This is a security fix release. We strongly recommend people upgrade.
Security fixes:
- Fixed SQL injection issue in MySQL
- Fixed SQL injection issues in MySQL when using
contains,starts_withorends_withfilters (and their case-insensitive counterparts) - Fixed malformed SQL for PostgreSQL and SQLite when using
contains,starts_withorends_withfilters (and their case-insensitive counterparts)
Other changes:
-
Added support for partial models:
To create a partial model, one can do a
.only(<fieldnames-as-strings>)as part of the QuerySet.
This will create model instances that only have those values fetched.Persisting changes on the model is allowed only when:
- All the fields you want to update is specified in
<model>.save(update_fields=[...]) - You included the Model primary key in the `.only(...)``
To protect against common mistakes we ensure that errors get raised:
- If you access a field that is not specified, you will get an
AttributeError. - If you do a
<model>.save()aIncompleteInstanceErrorwill be raised as the model is, as requested, incomplete. - If you do a
<model>.save(update_fields=[...])and you didn't include the primary key in the.only(...),
thenIncompleteInstanceErrorwill be raised indicating that updates can't be done without the primary key being known. - If you do a
<model>.save(update_fields=[...])and one of the fields inupdate_fieldswas not in the.only(...),
thenIncompleteInstanceErroras that field is not available to be updated.
- All the fields you want to update is specified in
- Fixed bad SQL generation when doing a
.values()query over a Foreign Key - Added
<model>.update_from_dict({...})that will mass update values safely from a dictionary - Fixed processing URL encoded password in connection string