==========================
Django 1.2.4 release notes
==========================

Welcome to Django 1.2.4!

This is the fourth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase.

With one exception, Django 1.2.4 maintains backwards compatibility
with Django 1.2.3. It also contains a number of fixes and other
improvements. Django 1.2.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.

Backwards incompatible changes
==============================

Restricted filters in admin interface
-------------------------------------

The Django administrative interface, ``django.contrib.admin``, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically undocumented and unofficially supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.

To remedy this, ``django.contrib.admin`` will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
allowed by the application developer using the preexisting
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.

One new feature
===============

Ordinarily, a point release would not include new features, but in the
case of Django 1.2.4, we have made an exception to this rule.

One of the bugs fixed in Django 1.2.4 involves a set of
circumstances whereby running a test suite on a multiple database
configuration could cause the original source database (i.e., the
actual production database) to be dropped, causing catastrophic loss
of data. In order to provide a fix for this problem, it was necessary
to introduce a new setting -- :setting:`TEST_DEPENDENCIES` -- that
allows you to define any creation order dependencies in your database
configuration.

Most users -- even users with multiple-database configurations -- need
not be concerned about the data loss bug, or the manual configuration of
:setting:`TEST_DEPENDENCIES`. See the :ticket:`original problem report <14415>`
and the documentation on :ref:`controlling the creation order of test
databases <topics-testing-creation-dependencies>` for details.

GeoDjango
=========

The function-based :setting:`TEST_RUNNER` previously used to execute
the GeoDjango test suite, ``django.contrib.gis.tests.run_gis_tests``,
was finally deprecated in favor of a class-based test runner,
``django.contrib.gis.tests.GeoDjangoTestSuiteRunner``, added in this
release.

In addition, the GeoDjango test suite is now included when
:ref:`running the Django test suite <running-unit-tests>` with ``runtests.py``
and using :ref:`spatial database backends <spatial-backends>`.
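The validation rule described above, as an added standalone illustration rather than Django's own code: a querystring key is accepted only if it names a field on the model being viewed, or if the full relation path it crosses was explicitly allowed by the developer (the stand-in here for ``list_filter``). The ``Document``/``owner`` schema, the ``QUERY_TERMS`` subset and the assumption that every primary key is named ``id`` are constructed for the example.

```python
# Constructed subset of the ORM query terms that may end a lookup path.
QUERY_TERMS = {"exact", "iexact", "contains", "icontains", "in", "gt", "gte",
               "lt", "lte", "startswith", "istartswith", "isnull", "regex",
               "iregex"}

# Constructed sample admin: a Document changelist whose developer only
# wanted filtering by local fields and by the owning user.
DOCUMENT_FIELDS = {"id", "title", "created", "owner"}
DOCUMENT_LIST_FILTER = {"owner"}


def lookup_allowed(lookup, local_fields, allowed_relations):
    """Decide whether a changelist querystring key may reach the ORM.

    local_fields:      field names of the model shown in the changelist.
    allowed_relations: relation paths the developer explicitly enabled.
    """
    parts = lookup.split("__")
    # A trailing query term (__regex, __exact, ...) only says how to compare;
    # drop it so the remaining parts are the field path being touched.
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        parts.pop()
    if not parts or not parts[0]:
        return False
    # Filtering on a field of the model being viewed is always allowed.
    if len(parts) == 1:
        return parts[0] in local_fields
    # Auto-generated filter links emit owner__id__exact=<pk>; treat a trailing
    # pk segment as part of the relation itself (assumes the pk is named "id").
    if parts[-1] == "id" and "__".join(parts[:-1]) in allowed_relations:
        return True
    # Any other path that crosses a relation must be allowed in full. This is
    # what stops owner__password__regex=... from probing a user's password
    # hash when only filtering by owner was ever intended.
    return "__".join(parts) in allowed_relations


def split_changelist_params(params, local_fields, allowed_relations):
    """Partition incoming parameters into the ones the admin will apply and
    the ones it rejects, so a deployment can log the rejected keys."""
    accepted, rejected = {}, {}
    for key, value in params.items():
        target = accepted if lookup_allowed(key, local_fields, allowed_relations) else rejected
        target[key] = value
    return accepted, rejected
```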