2009-07-21 03:51:40 +02:00
|
|
|
===========================
|
|
|
|
Django Deprecation Timeline
|
|
|
|
===========================
|
|
|
|
|
|
|
|
This document outlines when various pieces of Django will be removed, following
|
|
|
|
their deprecation, as per the :ref:`Django deprecation policy
|
|
|
|
<internal-release-deprecation-policy>`
|
|
|
|
|
|
|
|
* 1.3
|
|
|
|
* ``AdminSite.root()``. This release will remove the old method for
|
|
|
|
hooking up admin URLs. This has been deprecated since the 1.1
|
|
|
|
release.
|
|
|
|
|
2010-01-28 02:47:23 +01:00
|
|
|
* Authentication backends need to define the boolean attributes
|
|
|
|
``supports_object_permissions`` and ``supports_anonymous_user``.
|
|
|
|
The old backend style is deprecated since the 1.2 release.
|
2009-12-10 02:05:35 +01:00
|
|
|
|
2010-05-05 18:06:39 +02:00
|
|
|
* The :mod:`django.contrib.gis.db.backend` module, including the
|
|
|
|
``SpatialBackend`` interface, is deprecated since the 1.2 release.
|
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:23:07 +01:00
|
|
|
* 1.4
|
|
|
|
* ``CsrfResponseMiddleware``. This has been deprecated since the 1.2
|
2011-05-13 06:33:42 +02:00
|
|
|
release, in favor of the template tag method for inserting the CSRF
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:23:07 +01:00
|
|
|
token. ``CsrfMiddleware``, which combines ``CsrfResponseMiddleware``
|
|
|
|
and ``CsrfViewMiddleware``, is also deprecated.
|
|
|
|
|
2009-10-27 01:36:34 +01:00
|
|
|
* The old imports for CSRF functionality (``django.contrib.csrf.*``),
|
|
|
|
which moved to core in 1.2, will be removed.
|
|
|
|
|
2009-11-03 13:53:26 +01:00
|
|
|
* ``SMTPConnection``. The 1.2 release deprecated the ``SMTPConnection``
|
|
|
|
class in favor of a generic E-mail backend API.
|
|
|
|
|
2009-11-03 15:02:49 +01:00
|
|
|
* The many to many SQL generation functions on the database backends
|
2009-12-22 16:18:51 +01:00
|
|
|
will be removed.
|
|
|
|
|
|
|
|
* The ability to use the ``DATABASE_*`` family of top-level settings to
|
|
|
|
define database connections will be removed.
|
|
|
|
|
|
|
|
* The ability to use shorthand notation to specify a database backend
|
|
|
|
(i.e., ``sqlite3`` instead of ``django.db.backends.sqlite3``) will be
|
|
|
|
removed.
|
|
|
|
|
|
|
|
* The ``get_db_prep_save``, ``get_db_prep_value`` and
|
2011-03-03 14:28:20 +01:00
|
|
|
``get_db_prep_lookup`` methods on Field were modified in 1.2
|
|
|
|
to support multiple databases. In 1.4, the support functions
|
|
|
|
that allow methods with the old prototype to continue
|
|
|
|
working will be removed.
|
2009-11-03 15:02:49 +01:00
|
|
|
|
2009-12-09 17:57:23 +01:00
|
|
|
* The ``Message`` model (in ``django.contrib.auth``), its related
|
|
|
|
manager in the ``User`` model (``user.message_set``), and the
|
|
|
|
associated methods (``user.message_set.create()`` and
|
|
|
|
``user.get_and_delete_messages()``), which have
|
2009-12-14 13:08:23 +01:00
|
|
|
been deprecated since the 1.2 release, will be removed. The
|
2010-08-19 21:27:44 +02:00
|
|
|
:doc:`messages framework </ref/contrib/messages>` should be used
|
2011-04-08 00:01:23 +02:00
|
|
|
instead. The related ``messages`` variable returned by the
|
|
|
|
auth context processor will also be removed. Note that this
|
|
|
|
means that the admin application depends on the messages
|
|
|
|
context processor.
|
2009-12-09 17:57:23 +01:00
|
|
|
|
2009-12-10 02:05:35 +01:00
|
|
|
* Authentication backends need to support the ``obj`` parameter for
|
|
|
|
permission checking. The ``supports_object_permissions`` variable
|
|
|
|
is not checked any longer and can be removed.
|
|
|
|
|
2010-01-28 02:47:23 +01:00
|
|
|
* Authentication backends need to support the ``AnonymousUser``
|
|
|
|
being passed to all methods dealing with permissions.
|
|
|
|
The ``supports_anonymous_user`` variable is not checked any
|
|
|
|
longer and can be removed.
|
|
|
|
|
2009-12-14 13:08:23 +01:00
|
|
|
* The ability to specify a callable template loader rather than a
|
|
|
|
``Loader`` class will be removed, as will the ``load_template_source``
|
|
|
|
functions that are included with the built in template loaders for
|
|
|
|
backwards compatibility. These have been deprecated since the 1.2
|
|
|
|
release.
|
|
|
|
|
2009-12-22 18:58:49 +01:00
|
|
|
* ``django.utils.translation.get_date_formats()`` and
|
|
|
|
``django.utils.translation.get_partial_date_formats()``. These
|
|
|
|
functions are replaced by the new locale aware formatting; use
|
|
|
|
``django.utils.formats.get_format()`` to get the appropriate
|
|
|
|
formats.
|
|
|
|
|
|
|
|
* In ``django.forms.fields``: ``DEFAULT_DATE_INPUT_FORMATS``,
|
|
|
|
``DEFAULT_TIME_INPUT_FORMATS`` and
|
|
|
|
``DEFAULT_DATETIME_INPUT_FORMATS``. Use
|
|
|
|
``django.utils.formats.get_format()`` to get the appropriate
|
|
|
|
formats.
|
|
|
|
|
2010-01-18 16:11:01 +01:00
|
|
|
* The ability to use a function-based test runners will be removed,
|
|
|
|
along with the ``django.test.simple.run_tests()`` test runner.
|
|
|
|
|
2010-01-28 14:46:18 +01:00
|
|
|
* The ``views.feed()`` view and ``feeds.Feed`` class in
|
|
|
|
``django.contrib.syndication`` have been deprecated since the 1.2
|
|
|
|
release. The class-based view ``views.Feed`` should be used instead.
|
|
|
|
|
2010-02-22 00:40:47 +01:00
|
|
|
* ``django.core.context_processors.auth``. This release will
|
|
|
|
remove the old method in favor of the new method in
|
|
|
|
``django.contrib.auth.context_processors.auth``. This has been
|
|
|
|
deprecated since the 1.2 release.
|
|
|
|
|
2010-02-23 13:24:41 +01:00
|
|
|
* The ``postgresql`` database backend has been deprecated in favor of
|
|
|
|
the ``postgresql_psycopg2`` backend.
|
|
|
|
|
2010-04-29 16:36:09 +02:00
|
|
|
* The ``no`` language code has been deprecated in favor of the ``nb``
|
|
|
|
language code.
|
|
|
|
|
2010-12-21 20:18:12 +01:00
|
|
|
* Authentication backends need to define the boolean attribute
|
|
|
|
``supports_inactive_user``.
|
|
|
|
|
2011-03-03 14:28:20 +01:00
|
|
|
* ``django.db.models.fields.XMLField`` will be removed. This was
|
|
|
|
deprecated as part of the 1.3 release. An accelerated deprecation
|
|
|
|
schedule has been used because the field hasn't performed any role
|
|
|
|
beyond that of a simple ``TextField`` since the removal of oldforms.
|
|
|
|
All uses of ``XMLField`` can be replaced with ``TextField``.
|
|
|
|
|
2010-08-28 04:40:57 +02:00
|
|
|
* 1.5
|
|
|
|
* The ``mod_python`` request handler has been deprecated since the 1.3
|
|
|
|
release. The ``mod_wsgi`` handler should be used instead.
|
|
|
|
|
2010-10-10 04:16:33 +02:00
|
|
|
* The ``template`` attribute on :class:`~django.test.client.Response`
|
|
|
|
objects returned by the :ref:`test client <test-client>` has been
|
|
|
|
deprecated since the 1.3 release. The
|
|
|
|
:attr:`~django.test.client.Response.templates` attribute should be
|
|
|
|
used instead.
|
|
|
|
|
2010-10-11 15:18:00 +02:00
|
|
|
* The features of the :class:`django.test.simple.DjangoTestRunner`
|
|
|
|
(including fail-fast and Ctrl-C test termination) can now be provided
|
|
|
|
by the unittest-native :class:`TextTestRunner`. The
|
|
|
|
:class:`~django.test.simple.DjangoTestRunner` will be removed in
|
|
|
|
favor of using the unittest-native class.
|
|
|
|
|
Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 22:54:30 +02:00
|
|
|
* The undocumented function
|
|
|
|
:func:`django.contrib.formtools.utils.security_hash`
|
2011-05-13 06:33:42 +02:00
|
|
|
is deprecated, in favor of :func:`django.contrib.formtools.utils.form_hmac`
|
Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 22:54:30 +02:00
|
|
|
|
2010-10-18 15:34:47 +02:00
|
|
|
* The function-based generic views have been deprecated in
|
|
|
|
favor of their class-based cousins. The following modules
|
|
|
|
will be removed:
|
|
|
|
|
|
|
|
* :mod:`django.views.generic.create_update`
|
|
|
|
* :mod:`django.views.generic.date_based`
|
|
|
|
* :mod:`django.views.generic.list_detail`
|
|
|
|
* :mod:`django.views.generic.simple`
|
|
|
|
|
2010-11-11 22:44:05 +01:00
|
|
|
* The :class:`~django.core.servers.basehttp.AdminMediaHandler` has
|
|
|
|
been deprecated in favor of the
|
2010-11-13 19:41:24 +01:00
|
|
|
:class:`~django.contrib.staticfiles.handlers.StaticFilesHandler`.
|
2010-11-11 22:44:05 +01:00
|
|
|
|
2010-11-20 07:22:28 +01:00
|
|
|
* The :ttag:`url` and :ttag:`ssi` template tags will be
|
|
|
|
modified so that the first argument to each tag is a
|
|
|
|
template variable, not an implied string. The new-style
|
|
|
|
behavior is provided in the ``future`` template tag library.
|
|
|
|
|
2010-12-12 23:58:25 +01:00
|
|
|
* The :djadmin:`reset` and :djadmin:`sqlreset` management commands
|
|
|
|
are deprecated.
|
|
|
|
|
2010-12-21 20:18:12 +01:00
|
|
|
* Authentication backends need to support a inactive user
|
|
|
|
being passed to all methods dealing with permissions.
|
|
|
|
The ``supports_inactive_user`` variable is not checked any
|
|
|
|
longer and can be removed.
|
|
|
|
|
2011-02-23 14:36:58 +01:00
|
|
|
* :meth:`~django.contrib.gis.geos.GEOSGeometry.transform` will raise
|
|
|
|
a :class:`~django.contrib.gis.geos.GEOSException` when called
|
2010-12-22 18:43:30 +01:00
|
|
|
on a geometry with no SRID value.
|
|
|
|
|
2011-05-13 06:33:42 +02:00
|
|
|
* :class:`~django.http.CompatCookie` will be removed in favor of
|
2011-01-24 21:35:46 +01:00
|
|
|
:class:`~django.http.SimpleCookie`.
|
|
|
|
|
2011-02-23 14:36:58 +01:00
|
|
|
* :class:`django.core.context_processors.PermWrapper` and
|
|
|
|
:class:`django.core.context_processors.PermLookupDict`
|
|
|
|
will be moved to :class:`django.contrib.auth.context_processors.PermWrapper`
|
|
|
|
and :class:`django.contrib.auth.context_processors.PermLookupDict`,
|
|
|
|
respectively.
|
|
|
|
|
2011-05-29 19:41:04 +02:00
|
|
|
* The :setting:`MEDIA_URL` or :setting:`STATIC_URL` settings are
|
|
|
|
required to end with a trailing slash to ensure there is a consistent
|
|
|
|
way to combine paths in templates.
|
2011-03-22 07:57:12 +01:00
|
|
|
|
2011-03-30 10:34:05 +02:00
|
|
|
* 1.6
|
|
|
|
* The compatibility modules ``django.utils.copycompat`` and
|
|
|
|
``django.utils.hashcompat`` as well as the functions
|
|
|
|
``django.utils.itercompat.all`` and ``django.utils.itercompat.any``
|
|
|
|
have been deprecated since the 1.4 release. The native versions
|
|
|
|
should be used instead.
|
|
|
|
|
2011-03-30 19:35:41 +02:00
|
|
|
* The :func:`~django.views.decorators.csrf.csrf_response_exempt` and
|
|
|
|
:func:`~django.views.decorators.csrf.csrf_view_exempt` decorators will
|
|
|
|
be removed. Since 1.4 ``csrf_response_exempt`` has been a no-op (it
|
|
|
|
returns the same function), and ``csrf_view_exempt`` has been a
|
|
|
|
synonym for ``django.views.decorators.csrf.csrf_exempt``, which should
|
|
|
|
be used to replace it.
|
|
|
|
|
2011-04-02 10:37:15 +02:00
|
|
|
* The :class:`~django.core.cache.backends.memcached.CacheClass` backend
|
|
|
|
was split into two in Django 1.3 in order to introduce support for
|
|
|
|
PyLibMC. The historical :class:`~django.core.cache.backends.memcached.CacheClass`
|
|
|
|
is now an alias for :class:`~django.core.cache.backends.memcached.MemcachedCache`.
|
|
|
|
In Django 1.6, the historical alias will be removed.
|
|
|
|
|
2011-05-03 13:52:20 +02:00
|
|
|
* The UK-prefixed objects of ``django.contrib.localflavor.uk`` will only
|
|
|
|
be accessible through their new GB-prefixed names (GB is the correct
|
2011-05-05 22:49:35 +02:00
|
|
|
ISO 3166 code for United Kingdom). They have been deprecated since the
|
2011-05-03 13:52:20 +02:00
|
|
|
1.4 release.
|
|
|
|
|
2011-05-05 22:49:26 +02:00
|
|
|
* The :setting:`IGNORABLE_404_STARTS` and :setting:`IGNORABLE_404_ENDS`
|
|
|
|
settings have been superseded by :setting:`IGNORABLE_404_URLS` in
|
|
|
|
the 1.4 release. They will be removed.
|
|
|
|
|
2011-06-01 15:47:00 +02:00
|
|
|
* The :doc:`form wizard </ref/contrib/formtools/form-wizard>` has been
|
|
|
|
refactored to use class based views with pluggable backends in 1.4.
|
|
|
|
The previous implementation will be deprecated.
|
|
|
|
|
2011-06-08 13:12:01 +02:00
|
|
|
* Legacy ways of calling
|
|
|
|
:func:`~django.views.decorators.cache.cache_page` will be removed.
|
|
|
|
|
2011-06-22 08:01:44 +02:00
|
|
|
* The backward-compatibility shim to automatically add a debug-false
|
|
|
|
filter to the ``'mail_admins'`` logging handler will be removed. The
|
|
|
|
:setting:`LOGGING` setting should include this filter explicitly if
|
|
|
|
it is desired.
|
|
|
|
|
2009-07-21 03:51:40 +02:00
|
|
|
* 2.0
|
|
|
|
* ``django.views.defaults.shortcut()``. This function has been moved
|
|
|
|
to ``django.contrib.contenttypes.views.shortcut()`` as part of the
|
|
|
|
goal of removing all ``django.contrib`` references from the core
|
|
|
|
Django codebase. The old shortcut will be removed in the 2.0
|
|
|
|
release.
|