Release Notes
(From: https://docs.djangoproject.com/en/1.11/releases/1.11/)
Welcome to Django 1.11!
These release notes cover the new features, as well as some backwards incompatible changes you’ll want to be aware of when upgrading from Django 1.10 or older versions. We’ve begun the deprecation process for some features.
See the Upgrading Django to a newer version guide if you’re updating an existing project.
Django 1.11 is designated as a long-term support release. It will receive security updates for at least three years after its release. Support for the previous LTS, Django 1.8, will end in April 2018.
Python compatibility¶
Django 1.11 requires Python 2.7, 3.4, 3.5, or 3.6. Django 1.11 is the first release to support Python 3.6. We highly recommend and only officially support the latest release of each series.
The Django 1.11.x series is the last to support Python 2. The next major release, Django 2.0, will only support Python 3.5+.
Deprecating warnings are no longer loud by default - PLAT-1350Getting issue details... STATUS ¶
Unlike older versions of Django, Django’s own deprecation warnings are no longer displayed by default. This is consistent with Python’s default behavior.
This change allows third-party apps to support both Django 1.11 LTS and Django 1.8 LTS without having to add code to avoid deprecation warnings.
Following the release of Django 2.0, we suggest that third-party app authors drop support for all versions of Django prior to 1.11. At that time, you should be able run your package’s tests using python -Wd
so that deprecation warnings do appear. After making the deprecation warning fixes, your app should be compatible with Django 2.0.
What’s new in Django 1.11¶
Class-based model indexes¶
The new django.db.models.indexes
module contains classes which ease creating database indexes. Indexes are added to models using the Meta.indexes
option.
The Index
class creates a b-tree index, as if you used db_index
on the model field or index_together
on the model Meta
class. It can be subclassed to support different index types, such as GinIndex
. It also allows defining the order (ASC/DESC) for the columns of the index.
Template-based widget rendering¶
To ease customizing widgets, form widget rendering is now done using the template system rather than in Python. See The form rendering API.
You may need to adjust any custom widgets that you’ve written for a few backwards incompatible changes.
Subquery
expressions¶
The new Subquery
and Exists
database expressions allow creating explicit subqueries. Subqueries may refer to fields from the outer queryset using the OuterRef
class.
Minor features¶
django.contrib.admin
¶
ModelAdmin.date_hierarchy
can now reference fields across relations.- The new
ModelAdmin.get_exclude()
hook allows specifying the exclude fields based on the request or model instance. - The
popup_response.html
template can now be overridden per app, per model, or by setting theModelAdmin.popup_response_template
attribute.
django.contrib.auth
¶
- The default iteration count for the PBKDF2 password hasher is increased by 20%.
- The
LoginView
andLogoutView
class-based views supersede the deprecatedlogin()
andlogout()
function-based views. - The
PasswordChangeView
,PasswordChangeDoneView
,PasswordResetView
,PasswordResetDoneView
,PasswordResetConfirmView
, andPasswordResetCompleteView
class-based views supersede the deprecatedpassword_change()
,password_change_done()
,password_reset()
,password_reset_done()
,password_reset_confirm()
, andpassword_reset_complete()
function-based views. - The new
post_reset_login
attribute forPasswordResetConfirmView
allows automatically logging in a user after a successful password reset. If you have multipleAUTHENTICATION_BACKENDS
configured, use thepost_reset_login_backend
attribute to choose which one to use. - To avoid the possibility of leaking a password reset token via the HTTP Referer header (for example, if the reset page includes a reference to CSS or JavaScript hosted on another domain), the
PasswordResetConfirmView
(but not the deprecatedpassword_reset_confirm()
function-based view) stores the token in a session and redirects to itself to present the password change form to the user without the token in the URL. update_session_auth_hash()
now rotates the session key to allow a password change to invalidate stolen session cookies.- The new
success_url_allowed_hosts
attribute forLoginView
andLogoutView
allows specifying a set of hosts that are safe for redirecting after login and logout. - Added password validators
help_text
toUserCreationForm
. - The
HttpRequest
is now passed toauthenticate()
which in turn passes it to the authentication backend if it accepts arequest
argument. - The
user_login_failed()
signal now receives arequest
argument. PasswordResetForm
supports custom user models that use an email field named something other than'email'
. SetCustomUser.EMAIL_FIELD
to the name of the field.get_user_model()
can now be called at import time, even in modules that define models.
django.contrib.contenttypes
¶
- When stale content types are detected in the
remove_stale_contenttypes
command, there’s now a list of related objects such asauth.Permission
s that will also be deleted. Previously, only the content types were listed (and this prompt was aftermigrate
rather than in a separate command).
django.contrib.gis
¶
- The new
GEOSGeometry.from_gml()
andOGRGeometry.from_gml()
methods allow creating geometries from GML. - Added support for the
dwithin
lookup on SpatiaLite. - The
Area
function,Distance
function, and distance lookups now work with geodetic coordinates on SpatiaLite. - The OpenLayers-based form widgets now use
OpenLayers.js
fromhttps://cdnjs.cloudflare.com
which is more suitable for production use than the the oldhttp://openlayers.org
source. They are also updated to use OpenLayers 3. - PostGIS migrations can now change field dimensions.
- Added the ability to pass the size, shape, and offset parameter when creating
GDALRaster
objects. - Added SpatiaLite support for the
IsValid
function,MakeValid
function, andisvalid
lookup. - Added Oracle support for the
AsGML
function,BoundingCircle
function,IsValid
function, andisvalid
lookup.
django.contrib.postgres
¶
- The new
distinct
argument forStringAgg
determines if concatenated values will be distinct. - The new
GinIndex
andBrinIndex
classes allow creatingGIN
andBRIN
indexes in the database. JSONField
accepts a newencoder
parameter to specify a custom class to encode data types not supported by the standard encoder.- The new
CIText
mixin andCITextExtension
migration operation allow using PostgreSQL’scitext
extension for case-insensitive lookups. Three fields are provided:CICharField
,CIEmailField
, andCITextField
. - The new
JSONBAgg
allows aggregating values as a JSON array. - The
HStoreField
(model field) andHStoreField
(form field) allow storing null values.
Cache¶
- Memcached backends now pass the contents of
OPTIONS
as keyword arguments to the client constructors, allowing for more advanced control of client behavior. See the cache arguments documentation for examples. - Memcached backends now allow defining multiple servers as a comma-delimited string in
LOCATION
, for convenience with third-party services that use such strings in environment variables.
CSRF¶
- Added the
CSRF_USE_SESSIONS
setting to allow storing the CSRF token in the user’s session rather than in a cookie.
Database backends¶
- Added the
skip_locked
argument toQuerySet.select_for_update()
on PostgreSQL 9.5+ and Oracle to execute queries withFOR UPDATE SKIP LOCKED
. - Added the
TEST['TEMPLATE']
setting to let PostgreSQL users specify a template for creating the test database. QuerySet.iterator()
now uses server-side cursors on PostgreSQL. This feature transfers some of the worker memory load (used to hold query results) to the database and might increase database memory usage.- Added MySQL support for the
'isolation_level'
option inOPTIONS
to allow specifying the transaction isolation level. To avoid possible data loss, it’s recommended to switch from MySQL’s default level, repeatable read, to read committed. - Added support for
cx_Oracle
5.3.
Email¶
- Added the
EMAIL_USE_LOCALTIME
setting to allow sending SMTP date headers in the local time zone rather than in UTC. EmailMessage.attach()
andattach_file()
now fall back to MIME typeapplication/octet-stream
when binary content that can’t be decoded as UTF-8 is specified for atext/*
attachment.
File Storage¶
- To make it wrappable by
io.TextIOWrapper
,File
now has thereadable()
,writable()
, andseekable()
methods.
Forms¶
- The new
CharField.empty_value
attribute allows specifying the Python value to use to represent “empty”. - The new
Form.get_initial_for_field()
method returns initial data for a form field.
Internationalization¶
- Number formatting and the
NUMBER_GROUPING
setting support non-uniform digit grouping.
Management Commands¶
- The new
loaddata --exclude
option allows excluding models and apps while loading data from fixtures. - The new
diffsettings --default
option allows specifying a settings module other than Django’s default settings to compare against. app_label
s arguments now limit theshowmigrations --plan
output.
Migrations¶
- Added support for serialization of
uuid.UUID
objects.
Models¶
- Added support for callable values in the
defaults
argument ofQuerySet.update_or_create()
andget_or_create()
. ImageField
now has a defaultvalidate_image_file_extension
validator. (This validator moved to the form field in Django 1.11.2.)- Added support for time truncation to
Trunc
functions. - Added the
ExtractWeek
function to extract the week fromDateField
andDateTimeField
and exposed it through theweek
lookup. - Added the
TruncTime
function to truncateDateTimeField
to its time component and exposed it through thetime
lookup. - Added support for expressions in
QuerySet.values()
andvalues_list()
. - Added support for query expressions on lookups that take multiple arguments, such as
range
. - You can now use the
unique=True
option withFileField
. - Added the
nulls_first
andnulls_last
parameters toExpression.asc()
anddesc()
to control the ordering of null values. - The new
F
expressionbitleftshift()
andbitrightshift()
methods allow bitwise shift operations. - Added
QuerySet.union()
,intersection()
, anddifference()
.
Requests and Responses¶
- Added
QueryDict.fromkeys()
. CommonMiddleware
now sets theContent-Length
response header for non-streaming responses.- Added the
SECURE_HSTS_PRELOAD
setting to allow appending thepreload
directive to theStrict-Transport-Security
header. ConditionalGetMiddleware
now adds theETag
header to responses.
Serialization¶
- The new
django.core.serializers.base.Serializer.stream_class
attribute allows subclasses to customize the default stream. - The encoder used by the JSON serializer can now be customized by passing a
cls
keyword argument to theserializers.serialize()
function. DjangoJSONEncoder
now serializestimedelta
objects (used byDurationField
).
Templates¶
mark_safe()
can now be used as a decorator.- The
Jinja2
template backend now supports context processors by setting the'context_processors'
option inOPTIONS
. - The
regroup
tag now returnsnamedtuple
s instead of dictionaries so you can unpack the group object directly in a loop, e.g.{% forgrouper, list in regrouped %}
. - Added a
resetcycle
template tag to allow resetting the sequence of thecycle
template tag. - You can now specify specific directories for a particular
filesystem.Loader
.
Tests¶
- Added
DiscoverRunner.get_test_runner_kwargs()
to allow customizing the keyword arguments passed to the test runner. - Added the
test --debug-mode
option to help troubleshoot test failures by setting theDEBUG
setting toTrue
. - The new
django.test.utils.setup_databases()
(moved fromdjango.test.runner
) andteardown_databases()
functions make it easier to build custom test runners. - Added support for
unittest.TestCase.subTest()
’s when using thetest --parallel
option. DiscoverRunner
now runs the system checks at the start of a test run. Override theDiscoverRunner.run_checks()
method if you want to disable that.
Validators¶
- Added
FileExtensionValidator
to validate file extensions andvalidate_image_file_extension
to validate image files.
Backwards incompatible changes in 1.11¶
django.contrib.gis
¶
- To simplify the codebase and because it’s easier to install than when
contrib.gis
was first released, GDAL is now a required dependency for GeoDjango. In older versions, it’s only required for SQLite. contrib.gis.maps
is removed as it interfaces with a retired version of the Google Maps API and seems to be unmaintained. If you’re using it, let us know.- The
GEOSGeometry
equality operator now also compares SRID. - The OpenLayers-based form widgets now use OpenLayers 3, and the
gis/openlayers.html
andgis/openlayers-osm.html
templates have been updated. Check your project if you subclass these widgets or extend the templates. Also, the new widgets work a bit differently than the old ones. Instead of using a toolbar in the widget, you click to draw, click and drag to move the map, and click and drag a point/vertex/corner to move it. - Support for SpatiaLite < 4.0 is dropped.
- Support for GDAL 1.7 and 1.8 is dropped.
- The widgets in
contrib.gis.forms.widgets
and the admin’sOpenLayersWidget
use the form rendering API rather thanloader.render_to_string()
. If you’re using a custom widget template, you’ll need to be sure your form renderer can locate it. For example, you could use theTemplatesSetting
renderer.
django.contrib.staticfiles
¶
collectstatic
may now fail during post-processing - PLAT-1363Getting issue details... STATUS when using a hashed static files storage if a reference loop exists (e.g.'foo.css'
references'bar.css'
which itself references'foo.css'
) or if the chain of files referencing other files is too deep to resolve in several passes. In the latter case, increase the number of passes usingManifestStaticFilesStorage.max_post_process_passes
.- When using
ManifestStaticFilesStorage
, static files not found in the manifest at runtime now raise aValueError
instead of returning an unchanged path. You can revert to the old behavior by settingManifestStaticFilesStorage.manifest_strict
toFalse
.
Database backend API¶
- The
DatabaseOperations.time_trunc_sql()
method is added to supportTimeField
truncation. It accepts alookup_type
andfield_name
arguments and returns the appropriate SQL to truncate the given time fieldfield_name
to a time object with only the given specificity. Thelookup_type
argument can be either'hour'
,'minute'
, or'second'
. - The
DatabaseOperations.datetime_cast_time_sql()
method is added to support thetime
lookup. It accepts afield_name
andtzname
arguments and returns the SQL necessary to cast a datetime value to time value. - To enable
FOR UPDATE SKIP LOCKED
support, setDatabaseFeatures.has_select_for_update_skip_locked = True
. - The new
DatabaseFeatures.supports_index_column_ordering
attribute specifies if a database allows defining ordering for columns in indexes. The default value isTrue
and theDatabaseIntrospection.get_constraints()
method should include an'orders'
key in each of the returned dictionaries with a list of'ASC'
and/or'DESC'
values corresponding to the the ordering of each column in the index. inspectdb
no longer callsDatabaseIntrospection.get_indexes()
which is deprecated. Custom database backends should ensure all types of indexes are returned byDatabaseIntrospection.get_constraints()
.- Renamed the
ignores_quoted_identifier_case
feature toignores_table_name_case
to more accurately reflect how it is used. - The
name
keyword argument is added to theDatabaseWrapper.create_cursor(self, name=None)
method to allow usage of server-side cursors on backends that support it.
Dropped support for PostgreSQL 9.2 and PostGIS 2.0¶
Upstream support for PostgreSQL 9.2 ends in September 2017. As a consequence, Django 1.11 sets PostgreSQL 9.3 as the minimum version it officially supports.
Support for PostGIS 2.0 is also removed as PostgreSQL 9.2 is the last version to support it.
Also, the minimum supported version of psycopg2 is increased from 2.4.5 to 2.5.4.
LiveServerTestCase
binds to port zero
-
PLAT-1367Getting issue details...
STATUS
¶
Rather than taking a port range and iterating to find a free port, LiveServerTestCase
binds to port zero and relies on the operating system to assign a free port. The DJANGO_LIVE_TEST_SERVER_ADDRESS
environment variable is no longer used, and as it’s also no longer used, the manage.py test --liveserver
option is removed.
If you need to bind LiveServerTestCase
to a specific port, use the port
attribute added in Django 1.11.2.
Protection against insecure redirects in django.contrib.auth
and i18n
views
-
PLAT-1369Getting issue details...
STATUS
¶
LoginView
, LogoutView
(and the deprecated function-based equivalents), and set_language()
protect users from being redirected to non-HTTPS next
URLs when the app is running over HTTPS.
QuerySet.get_or_create()
and update_or_create()
validate arguments¶
To prevent typos from passing silently, get_or_create()
and update_or_create()
check that their arguments are model fields. This should be backwards-incompatible only in the fact that it might expose a bug in your project.
pytz
is a required dependency and support for settings.TIME_ZONE = None
is removed
-
PLAT-1371Getting issue details...
STATUS
¶
To simplify Django’s timezone handling, pytz
is now a required dependency. It’s automatically installed along with Django.
Support for settings.TIME_ZONE = None
is removed as the behavior isn’t commonly used and is questionably useful. If you want to automatically detect the timezone based on the system timezone, you can use tzlocal:
from tzlocal import get_localzone TIME_ZONE = get_localzone().zone
This works similar to settings.TIME_ZONE = None
except that it also sets os.environ['TZ']
. Let us know if there’s a use case where you find you can’t adapt your code to set a TIME_ZONE
.
HTML changes in admin templates - PLAT-1372Getting issue details... STATUS ¶
<p class="help">
is replaced with a <div>
tag to allow including lists inside help text.
Read-only fields are wrapped in <div class="readonly">...</div>
instead of <p>...</p>
to allow any kind of HTML as the field’s content.
Changes due to the introduction of template-based widget rendering - PLAT-1373Getting issue details... STATUS ¶
Some undocumented classes in django.forms.widgets
are removed:
SubWidget
RendererMixin
,ChoiceFieldRenderer
,RadioFieldRenderer
,CheckboxFieldRenderer
ChoiceInput
,RadioChoiceInput
,CheckboxChoiceInput
The Widget.format_output()
method is removed. Use a custom widget template instead.
Some widget values, such as <select>
options, are now localized if settings.USE_L10N=True
. You could revert to the old behavior with custom widget templates that uses the localize
template tag to turn off localization.
django.template.backends.django.Template.render()
prohibits non-dict context
-
PLAT-1376Getting issue details...
STATUS
¶
For compatibility with multiple template engines, django.template.backends.django.Template.render()
(returned from high-level template loader APIs such as loader.get_template()
) must receive a dictionary of context rather than Context
or RequestContext
. If you were passing either of the two classes, pass a dictionary instead – doing so is backwards-compatible with older versions of Django.
Model state changes in migration operations¶
To improve the speed of applying migrations, rendering of related models is delayed until an operation that needs them (e.g. RunPython
). If you have a custom operation that works with model classes or model instances from the from_state
argument in database_forwards()
or database_backwards()
, you must render model states using the clear_delayed_apps_cache()
method as described in writing your own migration operation.
Miscellaneous¶
- If no items in the feed have a
pubdate
orupdateddate
attribute,SyndicationFeed.latest_post_date()
now returns the current UTC date/time, instead of a datetime without any timezone information. - CSRF failures are logged to the
django.security.csrf
logger instead ofdjango.request
. ALLOWED_HOSTS
validation is no longer disabled when running tests. If your application includes tests with custom host names, you must include those host names inALLOWED_HOSTS
. See Tests and multiple host names.- Using a foreign key’s id (e.g.
'field_id'
) inModelAdmin.list_display
displays the related object’s ID. Remove the_id
suffix if you want the old behavior of the string representation of the object. - In model forms,
CharField
withnull=True
now savesNULL
for blank values instead of empty strings. - On Oracle,
Model.validate_unique()
no longer checks empty strings for uniqueness as the database interprets the value asNULL
. - If you subclass
AbstractUser
and overrideclean()
, be sure it callssuper()
.BaseUserManager.normalize_email()
is called in a newAbstractUser.clean()
method so that normalization is applied in cases like model form validation. EmailField
andURLField
no longer accept thestrip
keyword argument. Remove it because it doesn’t have an effect in older versions of Django as these fields always strip whitespace.- The
checked
andselected
attribute rendered by form widgets now uses HTML5 boolean syntax rather than XHTML’schecked='checked'
andselected='selected'
. RelatedManager.add()
,remove()
,clear()
, andset()
now clear theprefetch_related()
cache.- To prevent possible loss of saved settings,
setup_test_environment()
now raises an exception if called a second time before callingteardown_test_environment()
. - The undocumented
DateTimeAwareJSONEncoder
alias forDjangoJSONEncoder
(renamed in Django 1.0) is removed. - The
cached template loader
is now enabled ifDEBUG
isFalse
andOPTIONS['loaders']
isn’t specified. This could be backwards-incompatible if you have some template tags that aren’t thread safe. - The prompt for stale content type deletion no longer occurs after running the
migrate
command. Use the newremove_stale_contenttypes
command instead. - The admin’s widget for
IntegerField
usestype="number"
rather thantype="text"
. - Conditional HTTP headers are now parsed and compared according to the RFC 7232 Conditional Requests specification rather than the older RFC 2616.
patch_response_headers()
no longer adds aLast-Modified
header. According to the RFC 7234#section-4.2.2, this header is useless alongside other caching headers that provide an explicit expiration time, e.g.Expires
orCache-Control
.UpdateCacheMiddleware
andadd_never_cache_headers()
callpatch_response_headers()
and therefore are also affected by this change.- In the admin templates,
<p class="help">
is replaced with a<div>
tag to allow including lists inside help text. ConditionalGetMiddleware
no longer sets theDate
header as Web servers set that header. It also no longer sets theContent-Length
header as this is now done byCommonMiddleware
.get_model()
andget_models()
now raiseAppRegistryNotReady
if they’re called before models of all applications have been loaded. Previously they only required the target application’s models to be loaded and thus could return models without all their relations set up. If you need the old behavior ofget_model()
, set therequire_ready
argument toFalse
.- The unused
BaseCommand.can_import_settings
attribute is removed. - The undocumented
django.utils.functional.lazy_property
is removed. - For consistency with non-multipart requests,
MultiPartParser.parse()
now leavesrequest.POST
immutable. If you’re modifying thatQueryDict
, you must now first copy it, e.g.request.POST.copy()
. - Support for
cx_Oracle
< 5.2 is removed. - Support for IPython < 1.0 is removed from the
shell
command. - The signature of private API
Widget.build_attrs()
changed fromextra_attrs=None, **kwargs
tobase_attrs,extra_attrs=None
. - File-like objects (e.g.,
StringIO
andBytesIO
) uploaded to anImageField
using the test client now require aname
attribute with a value that passes thevalidate_image_file_extension
validator. See the note inClient.post()
.
Features deprecated in 1.11¶
models.permalink()
decorator¶
Use django.urls.reverse()
instead. For example:
from django.db import models class MyModel(models.Model): ... @models.permalink def url(self): return ('guitarist_detail', [self.slug])
becomes:
from django.db import models from django.urls import reverse class MyModel(models.Model): ... def url(self): return reverse('guitarist_detail', args=[self.slug])
Miscellaneous¶
contrib.auth
’slogin()
andlogout()
function-based views are deprecated in favor of new class-based viewsLoginView
andLogoutView
.- The unused
extra_context
parameter ofcontrib.auth.views.logout_then_login()
is deprecated. contrib.auth
’spassword_change()
,password_change_done()
,password_reset()
,password_reset_done()
,password_reset_confirm()
, andpassword_reset_complete()
function-based views are deprecated in favor of new class-based viewsPasswordChangeView
,PasswordChangeDoneView
,PasswordResetView
,PasswordResetDoneView
,PasswordResetConfirmView
, andPasswordResetCompleteView
.django.test.runner.setup_databases()
is moved todjango.test.utils.setup_databases()
. The old location is deprecated.django.utils.translation.string_concat()
is deprecated in favor ofdjango.utils.text.format_lazy()
.string_concat(*strings)
can be replaced byformat_lazy('{}' * len(strings), *strings)
.- For the
PyLibMCCache
cache backend, passingpylibmc
behavior settings as top-level attributes ofOPTIONS
is deprecated. Set them under abehaviors
key withinOPTIONS
instead. - The
host
parameter ofdjango.utils.http.is_safe_url()
is deprecated in favor of the newallowed_hosts
parameter. - Silencing exceptions raised while rendering the
{% include %}
template tag is deprecated as the behavior is often more confusing than helpful. In Django 2.1, the exception will be raised. DatabaseIntrospection.get_indexes()
is deprecated in favor ofDatabaseIntrospection.get_constraints()
.authenticate()
now passes arequest
argument to theauthenticate()
method of authentication backends. Support for methods that don’t acceptrequest
as the first positional argument will be removed in Django 2.1.- The
USE_ETAGS
setting is deprecated in favor ofConditionalGetMiddleware
which now adds theETag
header to responses regardless of the setting.CommonMiddleware
anddjango.utils.cache.patch_response_headers()
will no longer set ETags when the deprecation ends. Model._meta.has_auto_field
is deprecated in favor of checking ifModel._meta.auto_field is not None
.- Using regular expression groups with
iLmsu#
inurl()
is deprecated. The only group that’s useful is(?i)
for case-insensitive URLs, however, case-insensitive URLs aren’t a good practice because they create multiple entries for search engines, for example. An alternative solution could be to create ahandler404
that looks for uppercase characters in the URL and redirects to a lowercase equivalent. - The
renderer
argument is added to theWidget.render()
method. Methods that don’t accept that argument will work through a deprecation period.