Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
CityApper
/
wagtail
zrkadlo https://github.com/wagtail/wagtail
2
0
Fork 0
Súbory Issues 0 Wiki
Strom: 9a5be8f180
Branche Tagy
wagtail
/
docs
/
releases
/
2.9.rst

2.9.rst 7.2 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 
  1. =========================
    2. 

  2. Wagtail 2.9 release notes
    3. 

  3. =========================
    4. 

  4. 

  5. *May 4, 2020*
    6. 

  6. 

  7. .. contents::
    8. 

  8.     :local:
    9. 

  9.     :depth: 1
    10. 

  10. 

  11. 

  12. What's new
    13. 

  13. ==========
    14. 

  14. 

  15. Report data exports
    16. 

  16. ~~~~~~~~~~~~~~~~~~~
    17. 

  17. 

  18. Data from reports, form submissions and ModelAdmin can now be exported to both XLSX and CSV format. For ModelAdmin, this is enabled by specifying a ``list_export`` attribute on the ModelAdmin class. This feature was developed by Jacob Topp-Mugglestone and sponsored by `The Motley Fool <https://www.fool.com/>`_.
    19. 

  19. 

  20. 

  21. CVE-2020-11037: Potential timing attack on password-protected private pages
    22. 

  22. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    23. 

  23. 

  24. This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is `understood to be feasible on a local network, but not on the public internet <https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ>`_.)
    25. 

  25. 

  26. Many thanks to Thibaud Colas for reporting this issue.
    27. 

  27. 

  28. 

  29. Other features
    30. 

  30. ~~~~~~~~~~~~~~
    31. 

  31. 

  32. * Added support for creating custom reports (Jacob Topp-Mugglestone)
    33. 

  33. * Skip page validation when unpublishing a page (Samir Shah)
    34. 

  34. * Added :ref:`MultipleChoiceBlock <streamfield_multiplechoiceblock>` block type for StreamField (James O'Toole)
    35. 

  35. * ChoiceBlock now accepts a ``widget`` keyword argument (James O'Toole)
    36. 

  36. * Reduced contrast of rich text toolbar (Jack Paine)
    37. 

  37. * Support the rel attribute on custom ModelAdmin buttons (Andy Chosak)
    38. 

  38. * Server-side page slug generation now respects ``WAGTAIL_ALLOW_UNICODE_SLUGS`` (Arkadiusz Michał Ryś)
    39. 

  39. * Wagtail admin no longer depends on SiteMiddleware, avoiding incompatibility with Django sites framework and redundant database queries (aritas1, timmysmalls, Matt Westcott)
    40. 

  40. * Tag field autocompletion now handles custom tag models (Matt Westcott)
    41. 

  41. * ``wagtail_serve`` URL route can now be omitted for headless sites (Storm Heg)
    42. 

  42. * Allow free tagging to be disabled on custom tag models (Matt Westcott)
    43. 

  43. * Allow disabling page preview by setting ``preview_modes`` to an empty list (Casper Timmers)
    44. 

  44. * Add Vidyard to oEmbed provider list (Steve Lyall)
    45. 

  45. * Optimise compiling media definitions for complex StreamBlocks (pimarc)
    46. 

  46. * FieldPanel now accepts a 'heading' argument (Jacob Topp-Mugglestone)
    47. 

  47. * Replaced deprecated ``ugettext`` / ``ungettext`` calls with ``gettext`` / ``ngettext`` (Mohamed Feddad)
    48. 

  48. * ListBlocks now call child block ``bulk_to_python`` if defined (Andy Chosak)
    49. 

  49. * Site settings are now identifiable/cacheable by request as well as site (Andy Babic)
    50. 

  50. * Added ``select_related`` attribute to site settings to enable more efficient fetching of foreign key values (Andy Babic)
    51. 

  51. * Add caching of image renditions (Tom Dyson, Tim Kamanin)
    52. 

  52. * Add documentation for reporting security issues and internationalisation (Matt Westcott)
    53. 

  53. * Fields on a custom image model can now be defined as required ``blank=False`` (Matt Westcott)
    54. 

  54. 

  55. 

  56. Bug fixes
    57. 

  57. ~~~~~~~~~
    58. 

  58. 

  59. * Added ARIA alert role to live search forms in the admin (Casper Timmers)
    60. 

  60. * Reordered login form elements to match expected tab order (Kjartan Sverrisson)
    61. 

  61. * Re-added 'Close Explorer' button on mobile viewports (Sævar Öfjörð Magnússon)
    62. 

  62. * Added a more descriptive label to Password reset link for screen reader users (Casper Timmers, Martin Coote)
    63. 

  63. * Improved Wagtail logo contrast by adding a background (Brian Edelman, Simon Evans, Ben Enright)
    64. 

  64. * Prevent duplicate notification messages on page locking (Jacob Topp-Mugglestone)
    65. 

  65. * Rendering of non field errors for InlinePanel items (Storm Heg)
    66. 

  66. * ``{% image ... as var %}`` now clears the context variable when passed None as an image (Maylon Pedroso)
    67. 

  67. * ``refresh_index`` method on Elasticsearch no longer fails (Lars van de Kerkhof)
    68. 

  68. * Document tags no longer fail to update when replacing the document file at the same time (Matt Westcott)
    69. 

  69. * Prevent error from very tall / wide images being resized to 0 pixels (Fidel Ramos)
    70. 

  70. * Remove excess margin when editing snippets (Quadric)
    71. 

  71. * Added ``scope`` attribute to table headers in TableBlock output (Quadric)
    72. 

  72. * Prevent KeyError when accessing a StreamField on a deferred queryset (Paulo Alvarado)
    73. 

  73. * Hide empty 'view live' links (Karran Besen)
    74. 

  74. * Mark up a few strings for translation (Luiz Boaretto)
    75. 

  75. * Invalid focal_point attribute on image edit view (Michał (Quadric) Sieradzki)
    76. 

  76. * No longer expose the ``.delete()`` method on the default Page.objects manager (Nick Smith)
    77. 

  77. * ``exclude_fields_in_copy`` on Page models will now work for for modelcluster parental / many to many relations (LB (Ben Johnston))
    78. 

  78. * Response header (content disposition) now correctly handles filenames with non-ascii characters when using a storage backend (Rich Brennan)
    79. 

  79. * Improved accessibility fixes for ``main``, ``header`` and ``footer`` elements in the admin page layout (Mitchel Cabuloy)
    80. 

  80. * Prevent version number from obscuring long settings menus (Naomi Morduch Toubman)
    81. 

  81. * Admin views using TemplateResponse now respect the user's language setting (Jacob Topp-Mugglestone)
    82. 

  82. * Fixed incorrect language code for Japanese in language setting dropdown (Tomonori Tanabe)
    83. 

  83. 

  84. 

  85. Upgrade considerations
    86. 

  86. ======================
    87. 

  87. 

  88. Removed support for Django 2.1
    89. 

  89. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    90. 

  90. 

  91. Django 2.1 is no longer supported as of this release; please upgrade to Django 2.2 or above before upgrading Wagtail.
    92. 

  92. 

  93. 

  94. ``SiteMiddleware`` and ``request.site`` deprecated
    95. 

  95. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    96. 

  96. 

  97. Wagtail's ``wagtail.core.middleware.SiteMiddleware``, which makes the current site object available as the property ``request.site``, is now deprecated as it clashes with Django's sites framework and makes unnecessary database queries on non-Wagtail views. References to ``request.site`` in your code should be removed; the recommended way of retrieving the current site is ``Site.find_for_request(request)`` in Python code, and the ``{% wagtail_site %}`` tag within Django templates.
    98. 

  98. 

  99. For example:
    100. 

  100. 

  101. .. code-block:: python
    102. 

  102. 

  103.     # old version
    104. 

  104. 

  105.     def get_menu_items(request):
    106. 

  106.         return request.site.root_page.get_children().live()
    107. 

  107. 

  108.     # new version
    109. 

  109. 

  110.     from wagtail.core.models import Site
    111. 

  111. 

  112.     def get_menu_items(request):
    113. 

  113.         return Site.find_for_request(request).root_page.get_children().live()
    114. 

  114. 

  115. .. code-block:: html+django
    116. 

  116. 

  117.     {# old version #}
    118. 

  118. 

  119.     <h1>Welcome to the {{ request.site.site_name }} website!</h1>
    120. 

  120. 

  121. 

  122.     {# new version #}
    123. 

  123.     {% load wagtailcore_tags %}
    124. 

  124.     {% wagtail_site as current_site %}
    125. 

  125. 

  126.     <h1>Welcome to the {{ current_site.site_name }} website!</h1>
    127. 

  127. 

  128. 

  129. Once these are removed, ``'wagtail.core.middleware.SiteMiddleware'`` can be removed from your project's ``MIDDLEWARE`` setting.
    130. 

  130. 

  131. Page / Collection managers no longer expose a ``delete`` method
    132. 

  132. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    133. 

  133. 

  134. For :ref:`consistency with standard Django models <django:ref/models/instances:deleting objects>`, the ``delete()`` method is no longer available on the default Page and Collection managers. Code such as ``Page.objects.delete()`` should be changed to ``Page.objects.all().delete()``.
    135.