
     350
     351All POST parameters are now systematically filtered out of error reports for
     352certain views (``login``, ``password_reset_confirm``, ``password_change``, and
     353``add_view`` in :mod:`django.contrib.auth.views`, as well as
     354``user_change_password`` in the admin app) to prevent the leaking of sensitive
     355information such as user passwords.
     356
     357You may override or customize the default filtering by writing a :ref:`custom
     358filter<custom-error-reports>`. For more information see the docs on
     359:ref:`Filtering error reports<filtering-error-reports>`.
     360
     361Extended IPv6 support
     362~~~~~~~~~~~~~~~~~~~~~
     363
     364The previously added support for IPv6 addresses when using the runserver
     365management command in Django 1.3 has now been further extended by adding
     366a :class:`~django.db.models.fields.GenericIPAddressField` model field,
     367a :class:`~django.forms.fields.GenericIPAddressField` form field and
     368the validators :data:`~django.core.validators.validate_ipv46_address` and
     369:data:`~django.core.validators.validate_ipv6_address`
     370
     371Updated default project layout and ``manage.py``
     372~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     373
     374Django 1.4 ships with an updated default project layout and ``manage.py`` file
     375for the :djadmin:`startproject` management command. These fix some issues with
     376the previous ``manage.py`` handling of Python import paths that caused double
     377imports, trouble moving from development to deployment, and other
     378difficult-to-debug path issues.
     379
     380The previous ``manage.py`` called functions that are now deprecated, and thus
     381projects upgrading to Django 1.4 should update their ``manage.py``. (The
     382old-style ``manage.py`` will continue to work as before until Django 1.6; in
     3831.5 it will raise ``DeprecationWarning``).
     384
     385The new recommended ``manage.py`` file should look like this::
     386
     387    #!/usr/bin/env python
     388    import os, sys
     389
     390    if __name__ == "__main__":
     391        os.environ.setdefault("DJANGO_SETTINGS_MODULE", "{{ project_name }}.settings")
     392
     393        from django.core.management import execute_from_command_line
     394
     395        execute_from_command_line(sys.argv)
     396
     397``{{ project_name }}`` should be replaced with the Python package name of the
     398actual project.
     399
     400If settings, URLconfs, and apps within the project are imported or referenced
     401using the project name prefix (e.g. ``myproject.settings``, ``ROOT_URLCONF =
     402"myproject.urls"``, etc), the new ``manage.py`` will need to be moved one
     403directory up, so it is outside the project package rather than adjacent to
     404``settings.py`` and ``urls.py``.
     405
     406For instance, with the following layout::
     407
     408    manage.py
     409    mysite/
     410        __init__.py
     411        settings.py
     412        urls.py
     413        myapp/
     414            __init__.py
     415            models.py
     416
     417You could import ``mysite.settings``, ``mysite.urls``, and ``mysite.myapp``,
     418but not ``settings``, ``urls``, or ``myapp`` as top-level modules.
     419
     420Anything imported as a top-level module can be placed adjacent to the new
     421``manage.py``. For instance, to decouple "myapp" from the project module and
     422import it as just ``myapp``, place it outside the ``mysite/`` directory::
     423
     424    manage.py
     425    myapp/
     426        __init__.py
     427        models.py
     428    mysite/
     429        __init__.py
     430        settings.py
     431        urls.py
     432
     433If the same code is imported inconsistently (some places with the project
     434prefix, some places without it), the imports will need to be cleaned up when
     435switching to the new ``manage.py``.
     436
     437Improved WSGI support
     438~~~~~~~~~~~~~~~~~~~~~
     439
     440The :djadmin:`startproject` management command now adds a :file:`wsgi.py`
     441module to the initial project layout, containing a simple WSGI application that
     442can be used for :doc:`deploying with WSGI app
     443servers</howto/deployment/wsgi/index>`.
     444
     445The :djadmin:`built-in development server<runserver>` now supports using an
     446externally-defined WSGI callable, so as to make it possible to run runserver
     447with the same WSGI configuration that is used for deployment. A new
     448:setting:`WSGI_APPLICATION` setting is available to configure which WSGI
     449callable :djadmin:`runserver` uses.
     450
     451(The :djadmin:`runfcgi` management command also internally wraps the WSGI
     452callable configured via :setting:`WSGI_APPLICATION`.)
     453
     454Custom project and app templates
     455~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     456
     457The :djadmin:`startapp` and :djadmin:`startproject` management commands
     458got a ``--template`` option for specifying a path or URL to a custom app or
     459project template.
     460
     461For example, Django will use the ``/path/to/my_project_template`` directory
     462when running the following command::
     463
     464    django-admin.py startproject --template=/path/to/my_project_template myproject
     465
     466You can also now provide a destination directory as the second
     467argument to both :djadmin:`startapp` and :djadmin:`startproject`::
     468
     469    django-admin.py startapp myapp /path/to/new/app
     470    django-admin.py startproject myproject /path/to/new/project
     471
     472For more information, see the :djadmin:`startapp` and :djadmin:`startproject`
     473documentation.
     474
     475Support for time zones
     476~~~~~~~~~~~~~~~~~~~~~~
     477
     478Django 1.4 adds :ref:`support for time zones <time-zones>`. When it's enabled,
     479Django stores date and time information in UTC in the database, uses time
     480zone-aware datetime objects internally, and translates them to the end user's
     481time zone in templates and forms.
     482
     483Reasons for using this feature include:
     484
     485- Customizing date and time display for users around the world.
     486- Storing datetimes in UTC for database portability and interoperability.
     487  (This argument doesn't apply to PostgreSQL, because it already stores
     488  timestamps with time zone information in Django 1.3.)
     489- Avoiding data corruption problems around DST transitions.
     490
     491Time zone support is enabled by default in new projects created with
     492:djadmin:`startproject`. If you want to use this feature in an existing
     493project, there is a :ref:`migration guide <time-zones-migration-guide>`.
     494
     495Minor features
     496~~~~~~~~~~~~~~
     497
     498Django 1.4 also includes several smaller improvements worth noting:
     499
     500* A more usable stacktrace in the technical 500 page: frames in the
     501  stack trace which reference Django's code are dimmed out, while
     502  frames in user code are slightly emphasized. This change makes it
     503  easier to scan a stacktrace for issues in user code.
     504
     505* :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
     506
     507* Customizable names for :meth:`~django.template.Library.simple_tag`.
     508
     509* In the documentation, a helpful :doc:`security overview </topics/security>`
     510  page.
     511
     512* The :func:`django.contrib.auth.models.check_password` function has been moved
     513  to the :mod:`django.contrib.auth.utils` module. Importing it from the old
     514  location will still work, but you should update your imports.
     515
     516* The :djadmin:`collectstatic` management command gained a ``--clear`` option
     517  to delete all files at the destination before copying or linking the static
     518  files.
     519
     520* It is now possible to load fixtures containing forward references when using
     521  MySQL with the InnoDB database engine.
     522
     523* A new 403 response handler has been added as
     524  ``'django.views.defaults.permission_denied'``. You can set your own handler by
     525  setting the value of :data:`django.conf.urls.handler403`. See the
     526  documentation about :ref:`the 403 (HTTP Forbidden) view<http_forbidden_view>`
     527  for more information.
     528
     529* The :ttag:`trans` template tag now takes an optional ``as`` argument to
     530  be able to retrieve a translation string without displaying it but setting
     531  a template context variable instead.
     532
     533* The :ttag:`if` template tag now supports ``{% elif %}`` clauses.
     534
     535* A new plain text version of the HTTP 500 status code internal error page
     536  served when :setting:`DEBUG` is ``True`` is now sent to the client when
     537  Django detects that the request has originated in JavaScript code
     538  (:meth:`~django.http.HttpRequest.is_ajax` is used for this).
     539
     540  Similarly to its HTML counterpart, it contains a collection of different
     541  pieces of information about the state of the web application.
     542
     543  This should make it easier to read when debugging interaction with
     544  client-side Javascript code.
     545
     546* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
     547  command.
     548
     549* Changed the ``locmem`` cache backend to use
     550  ``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other
     551  cache backends.
     552
     553* Added support in the ORM for generating ``SELECT`` queries containing
     554  ``DISTINCT ON``.
     555
     556  The ``distinct()`` ``QuerySet`` method now accepts an optional list of model
     557  field names. If specified, then the ``DISTINCT`` statement is limited to these
     558  fields. This is only supported in PostgreSQL.
     559
     560  For more details, see the documentation for
     561  :meth:`~django.db.models.query.QuerySet.distinct`.
     562
     563Backwards incompatible changes in 1.4
     564=====================================
     565
     566django.contrib.admin
     567~~~~~~~~~~~~~~~~~~~~
     568
     569The included administration app ``django.contrib.admin`` has for a long time
     570shipped with a default set of static files such as JavaScript, images and
     571stylesheets. Django 1.3 added a new contrib app ``django.contrib.staticfiles``
     572to handle such files in a generic way and defined conventions for static
     573files included in apps.
     574
     575Starting in Django 1.4 the admin's static files also follow this
     576convention to make it easier to deploy the included files. In previous
     577versions of Django, it was also common to define an ``ADMIN_MEDIA_PREFIX``
     578setting to point to the URL where the admin's static files are served by a
     579web server. This setting has now been deprecated and replaced by the more
     580general setting :setting:`STATIC_URL`. Django will now expect to find the
     581admin static files under the URL ``<STATIC_URL>/admin/``.
     582
     583If you've previously used a URL path for ``ADMIN_MEDIA_PREFIX`` (e.g.
     584``/media/``) simply make sure :setting:`STATIC_URL` and :setting:`STATIC_ROOT`
     585are configured and your web server serves the files correctly. The development
     586server continues to serve the admin files just like before. Don't hesitate to
     587consult the :doc:`static files howto </howto/static-files>` for further
     588details.
     589
     590In case your ``ADMIN_MEDIA_PREFIX`` is set to an specific domain (e.g.
     591``http://media.example.com/admin/``) make sure to also set your
     592:setting:`STATIC_URL` setting to the correct URL, for example
     593``http://media.example.com/``.
     594
     595.. warning::
     596
     597    If you're implicitely relying on the path of the admin static files on
     598    your server's file system when you deploy your site, you have to update
     599    that path. The files were moved from :file:`django/contrib/admin/media/`
     600    to :file:`django/contrib/admin/static/admin/`.
     601
     602Supported browsers for the admin
     603~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     604
     605Django hasn't had a clear policy on which browsers are supported for using the
     606admin app. Django's new policy formalizes existing practices: `YUI's A-grade`_
     607browsers should provide a fully-functional admin experience, with the notable
     608exception of IE6, which is no longer supported.
     609
     610Released over ten years ago, IE6 imposes many limitations on modern web
     611development. The practical implications of this policy are that contributors
     612are free to improve the admin without consideration for these limitations.
     613
     614This new policy **has no impact** on development outside of the admin. Users of
     615Django are free to develop webapps compatible with any range of browsers.
     616
     617.. _YUI's A-grade: http://yuilibrary.com/yui/docs/tutorials/gbs/
     618
     619Removed admin icons
     620~~~~~~~~~~~~~~~~~~~
     621
     622As part of an effort to improve the performance and usability of the admin's
     623changelist sorting interface and of the admin's :attr:`horizontal
     624<django.contrib.admin.ModelAdmin.filter_horizontal>` and :attr:`vertical
     625<django.contrib.admin.ModelAdmin.filter_vertical>` "filter" widgets, some icon
     626files were removed and grouped into two sprite files.
     627
     628Specifically: ``selector-add.gif``, ``selector-addall.gif``,
     629``selector-remove.gif``, ``selector-removeall.gif``,
     630``selector_stacked-add.gif`` and ``selector_stacked-remove.gif`` were
     631combined into ``selector-icons.gif``; and ``arrow-up.gif`` and
     632``arrow-down.gif`` were combined into ``sorting-icons.gif``.
     633
     634If you used those icons to customize the admin then you will want to replace
     635them with your own icons or retrieve them from a previous release.
     636
     637CSS class names in admin forms
     638~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     639
     640To avoid conflicts with other common CSS class names (e.g. "button"), a prefix
     641"field-" has been added to all CSS class names automatically generated from the
     642form field names in the main admin forms, stacked inline forms and tabular
     643inline cells. You will need to take that prefix into account in your custom
     644style sheets or javascript files if you previously used plain field names as
     645selectors for custom styles or javascript transformations.
     646
     647Compatibility with old signed data
     648~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     649
     650Django 1.3 changed the cryptographic signing mechanisms used in a number of
     651places in Django. While Django 1.3 kept fallbacks that would accept hashes
     652produced by the previous methods, these fallbacks are removed in Django 1.4.
     653
     654So, if you upgrade to Django 1.4 directly from 1.2 or earlier, you may
     655lose/invalidate certain pieces of data that have been cryptographically signed
     656using an old method. To avoid this, use Django 1.3 first for a period of time
     657to allow the signed data to expire naturally. The affected parts are detailed
     658below, with 1) the consequences of ignoring this advice and 2) the amount of
     659time you need to run Django 1.3 for the data to expire or become irrelevant.
     660
     661* ``contrib.sessions`` data integrity check
     662
     663  * consequences: the user will be logged out, and session data will be lost.
     664
     665  * time period: defined by :setting:`SESSION_COOKIE_AGE`.
     666
     667* ``contrib.auth`` password reset hash
     668
     669  * consequences: password reset links from before the upgrade will not work.
     670
     671  * time period: defined by :setting:`PASSWORD_RESET_TIMEOUT_DAYS`.
     672
     673Form-related hashes — these are much shorter lifetime, and are relevant only for
     674the short window where a user might fill in a form generated by the pre-upgrade
     675Django instance, and try to submit it to the upgraded Django instance:
     676
     677* ``contrib.comments`` form security hash
     678
     679  * consequences: the user will see a validation error "Security hash failed".
     680
     681  * time period: the amount of time you expect users to take filling out comment
     682    forms.
     683
     684* ``FormWizard`` security hash
     685
     686  * consequences: the user will see an error about the form having expired,
     687    and will be sent back to the first page of the wizard, losing the data
     688    they have entered so far.
     689
     690  * time period: the amount of time you expect users to take filling out the
     691    affected forms.
     692
     693* CSRF check
     694
     695  * Note: This is actually a Django 1.1 fallback, not Django 1.2,
     696    and applies only if you are upgrading from 1.1.
     697
     698  * consequences: the user will see a 403 error with any CSRF protected POST
     699    form.
     700
     701  * time period: the amount of time you expect user to take filling out
     702    such forms.
     703
     704django.contrib.flatpages
     705~~~~~~~~~~~~~~~~~~~~~~~~
     706
     707Starting in the 1.4 release the
     708:class:`~django.contrib.flatpages.middleware.FlatpageFallbackMiddleware` only
     709adds a trailing slash and redirects if the resulting URL refers to an existing
     710flatpage. For example, requesting ``/notaflatpageoravalidurl`` in a previous
     711version would redirect to ``/notaflatpageoravalidurl/``, which would
     712subsequently raise a 404. Requesting ``/notaflatpageoravalidurl`` now will
     713immediately raise a 404. Additionally redirects returned by flatpages are now
     714permanent (301 status code) to match the behavior of the
     715:class:`~django.middleware.common.CommonMiddleware`.
     716
     717Serialization of :class:`~datetime.datetime` and :class:`~datetime.time`
     718~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     719
     720As a consequence of time zone support, and according to the ECMA-262
     721specification, some changes were made to the JSON serializer:
     722
     723- It includes the time zone for aware datetime objects. It raises an exception
     724  for aware time objects.
     725- It includes milliseconds for datetime and time objects. There is still
     726  some precision loss, because Python stores microseconds (6 digits) and JSON
     727  only supports milliseconds (3 digits). However, it's better than discarding
     728  microseconds entirely.
     729
     730The XML serializer was also changed to use the ISO8601 format for datetimes.
     731The letter ``T`` is used to separate the date part from the time part, instead
     732of a space. Time zone information is included in the ``[+-]HH:MM`` format.
     733
     734The serializers will dump datetimes in fixtures with these new formats. They
     735can still load fixtures that use the old format.
     736
     737``supports_timezone`` changed to ``False`` for SQLite
     738~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     739
     740The database feature ``supports_timezone`` used to be ``True`` for SQLite.
     741Indeed, if you saved an aware datetime object, SQLite stored a string that
     742included an UTC offset. However, this offset was ignored when loading the value
     743back from the database, which could corrupt the data.
     744
     745In the context of time zone support, this flag was changed to ``False``, and
     746datetimes are now stored without time zone information in SQLite. When
     747:setting:`USE_TZ` is ``False``, if you attempt to save an aware datetime
     748object, Django raises an exception.
     749
     750Database connection's thread-locality
     751~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     752
     753``DatabaseWrapper`` objects (i.e. the connection objects referenced by
     754``django.db.connection`` and ``django.db.connections["some_alias"]``) used to
     755be thread-local. They are now global objects in order to be potentially shared
     756between multiple threads. While the individual connection objects are now
     757global, the ``django.db.connections`` dictionary referencing those objects is
     758still thread-local. Therefore if you just use the ORM or
     759``DatabaseWrapper.cursor()`` then the behavior is still the same as before.
     760Note, however, that ``django.db.connection`` does not directly reference the
     761default ``DatabaseWrapper`` object anymore and is now a proxy to access that
     762object's attributes. If you need to access the actual ``DatabaseWrapper``
     763object, use ``django.db.connections[DEFAULT_DB_ALIAS]`` instead.
     764
     765As part of this change, all underlying SQLite connections are now enabled for
     766potential thread-sharing (by passing the ``check_same_thread=False`` attribute
     767to pysqlite). ``DatabaseWrapper`` however preserves the previous behavior by
     768disabling thread-sharing by default, so this does not affect any existing
     769code that purely relies on the ORM or on ``DatabaseWrapper.cursor()``.
     770
     771Finally, while it is now possible to pass connections between threads, Django
     772does not make any effort to synchronize access to the underlying backend.
     773Concurrency behavior is defined by the underlying backend implementation.
     774Check their documentation for details.
     775
     776`COMMENTS_BANNED_USERS_GROUP` setting
     777~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     778
     779Django's :doc:`comments app </ref/contrib/comments/index>` has historically
     780supported excluding the comments of a special user group, but we've never
     781documented the feature properly and didn't enforce the exclusion in other parts
     782of the app such as the template tags. To fix this problem, we removed the code
     783from the feed class.
     784
     785If you rely on the feature and want to restore the old behavior, simply use
     786a custom comment model manager to exclude the user group, like this::
     787
     788    from django.conf import settings
     789    from django.contrib.comments.managers import CommentManager
     790
     791    class BanningCommentManager(CommentManager):
     792        def get_query_set(self):
     793            qs = super(BanningCommentManager, self).get_query_set()
     794            if getattr(settings, 'COMMENTS_BANNED_USERS_GROUP', None):
     795                where = ['user_id NOT IN (SELECT user_id FROM auth_user_groups WHERE group_id = %s)']
     796                params = [settings.COMMENTS_BANNED_USERS_GROUP]
     797                qs = qs.extra(where=where, params=params)
     798            return qs
     799
     800Save this model manager in your custom comment app (e.g. in
     801``my_comments_app/managers.py``) and add it your
     802:ref:`custom comment app model <custom-comment-app-api>`::
     803
     804    from django.db import models
     805    from django.contrib.comments.models import Comment
     806
     807    from my_comments_app.managers import BanningCommentManager
     808
     809    class CommentWithTitle(Comment):
     810        title = models.CharField(max_length=300)
     811
     812        objects = BanningCommentManager()
     813
     814For more details, see the documentation about
     815:doc:`customizing the comments framework </ref/contrib/comments/custom>`.
     816
     817`IGNORABLE_404_STARTS` and `IGNORABLE_404_ENDS` settings
     818~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     819
     820Until Django 1.3, it was possible to exclude some URLs from Django's
     821:doc:`404 error reporting</howto/error-reporting>` by adding prefixes to
     822:setting:`IGNORABLE_404_STARTS` and suffixes to :setting:`IGNORABLE_404_ENDS`.
     823
     824In Django 1.4, these two settings are superseded by
     825:setting:`IGNORABLE_404_URLS`, which is a list of compiled regular expressions.
     826Django won't send an email for 404 errors on URLs that match any of them.
     827
     828Furthermore, the previous settings had some rather arbitrary default values::
     829
     830    IGNORABLE_404_STARTS = ('/cgi-bin/', '/_vti_bin', '/_vti_inf')
     831    IGNORABLE_404_ENDS = ('mail.pl', 'mailform.pl', 'mail.cgi', 'mailform.cgi',
     832                          'favicon.ico', '.php')
     833
     834It's not Django's role to decide if your website has a legacy ``/cgi-bin/``
     835section or a ``favicon.ico``. As a consequence, the default values of
     836:setting:`IGNORABLE_404_URLS`, :setting:`IGNORABLE_404_STARTS` and
     837:setting:`IGNORABLE_404_ENDS` are all now empty.
     838
     839If you have customized :setting:`IGNORABLE_404_STARTS` or
     840:setting:`IGNORABLE_404_ENDS`, or if you want to keep the old default value,
     841you should add the following lines in your settings file::
     842
     843    import re
     844    IGNORABLE_404_URLS = (
     845        # for each <prefix> in IGNORABLE_404_STARTS
     846        re.compile(r'^<prefix>'),
     847        # for each <suffix> in IGNORABLE_404_ENDS
     848        re.compile(r'<suffix>$'),
     849    )
     850
     851Don't forget to escape characters that have a special meaning in a regular
     852expression.
     853
     854CSRF protection extended to PUT and DELETE
     855~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     856
     857Previously, Django's :doc:`CSRF protection </ref/contrib/csrf/>` provided
     858protection against only POST requests. Since use of PUT and DELETE methods in
     859AJAX applications is becoming more common, we now protect all methods not
     860defined as safe by :rfc:`2616` i.e. we exempt GET, HEAD, OPTIONS and TRACE, and
     861enforce protection on everything else.
     862
     863If you are using PUT or DELETE methods in AJAX applications, please see the
     864:ref:`instructions about using AJAX and CSRF <csrf-ajax>`.
     865
     866``django.core.template_loaders``
     867~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     868
     869This was an alias to ``django.template.loader`` since 2005, it has been removed
     870without emitting a warning due to the length of the deprecation. If your code
     871still referenced this please use ``django.template.loader`` instead.
     872
     873``django.db.models.fields.URLField.verify_exists``
     874~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     875
     876This functionality has been removed due to intractable performance and
     877security issues. Any existing usage of ``verify_exists`` should be
     878removed.
     879
     880``django.core.files.storage.Storage.open``
     881~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     882
     883The ``open`` method of the base Storage class took an obscure parameter
     884``mixin`` which allowed you to dynamically change the base classes of the
     885returned file object. This has been removed. In the rare case you relied on the
     886`mixin` parameter, you can easily achieve the same by overriding the `open`
     887method, e.g.::
     888
     889    from django.core.files import File
     890    from django.core.files.storage import FileSystemStorage
     891
     892    class Spam(File):
     893        """
     894        Spam, spam, spam, spam and spam.
     895        """
     896        def ham(self):
     897            return 'eggs'
     898
     899    class SpamStorage(FileSystemStorage):
     900        """
     901        A custom file storage backend.
     902        """
     903        def open(self, name, mode='rb'):
     904            return Spam(open(self.path(name), mode))
     905
     906YAML deserializer now uses ``yaml.safe_load``
     907~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     908
     909``yaml.load`` is able to construct any Python object, which may trigger
     910arbitrary code execution if you process a YAML document that comes from an
     911untrusted source. This feature isn't necessary for Django's YAML deserializer,
     912whose primary use is to load fixtures consisting of simple objects. Even though
     913fixtures are trusted data, for additional security, the YAML deserializer now
     914uses ``yaml.safe_load``.
     915
     916Features deprecated in 1.4
     917==========================
     918
     919Old styles of calling ``cache_page`` decorator
     920~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     921
     922Some legacy ways of calling :func:`~django.views.decorators.cache.cache_page`
     923have been deprecated, please see the docs for the correct way to use this
     924decorator.
     925
     926Support for PostgreSQL versions older than 8.2
     927~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     928
     929Django 1.3 dropped support for PostgreSQL versions older than 8.0 and the
     930relevant documents suggested to use a recent version because of performance
     931reasons but more importantly because end of the upstream support periods for
     932releases 8.0 and 8.1 was near (November 2010).
     933
     934Django 1.4 takes that policy further and sets 8.2 as the minimum PostgreSQL
     935version it officially supports.
     936
     937Request exceptions are now always logged
     938~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     939
     940When :doc:`logging support </topics/logging/>` was added to Django in 1.3, the
     941admin error email support was moved into the
     942:class:`django.utils.log.AdminEmailHandler`, attached to the
     943``'django.request'`` logger. In order to maintain the established behavior of
     944error emails, the ``'django.request'`` logger was called only when
     945:setting:`DEBUG` was ``False``.
     946
     947To increase the flexibility of error logging for requests, the
     948``'django.request'`` logger is now called regardless of the value of
     949:setting:`DEBUG`, and the default settings file for new projects now includes a
     950separate filter attached to :class:`django.utils.log.AdminEmailHandler` to
     951prevent admin error emails in ``DEBUG`` mode::
     952
     953   'filters': {
     954        'require_debug_false': {
     955            '()': 'django.utils.log.RequireDebugFalse'
     956        }
     957    },
     958    'handlers': {
     959        'mail_admins': {
     960            'level': 'ERROR',
     961            'filters': ['require_debug_false'],
     962            'class': 'django.utils.log.AdminEmailHandler'
     963        }
     964    },
     965
     966If your project was created prior to this change, your :setting:`LOGGING`
     967setting will not include this new filter. In order to maintain
     968backwards-compatibility, Django will detect that your ``'mail_admins'`` handler
     969configuration includes no ``'filters'`` section, and will automatically add
     970this filter for you and issue a pending-deprecation warning. This will become a
     971deprecation warning in Django 1.5, and in Django 1.6 the
     972backwards-compatibility shim will be removed entirely.
     973
     974The existence of any ``'filters'`` key under the ``'mail_admins'`` handler will
     975disable this backward-compatibility shim and deprecation warning.
     976
     977``django.conf.urls.defaults``
     978~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     979
     980Until Django 1.3 the functions :func:`~django.conf.urls.include`,
     981:func:`~django.conf.urls.patterns` and :func:`~django.conf.urls.url` plus
     982:data:`~django.conf.urls.handler404`, :data:`~django.conf.urls.handler500`
     983were located in a ``django.conf.urls.defaults`` module.
     984
     985Starting with Django 1.4 they are now available in :mod:`django.conf.urls`.
     986
     987``django.contrib.databrowse``
     988~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     989
     990Databrowse has not seen active development for some time, and this does not show
     991any sign of changing. There had been a suggestion for a `GSOC project`_ to
     992integrate the functionality of databrowse into the admin, but no progress was
     993made. While Databrowse has been deprecated, an enhancement of
     994``django.contrib.admin`` providing a similar feature set is still possible.
     995
     996.. _GSOC project: https://code.djangoproject.com/wiki/SummerOfCode2011#Integratedatabrowseintotheadmin
     997
     998The code that powers Databrowse is licensed under the same terms as Django
     999itself, and so is available to be adopted by an individual or group as
     1000a third-party project.
     1001
     1002``django.core.management.setup_environ``
     1003~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1004
     1005This function temporarily modified ``sys.path`` in order to make the parent
     1006"project" directory importable under the old flat :djadmin:`startproject`
     1007layout. This function is now deprecated, as its path workarounds are no longer
     1008needed with the new ``manage.py`` and default project layout.
     1009
     1010This function was never documented or part of the public API, but was widely
     1011recommended for use in setting up a "Django environment" for a user script.
     1012These uses should be replaced by setting the ``DJANGO_SETTINGS_MODULE``
     1013environment variable or using :func:`django.conf.settings.configure`.
     1014
     1015``django.core.management.execute_manager``
     1016~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1017
     1018This function was previously used by ``manage.py`` to execute a management
     1019command. It is identical to
     1020``django.core.management.execute_from_command_line``, except that it first
     1021calls ``setup_environ``, which is now deprecated. As such, ``execute_manager``
     1022is also deprecated; ``execute_from_command_line`` can be used instead. Neither
     1023of these functions is documented as part of the public API, but a deprecation
     1024path is needed due to use in existing ``manage.py`` files.
     1025
     1026``is_safe`` and ``needs_autoescape`` attributes of template filters
     1027~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1028
     1029Two flags, ``is_safe`` and ``needs_autoescape``, define how each template filter
     1030interacts with Django's auto-escaping behavior. They used to be attributes of
     1031the filter function::
     1032
     1033    @register.filter
     1034    def noop(value):
     1035        return value
     1036    noop.is_safe = True
     1037
     1038However, this technique caused some problems in combination with decorators,
     1039especially :func:`@stringfilter <django.template.defaultfilters.stringfilter>`.
     1040Now, the flags are keyword arguments of :meth:`@register.filter
     1041<django.template.Library.filter>`::
     1042
     1043    @register.filter(is_safe=True)
     1044    def noop(value):
     1045        return value
     1046
     1047See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
     1048
     1049Session cookies now have the ``httponly`` flag by default
     1050~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1051
     1052Session cookies now include the ``httponly`` attribute by default to
     1053help reduce the impact of potential XSS attacks. For strict backwards
     1054compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
     1055
     1056Wildcard expansion of application names in `INSTALLED_APPS`
     1057~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1058
     1059Until Django 1.3, :setting:`INSTALLED_APPS` accepted wildcards in application
     1060names, like ``django.contrib.*``. The expansion was performed by a
     1061filesystem-based implementation of ``from <package> import *``. Unfortunately,
     1062`this can't be done reliably`_.
     1063
     1064This behavior was never documented. Since it is un-pythonic and not obviously
     1065useful, it was removed in Django 1.4. If you relied on it, you must edit your
     1066settings file to list all your applications explicitly.
     1067
     1068.. _this can't be done reliably: http://docs.python.org/tutorial/modules.html#importing-from-a-package
     1069
     1070``HttpRequest.raw_post_data`` renamed to ``HttpRequest.body``
     1071~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1072
     1073This attribute was confusingly named ``HttpRequest.raw_post_data``, but it
     1074actually provided the body of the HTTP request. It's been renamed to
     1075``HttpRequest.body``, and ``HttpRequest.raw_post_data`` has been deprecated.
     1076
     1077
     1078The Django 1.4 roadmap
     1079======================
     1080
     1081Before the final Django 1.4 release, several other preview/development releases
     1082will be made available. The current schedule consists of at least the following:
     1083
     1084* Week of **January 30, 2012**: First Django 1.4 beta release; final
     1085  feature freeze for Django 1.4.
     1086
     1087* Week of **February 27, 2012**: First Django 1.4 release
     1088  candidate; string freeze for translations.
     1089
     1090* Week of **March 5, 2012**: Django 1.4 final release.
     1091
     1092If necessary, additional alpha, beta or release-candidate packages
     1093will be issued prior to the final 1.4 release. Django 1.4 will be
     1094released approximately one week after the final release candidate.
     1095
     1096What you can do to help
     1097=======================
     1098
     1099In order to provide a high-quality 1.4 release, we need your help. Although this
     1100beta release is, again, *not* intended for production use, you can help the
     1101Django team by trying out the beta codebase in a safe test environment and
     1102reporting any bugs or issues you encounter. The Django ticket tracker is the
     1103central place to search for open issues:
     1104
     1105* http://code.djangoproject.com/timeline
     1106
     1107Please open new tickets if no existing ticket corresponds to a problem you're
     1108running into.
     1109
     1110Additionally, discussion of Django development, including progress toward the
     11111.3 release, takes place daily on the django-developers mailing list:
     1112
     1113* http://groups.google.com/group/django-developers
     1114
     1115... and in the ``#django-dev`` IRC channel on ``irc.freenode.net``. If you're
     1116interested in helping out with Django's development, feel free to join the
     1117discussions there.
     1118
     1119Django's online documentation also includes pointers on how to contribute to
     1120Django:
     1121
     1122* :doc:`How to contribute to Django </internals/contributing/index>`
     1123
     1124Contributions on any level -- developing code, writing documentation or simply
     1125triaging tickets and helping to test proposed bugfixes -- are always welcome and
     1126appreciated.
     1127
     1128Several development sprints will also be taking place before the 1.4
     1129release; these will typically be announced in advance on the
     1130django-developers mailing list, and anyone who wants to help is
     1131welcome to join in.
  • docs/releases/index.txt

    diff --git a/docs/releases/index.txt b/docs/releases/index.txt
    index f7b04d4..72b6d8b 100644
    a b notes.  
    8181.. toctree::
    8282   :maxdepth: 1
    8383
     84   1.4-beta-1
    8485   1.4-alpha-1
    8586   1.3-beta-1
    8687   1.3-alpha-1
Back to Top