* Fix#9250: Prevent token overwrite and improve security
- Fix key collision issue that could overwrite existing tokens
- Use force_insert=True only for new token instances
- Replace os.urandom with secrets.token_hex for better security
- Add comprehensive test suite to verify fix and backward compatibility
- Ensure existing tokens can still be updated without breaking changes
* Fix code style: remove trailing whitespace and unused imports
* Fix#9250: Prevent token overwrite with minimal changes
- Add force_insert=True to Token.save() for new objects to prevent overwriting existing tokens
- Revert generate_key method to original implementation (os.urandom + binascii)
- Update tests to work with original setUp() approach
- Remove verbose comments and unrelated changes per reviewer feedback
* Fix flake8 violations: remove extra blank lines and trailing whitespace
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Fix token key regeneration behavior and add test
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
---------
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Update serializers.md
add a new third-party package in serializers section
* Update third-party-packages.md
add drf-shapeless-serializers to the serializers section.
* Update docs/community/third-party-packages.md
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
---------
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Refactor token generation to use secrets module
* test: Add focused tests for Token.generate_key() method
- Add test for valid token format (40 hex characters)
- Add collision resistance test with 500 sample size
- Add basic randomness quality validation
- Ensure generated keys are unique and properly formatted
* Revert "Removed reference to GitHub Issues and Discussions (#9660)"
This reverts commit ffadde930e.
* Remove issue template
* Update discussions description
* Remove recommendations to open issues from the docs
* Change a few non-breakable spaces to regular ones for better syntax highlighting in the editors
* Fix test with Django 5 when pytz is available
* fix formatting
* remove original condition
Co-authored-by: Ülgen Sarıkavak <ulgens@users.noreply.github.com>
* remove trailing whitespace
* further improvements
* let's not skip the pytz test - it should always be executed when testing against Django 4
* add comment to test requirements
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* simplify the pytz import as it should always be available
* make isort happy
---------
Co-authored-by: Ülgen Sarıkavak <ulgens@users.noreply.github.com>
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
- Fixed get_default_valid_fields() and get_valid_fields() methods in filters.py
- Changed context={} default parameter to context=None to prevent mutable default anti-pattern
- Added proper None checking with context = {} assignment inside methods
Why this fix is important:
- Mutable default arguments (context={}) create shared state across function calls
- Same dict object gets reused, potentially causing unexpected side effects
- This is a well-known Python anti-pattern that can lead to bugs
What was changed:
- Line 249: get_default_valid_fields(self, queryset, view, context=None)
- Line 285: get_valid_fields(self, queryset, view, context=None)
- Added 'if context is None: context = {}' in both methods
Testing results:
- All existing filter tests pass (pytest tests/test_filters.py)
- Custom verification script confirms fix works correctly
- Maintains backward compatibility
- No breaking changes to API
Addresses GitHub issue #9741
* Fix : Updated documentation in tutorial 5 leading to error
* Updated docs/tutorial/5-relationships-and-hyperlinked-apis.md
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Missing newline
---------
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Drop HTML line breaks on long headers
* Remove related test
* Fix flake8
---------
Co-authored-by: Asif Saif Uddin <auvipy@gmail.com>
Co-authored-by: Bruno Alla <alla.brunoo@gmail.com>
* Add failing test for `UniqueConstraint` validation with `source` attribute
* Fix `UniqueTogetherValidator` to handle fields with source attribute
* split inner sources logic out to tuple comprehension
* Start drafting release notes from 3.16 (Generated from GitHub)
* Reformat changes and split into sections
* Format GitHub PRs links for the docs
* Link new contributors in Markdown format
* Write up 3.16 announcement
* Bump version
* Add entry for removed Python 3.8 support
* Update release date to 28/03
* Minor rewording
* Add 3.16 announcement to the navbar and link to docs
* Fix typo of 'related' in tests
* Fix typo of permission_classes in coreapi test
* Fix some minor typos in docs
* Fix typos in tests
* Fix flake8 issue
* Fixed regression that tests using format still work
Error only occurred on tests which return no content and use
a renderer without charset (e.g. JSONRenderer)
* Fixed linting
* Used early return as before
* Move ret str check back to where it was
