------

.. warning::

   This is a security fix release. We recommend everyone update.

Security fixes
^^^^^^^^^^^^^^

- Fixed SQL injection issue in MySQL
- Fixed SQL injection issues in MySQL when using ``contains``, ``starts_with`` or ``ends_with`` filters (and their case-insensitive counterparts)
- Fixed malformed SQL for PostgreSQL and SQLite when using ``contains``, ``starts_with`` or ``ends_with`` filters (and their case-insensitive counterparts)
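
The class of bug behind these fixes, shown as an added example that is not this project's code or its actual patch: a ``contains``-style filter built by string interpolation next to one that binds the value and escapes the ``LIKE`` wildcards. It uses the standard-library ``sqlite3`` module so it runs offline; the ``users`` table, the sample rows and the helper names are assumptions.

```python
import sqlite3

# Constructed sample rows; table and helper names are assumptions for this example.
ROWS = [("alice",), ("bob",), ("100%_real",), ("o'brien",)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", ROWS)
    return db

def contains_unsafe(db, value):
    # Anti-pattern: the filter value becomes part of the SQL text, so a quote
    # in it either breaks the statement or changes what the WHERE clause means.
    sql = f"SELECT name FROM users WHERE name LIKE '%{value}%' ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def like_pattern(value, mode):
    # Escape the escape character first, then the two LIKE wildcards, so the
    # value can only match literally.
    esc = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return {"contains": f"%{esc}%",
            "starts_with": f"{esc}%",
            "ends_with": f"%{esc}"}[mode]

def filter_safe(db, value, mode="contains"):
    # The value travels as a bound parameter and never touches the SQL text.
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in db.execute(sql, (like_pattern(value, mode),))]

if __name__ == "__main__":
    db = make_db()
    for value in ("o'brien", "' OR '1'='1", "%"):
        try:
            unsafe = contains_unsafe(db, value)
        except sqlite3.OperationalError as exc:
            unsafe = f"malformed SQL ({exc})"
        print(repr(value), "| interpolated:", unsafe, "| bound:", filter_safe(db, value))
```

A regression test for filters of this kind should include values containing ``'``, ``%``, ``_`` and ``\`` and assert that each one matches only rows that literally contain it.
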

Other changes
^^^^^^^^^^^^^

- Added support for partial models:

  To create a partial model, one can do a ``.only(<fieldnames-as-strings>)`` as part of the QuerySet.
  This will create model instances that only have those values fetched.

  Persisting changes on the model is allowed only when:

  * All the fields you want to update are specified in ``<model>.save(update_fields=[...])``
  * You included the Model primary key in the ``.only(...)``

  To protect against common mistakes we ensure that errors get raised:

  * If you access a field that is not specified, you will get an ``AttributeError``.
  * If you do a ``<model>.save()`` an ``IncompleteInstanceError`` will be raised as the model is, as requested, incomplete.
  * If you do a ``<model>.save(update_fields=[...])`` and you didn't include the primary key in the ``.only(...)``,
    then ``IncompleteInstanceError`` will be raised indicating that updates can't be done without the primary key being known.
  * If you do a ``<model>.save(update_fields=[...])`` and one of the fields in ``update_fields`` was not in the ``.only(...)``,
    then ``IncompleteInstanceError`` will be raised as that field is not available to be updated.

- Fixed bad SQL generation when doing a ``.values()`` query over a Foreign Key
- Added ``<model>.update_from_dict({...})`` that will mass update values safely from a dictionary
- Fixed processing of URL-encoded passwords in the connection string