September 1, 2020
Django 3.1.1 fixes two security issues and several bugs in 3.1.
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not
applied to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using the
collectstatic management command.
You should review and manually fix permissions on existing intermediate-level directories.
On Python 3.7+, the intermediate-level directories of the file system cache had
the system’s standard umask rather than 0o077 (no group or others
permissions).
Fixed wrapping of translated action labels in the admin’s navigation sidebar for East Asian languages (#31853).
Fixed wrapping of long model names in the admin’s navigation sidebar (#31854).
Fixed encoding session data while upgrading multiple instances of the same project to Django 3.1 (#31864).
Adjusted admin’s navigation sidebar template to reduce debug logging when rendering (#31865).
Fixed a data loss possibility in the
select_for_update(). When using
related fields pointing to a proxy model in the of argument, the
corresponding model was not locked (#31866).
Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value (#31863).
Fixed a regression in Django 3.1 that caused a crash when decoding an invalid session data (#31895).
Reverted a deprecation in Django 3.1 that caused a crash when passing
deprecated keyword arguments to a queryset in
TemplateView.get_context_data() (#31877).
Enforced thread sensitivity of the MiddlewareMixin.process_request() and process_response() hooks
when in an async context (#31905).
Fixed __in lookup on key transforms for
JSONField with MariaDB, MySQL, Oracle, and SQLite
(#31936).
Fixed a regression in Django 3.1 that caused permission errors in
CommonPasswordValidator and settings.py generated by the
startproject command, when user didn’t have permissions to all
intermediate directories in a Django installation path (#31912).
Fixed detecting an async get_response callable in various builtin
middlewares (#31928).
Fixed a QuerySet.order_by() crash on PostgreSQL when ordering and
grouping by JSONField with a custom
decoder (#31956). As a
consequence, fetching a JSONField with raw SQL now returns a string
instead of preloaded data. You will need to explicitly call json.loads()
in such cases.
Fixed a QuerySet.delete() crash on MySQL, following a performance
regression in Django 3.1 on MariaDB 10.3.2+, when filtering against an
aggregate function (#31965).
Fixed a django.contrib.admin.EmptyFieldListFilter crash when using on
reverse relations (#31952).
Prevented content overflowing in the admin changelist view when the navigation sidebar is enabled (#31901).
Dec 25, 2023