| author | Tom Christie | 2014-01-15 14:43:34 +0000 |
|---|---|---|
| committer | Tom Christie | 2014-01-15 14:43:34 +0000 |
| commit | 39ca11c6626aa08095af2604a8d4b708e493514c (patch) | |
| tree | 0802f9e92456d53b08ef63faf34b47efa70d11b6 /topics | |
| parent | a84706147678c69fc797af0948940ad0a7d7d785 (diff) | |
| download | django-rest-framework-39ca11c6626aa08095af2604a8d4b708e493514c.tar.bz2 | |
Latest docs build
Diffstat (limited to 'topics')
| -rw-r--r-- | topics/release-notes.html | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/topics/release-notes.html b/topics/release-notes.html index e6797a76..91ed440e 100644 --- a/topics/release-notes.html +++ b/topics/release-notes.html @@ -225,6 +225,12 @@ </code></pre> <hr /> <h2 id="23x-series">2.3.x series</h2> +<h3 id="2312">2.3.12</h3> +<p><strong>Date</strong>: 15th January 2014</p> +<ul> +<li><strong>Security fix</strong>: <code>OrderingField</code> now only allows ordering on readable serializer fields, or on fields explicitly specified using <code>ordering_fields</code>. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.</li> +<li>Bugfix: <code>write_only = True</code> fields now display in the browsable API.</li> +</ul> <h3 id="2311">2.3.11</h3> <p><strong>Date</strong>: 14th January 2014</p> <ul> |
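Review bot: In the new 2.3.12 security-fix item, `OrderingField` looks like a typo for `OrderingFilter`, the filter backend that the `ordering_fields` setting belongs to. As written, readers searching for the affected class will not find it. The entry should also say what upgrading requires: since ordering is now limited to readable serializer fields, any view that orders by a field outside the serializer will stop honouring that parameter until the field is listed in `ordering_fields`. A sentence to that effect would help. Because topics/release-notes.html is the built docs output (the commit message is "Latest docs build"), both corrections need to be made in the documentation source and rebuilt, not edited here.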
