December 2, 2019
Welcome to Django 3.0!
These release notes cover the new features, as well assome backwards incompatible changes you’llwant to be aware of when upgrading from Django 2.2 or earlier. We’vedropped some features that have reached the end oftheir deprecation cycle, and we’ve begun the deprecation process forsome features.
See the How to upgrade Django to a newer version guide if you’re updating an existingproject.
Python compatibility¶
Django 3.0 supports Python 3.6, 3.7, 3.8, and 3.9 (as of 3.0.11). We highlyrecommend and only officially support the latest release of each series.
The Django 2.2.x series is the last to support Python 3.5.
Third-party library support for older version of Django¶
Following the release of Django 3.0, we suggest that third-party app authorsdrop support for all versions of Django prior to 2.2. At that time, you shouldbe able to run your package’s tests using python -Wd
so that deprecationwarnings appear. After making the deprecation warning fixes, your app should becompatible with Django 3.0.
What’s new in Django 3.0¶
MariaDB support¶
Django now officially supports MariaDB 10.1 andhigher. See MariaDB notes for more details.
ASGI support¶
Django 3.0 begins our journey to making Django fully async-capable by providingsupport for running as an ASGI application.
This is in addition to our existing WSGI support. Django intends to supportboth for the foreseeable future. Async features will only be available toapplications that run under ASGI, however.
At this stage async support only applies to the outer ASGI application.Internally everything remains synchronous. Asynchronous middleware, views, etc.are not yet supported. You can, however, use ASGI middleware around Django’sapplication, allowing you to combine Django with other ASGI frameworks.
There is no need to switch your applications over unless you want to startexperimenting with asynchronous code, but we havedocumentation on deploying with ASGI ifyou want to learn more.
Note that as a side-effect of this change, Django is now aware of asynchronousevent loops and will block you calling code marked as “async unsafe” - such asORM operations - from an asynchronous context. If you were using Django fromasync code before, this may trigger if you were doing it incorrectly. If yousee a SynchronousOnlyOperation
error, then closely examine your code andmove any database operations to be in a synchronous child thread.
Exclusion constraints on PostgreSQL¶
The new ExclusionConstraint classenable adding exclusion constraints on PostgreSQL. Constraints are added tomodels using theMeta.constraints option.
Filter expressions¶
Expressions that output BooleanField may now beused directly in QuerySet
filters, without having to first annotate andthen filter against the annotation.
Enumerations for model field choices¶
Custom enumeration types TextChoices
, IntegerChoices
, and Choices
are now available as a way to define Field.choices. TextChoices
and IntegerChoices
types are provided for text and integer fields. TheChoices
class allows defining a compatible enumeration for other concretedata types. These custom enumeration types support human-readable labels thatcan be translated and accessed via a property on the enumeration or itsmembers. See Enumeration types for moredetails and examples.
Minor features¶
django.contrib.admin¶
- Added support for the
admin_order_field
attribute on properties inModelAdmin.list_display. - The new ModelAdmin.get_inlines() method allows specifying theinlines based on the request or model instance.
- Select2 library is upgraded from version 4.0.3 to 4.0.7.
- jQuery is upgraded from version 3.3.1 to 3.4.1.
django.contrib.auth¶
- The new
reset_url_token
attribute inPasswordResetConfirmView allowsspecifying a token parameter displayed as a component of password resetURLs. - Added BaseBackend class to easecustomization of authentication backends.
- Added get_user_permissions() methodto mirror the existingget_group_permissions() method.
- Added HTML
autocomplete
attribute to widgets of username, email, andpassword fields in django.contrib.auth.forms for better interactionwith browser password managers. - createsuperuser now falls back to environment variables forpassword and required fields, when a corresponding command line argumentisn’t provided in non-interactive mode.
- REQUIRED_FIELDS now supportsManyToManyFields.
- The new UserManager.with_perm() method returns users that have thespecified permission.
- The default iteration count for the PBKDF2 password hasher is increased from150,000 to 180,000.
django.contrib.gis¶
- Allowed MySQL spatial lookup functions to operate on real geometries.Previous support was limited to bounding boxes.
- Added the GeometryDistancefunction, supported on PostGIS.
- Added support for the
furlong
unit inDistance. - The GEOIP_PATH setting now supports
pathlib.Path
. - The GeoIP2 class now accepts
pathlib.Path
path
.
django.contrib.postgres¶
- The new RangeOperators helps toavoid typos in SQL operators that can be used together withRangeField.
- The new RangeBoundary expressionrepresents the range boundaries.
- The new AddIndexConcurrentlyand RemoveIndexConcurrentlyclasses allow creating and dropping indexes
CONCURRENTLY
on PostgreSQL.
django.contrib.sessions¶
- The newget_session_cookie_age()method allows dynamically specifying the session cookie age.
django.contrib.syndication¶
- Added the
language
class attribute to thedjango.contrib.syndication.views.Feed to customize a feed language.The default value is get_language() insteadof LANGUAGE_CODE.
Cache¶
- add_never_cache_headers() andnever_cache() now add the
private
directive toCache-Control
headers.
File Storage¶
- The new Storage.get_alternative_name() method allows customizing thealgorithm for generating filenames if a file with the uploaded name alreadyexists.
Forms¶
- Formsets may control the widget used when ordering forms viacan_order by setting theordering_widget attribute oroverriding get_ordering_widget().
Internationalization¶
- Added the LANGUAGE_COOKIE_HTTPONLY,LANGUAGE_COOKIE_SAMESITE, and LANGUAGE_COOKIE_SECUREsettings to set the
HttpOnly
,SameSite
, andSecure
flags onlanguage cookies. The default values of these settings preserve the previousbehavior. - Added support and translations for the Uzbek language.
Logging¶
- The new
reporter_class
parameter ofAdminEmailHandler allows providing andjango.views.debug.ExceptionReporter
subclass to customize the tracebacktext sent to site ADMINS when DEBUG isFalse
.
Management Commands¶
- The new compilemessages --ignore option allows ignoring specificdirectories when searching for
.po
files to compile. - showmigrations --list now shows the applied datetimes when
--verbosity
is 2 and above. - On PostgreSQL, dbshell now supports client-side TLS certificates.
- inspectdb now introspects OneToOneFieldwhen a foreign key has a unique or primary key constraint.
- The new --skip-checks option skips running system checks prior torunning the command.
- The startapp --template and startproject --templateoptions now support templates stored in XZ archives (
.tar.xz
,.txz
)and LZMA archives (.tar.lzma
,.tlz
).
Models¶
Added hash database functions MD5,SHA1,SHA224,SHA256,SHA384, andSHA512.
Added the Sign database function.
The new
is_dst
parameter of theTrunc database functions determines thetreatment of nonexistent and ambiguous datetimes.connection.queries
now showsCOPY … TO
statements on PostgreSQL.FilePathField now accepts a callable for
path
.Allowed symmetrical intermediate table for self-referentialManyToManyField.
The
name
attributes of CheckConstraint,UniqueConstraint, andIndex now support app label and classinterpolation using the'%(app_label)s'
and'%(class)s'
placeholders.The new Field.descriptor_class attribute allows model fields tocustomize the get and set behavior by overriding theirdescriptors.
Avg and Sum now supportthe
distinct
argument.Added SmallAutoField which acts much like anAutoField except that it only allows values undera certain (database-dependent) limit. Values from
1
to32767
are safein all databases supported by Django.AutoField,BigAutoField, andSmallAutoField now inherit from
IntegerField
,BigIntegerField
andSmallIntegerField
respectively.System checks and validators are now also properly inherited.FileField.upload_to now supports
pathlib.Path
.CheckConstraint is now supported on MySQL 8.0.16+.
The new
allows_group_by_selected_pks_on_model()
method ofdjango.db.backends.base.BaseDatabaseFeatures
allows optimization ofGROUP BY
clauses to require only the selected models’ primary keys. Bydefault, it’s supported only for managed models on PostgreSQL.To enable the
GROUP BY
primary key-only optimization for unmanagedmodels, you have to subclass the PostgreSQL database engine, overriding thefeatures classallows_group_by_selected_pks_on_model()
method as yourequire. See Subclassing the built-in database backends for an example.
Requests and Responses¶
- Allowed HttpResponse to be initialized with
memoryview
content. - For use in, for example, Django templates, HttpRequest.headers nowallows lookups using underscores (e.g.
user_agent
) in place of hyphens.
Security¶
- X_FRAME_OPTIONS now defaults to
'DENY'
. In older versions, theX_FRAME_OPTIONS setting defaults to'SAMEORIGIN'
. If your siteuses frames of itself, you will need to explicitly setX_FRAME_OPTIONS ='SAMEORIGIN'
for them to continue working. - SECURE_CONTENT_TYPE_NOSNIFF now defaults to
True
. With thisenabled, SecurityMiddleware sets theX-Content-Type-Options: nosniff header on all responses that do not alreadyhave it. - SecurityMiddleware can now send theReferrer-Policy header.
Tests¶
- The new test Client argument
raise_request_exception
allows controlling whether or not exceptionsraised during the request should also be raised in the test. The valuedefaults toTrue
for backwards compatibility. If it isFalse
and anexception occurs, the test client will return a 500 response with theattribute exc_info, a tuple providinginformation of the exception that occurred. - Tests and test cases to run can be selected by test name pattern using thenew test -k option.
- HTML comparison, as used byassertHTMLEqual(), now treats text, characterreferences, and entity references that refer to the same character asequivalent.
- Django test runner now supports headless mode for selenium tests on supportedbrowsers. Add the
--headless
option to enable this mode. - Django test runner now supports
--start-at
and--start-after
optionsto run tests starting from a specific top-level module. - Django test runner now supports a
--pdb
option to spawn a debugger ateach error or failure.
Backwards incompatible changes in 3.0¶
Model.save()
when providing a default for the primary key¶
Model.save() no longer attempts to find a row when saving a newModel
instance and a default value for the primary key is provided, andalways performs a single INSERT
query. In older Django versions,Model.save()
performed either an INSERT
or an UPDATE
based onwhether or not the row exists.
This makes calling Model.save()
while providing a default primary key valueequivalent to passing force_insert=True tomodel’s save()
. Attempts to use a new Model
instance to update anexisting row will result in an IntegrityError
.
In order to update an existing model for a specific primary key value, use theupdate_or_create() method orQuerySet.filter(pk=…).update(…)
instead. For example:
>>> MyModel.objects.update_or_create(pk=existing_pk, defaults={"name": "new name"})>>> MyModel.objects.filter(pk=existing_pk).update(name="new name")
Database backend API¶
This section describes changes that may be needed in third-party databasebackends.
- The second argument of
DatabaseIntrospection.get_geometry_type()
is nowthe row description instead of the column name. DatabaseIntrospection.get_field_type()
may no longer return tuples.- If the database can create foreign keys in the same SQL statement that adds afield, add
SchemaEditor.sql_create_column_inline_fk
with the appropriateSQL; otherwise, setDatabaseFeatures.can_create_inline_fk = False
. DatabaseFeatures.can_return_id_from_insert
andcan_return_ids_from_bulk_insert
are renamed tocan_return_columns_from_insert
andcan_return_rows_from_bulk_insert
.- Database functions now handle
datetime.timezone
formats when createdusingdatetime.timedelta
instances (e.g.timezone(timedelta(hours=5))
, which would output'UTC+05:00'
).Third-party backends should handle this format when preparingDateTimeField indatetime_cast_date_sql()
,datetime_extract_sql()
, etc. - Entries for
AutoField
,BigAutoField
, andSmallAutoField
are addedtoDatabaseOperations.integer_field_ranges
to support the integer rangevalidators on these field types. Third-party backends may need to customizethe default entries. DatabaseOperations.fetch_returned_insert_id()
is replaced byfetch_returned_insert_columns()
which returns a list of values returnedby theINSERT … RETURNING
statement, instead of a single value.DatabaseOperations.return_insert_id()
is replaced byreturn_insert_columns()
that accepts afields
argument, which is an iterable of fields to be returned after insert. Usuallythis is only the auto-generated primary key.
django.contrib.admin¶
- Admin’s model history change messages now prefers more readable field labelsinstead of field names.
django.contrib.gis¶
- Support for PostGIS 2.1 is removed.
- Support for SpatiaLite 4.1 and 4.2 is removed.
- Support for GDAL 1.11 and GEOS 3.4 is removed.
Dropped support for PostgreSQL 9.4¶
Upstream support for PostgreSQL 9.4 ends in December 2019. Django 3.0 supportsPostgreSQL 9.5 and higher.
Dropped support for Oracle 12.1¶
Upstream support for Oracle 12.1 ends in July 2021. Django 2.2 will besupported until April 2022. Django 3.0 officially supports Oracle 12.2 and 18c.
Removed private Python 2 compatibility APIs¶
While Python 2 support was removed in Django 2.0, some private APIs weren’tremoved from Django so that third party apps could continue using them untilthe Python 2 end-of-life.
Since we expect apps to drop Python 2 compatibility when adding support forDjango 3.0, we’re removing these APIs at this time.
django.test.utils.str_prefix()
- Strings don’t have ‘u’ prefixes inPython 3.django.test.utils.patch_logger()
- Useunittest.TestCase.assertLogs()
instead.django.utils.lru_cache.lru_cache()
- Alias offunctools.lru_cache()
.django.utils.decorators.available_attrs()
- This function returnsfunctools.WRAPPER_ASSIGNMENTS
.django.utils.decorators.ContextDecorator
- Alias ofcontextlib.ContextDecorator
.django.utils._os.abspathu()
- Alias ofos.path.abspath()
.django.utils._os.upath()
andnpath()
- These functions do nothing onPython 3.django.utils.six
- Remove usage of this vendored library or switch tosix.django.utils.encoding.python_2_unicode_compatible()
- Alias ofsix.python_2_unicode_compatible()
.django.utils.functional.curry()
- Usefunctools.partial()
orfunctools.partialmethod
. See5b1c389603a353625ae1603ba345147356336afb.django.utils.safestring.SafeBytes
- Unused since Django 2.0.
New default value for the FILE_UPLOAD_PERMISSIONS
setting¶
In older versions, the FILE_UPLOAD_PERMISSIONS setting defaults toNone
. With the default FILE_UPLOAD_HANDLERS, this results inuploaded files having different permissions depending on their size and whichupload handler is used.
FILE_UPLOAD_PERMISSIONS
now defaults to 0o644
to avoid thisinconsistency.
New default values for security settings¶
To make Django projects more secure by default, some security settings now havemore secure default values:
- X_FRAME_OPTIONS now defaults to
'DENY'
. - SECURE_CONTENT_TYPE_NOSNIFF now defaults to
True
.
See the What’s New Security section above formore details on these changes.
Miscellaneous¶
ContentType.__str__()
now includes the model’sapp_label
todisambiguate models with the same name in different apps.- Because accessing the language in the session rather than in the cookie isdeprecated,
LocaleMiddleware
no longer looks for the user’s language inthe session and django.contrib.auth.logout() no longer preserves thesession’s language after logout. - django.utils.html.escape() now uses
html.escape()
to escape HTML.This converts'
to'
instead of the previous equivalent decimalcode'
. - The
django-admin test -k
option now works as theunittest-k
option rather than as a shortcut for--keepdb
. - Support for
pywatchman
< 1.2.0 is removed. - urlencode() now encodes iterable values as they arewhen
doseq=False
, rather than iterating them, bringing it into line withthe standard libraryurllib.parse.urlencode()
function. intword
template filter now translates1.0
as a singular phrase andall other numeric values as plural. This may be incorrect for some languages.- Assigning a value to a model’s ForeignKey orOneToOneField
'_id'
attribute now unsets thecorresponding field. Accessing the field afterward will result in a query. - patch_vary_headers() now handles an asterisk
'*'
according to RFC 7231#section-7.1.4, i.e. if a list of headerfield names contains an asterisk, then theVary
header will consist of asingle asterisk'*'
. - On MySQL 8.0.16+,
PositiveIntegerField
andPositiveSmallIntegerField
now include a check constraint to prevent negative values in the database. alias=None
is added to the signature ofExpression.get_group_by_cols().RegexPattern
, used by re_path(), no longer returnskeyword arguments withNone
values to be passed to the view for theoptional named groups that are missing.
Features deprecated in 3.0¶
django.utils.encoding.force_text()
and smart_text()
¶
The smart_text()
and force_text()
aliases (since Django 2.0) ofsmart_str()
and force_str()
are deprecated. Ignore this deprecation ifyour code supports Python 2 as the behavior of smart_str()
andforce_str()
is different there.
Miscellaneous¶
django.utils.http.urlquote()
,urlquote_plus()
,urlunquote()
, andurlunquote_plus()
are deprecated in favor of the functions that they’realiases for:urllib.parse.quote()
,quote_plus()
,unquote()
, andunquote_plus()
.django.utils.translation.ugettext()
,ugettext_lazy()
,ugettext_noop()
,ungettext()
, andungettext_lazy()
are deprecatedin favor of the functions that they’re aliases for:django.utils.translation.gettext(),gettext_lazy(),gettext_noop(),ngettext(), andngettext_lazy().- To limit creation of sessions and hence favor some caching strategies,django.views.i18n.set_language() will stop setting the user’s languagein the session in Django 4.0. Since Django 2.1, the language is always storedin the LANGUAGE_COOKIE_NAME cookie.
django.utils.text.unescape_entities()
is deprecated in favor ofhtml.unescape()
. Note that unlikeunescape_entities()
,html.unescape()
evaluates lazy strings immediately.- To avoid possible confusion as to effective scope, the private internalutility
is_safe_url()
is renamed tourl_has_allowed_host_and_scheme()
. That a URL has an allowed host andscheme doesn’t in general imply that it’s “safe”. It may still be quotedincorrectly, for example. Ensure to also useiri_to_uri() on the path component of untrustedURLs.
Features removed in 3.0¶
These features have reached the end of their deprecation cycle and are removedin Django 3.0.
See Features deprecated in 2.0 for details on these changes, including howto remove usage of these features.
- The
django.db.backends.postgresql_psycopg2
module is removed. django.shortcuts.render_to_response()
is removed.- The
DEFAULT_CONTENT_TYPE
setting is removed. HttpRequest.xreadlines()
is removed.- Support for the
context
argument ofField.from_db_value()
andExpression.convert_value()
is removed. - The
field_name
keyword argument ofQuerySet.earliest()
andlatest()
is removed.
See Features deprecated in 2.1 for details on these changes, including howto remove usage of these features.
- The
ForceRHR
GIS function is removed. django.utils.http.cookie_date()
is removed.- The
staticfiles
andadmin_static
template tag libraries are removed. django.contrib.staticfiles.templatetags.staticfiles.static()
is removed.