Control: tags 775375 + patch
Control: tags 775375 + pending

Dear maintainer,

I've prepared an NMU for python-django (versioned as 1.7.1-1.1) and
I'll do some more testing of it before uploading it, likely to Delayed-2
or possibly 4.

Regards.
diff -Nru python-django-1.7.1/debian/changelog python-django-1.7.1/debian/changelog
--- python-django-1.7.1/debian/changelog	2014-10-27 15:57:12.000000000 +0000
+++ python-django-1.7.1/debian/changelog	2015-01-16 23:22:26.000000000 +0000
@@ -1,3 +1,18 @@
+python-django (1.7.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-0219 - WSGI header spoofing via underscore/dash
+    conflation
+  * Fix CVE-2015-0220 - Mitigated possible XSS attack via
+    user-supplied redirect URLs.
+  * Fix CVE-2015-0221 - Denial-of-service attack against
+    django.views.static.serve
+  * Fix CVE-2015-0222 - Database denial-of-service with 
+    ModelMultipleChoiceField
+    (Closes: #775375)
+
+ -- Neil Williams <codeh...@debian.org>  Fri, 16 Jan 2015 23:05:55 +0000
+
 python-django (1.7.1-1) unstable; urgency=medium
 
   [ Raphaƫl Hertzog ]
diff -Nru python-django-1.7.1/debian/patches/header-underscore.diff python-django-1.7.1/debian/patches/header-underscore.diff
--- python-django-1.7.1/debian/patches/header-underscore.diff	1970-01-01 01:00:00.000000000 +0100
+++ python-django-1.7.1/debian/patches/header-underscore.diff	2015-01-16 23:10:56.000000000 +0000
@@ -0,0 +1,128 @@
+Description: WSGI header spoofing via underscore/dash conflation
+ This issue has been assigned the CVE identifier CVE-2015-0219.
+ [PATCH] [1.7.x] Stripped headers containing underscores to prevent
+ spoofing in WSGI environ.
+ .
+ Thanks to Jedediah Smith for the report.
+ .
+---
+
+Author: Neil Williams <codeh...@debian.org>
+Bug-Debian: https://bugs.debian.org/775375
+Origin: upstream, https://github.com/django/django/commit/41b4bc73ee0da7b2e09f4af47fc1fd21144c710f.patch
+
+--- python-django-1.7.1.orig/django/core/servers/basehttp.py
++++ python-django-1.7.1/django/core/servers/basehttp.py
+@@ -155,6 +155,17 @@ class WSGIRequestHandler(simple_server.W
+ 
+         sys.stderr.write(msg)
+ 
++    def get_environ(self):
++        # Strip all headers with underscores in the name before constructing
++        # the WSGI environ. This prevents header-spoofing based on ambiguity
++        # between underscores and dashes both normalized to underscores in WSGI
++        # env vars. Nginx and Apache 2.4+ both do this as well.
++        for k, v in self.headers.items():
++            if '_' in k:
++                del self.headers[k]
++
++        return super(WSGIRequestHandler, self).get_environ()
++
+ 
+ def run(addr, port, wsgi_handler, ipv6=False, threading=False):
+     server_address = (addr, port)
+--- python-django-1.7.1.orig/docs/howto/auth-remote-user.txt
++++ python-django-1.7.1/docs/howto/auth-remote-user.txt
+@@ -64,6 +64,22 @@ If your authentication mechanism uses a
+     class CustomHeaderMiddleware(RemoteUserMiddleware):
+         header = 'HTTP_AUTHUSER'
+ 
++.. warning::
++
++    Be very careful if using a ``RemoteUserMiddleware`` subclass with a custom
++    HTTP header. You must be sure that your front-end web server always sets or
++    strips that header based on the appropriate authentication checks, never
++    permitting an end-user to submit a fake (or "spoofed") header value. Since
++    the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example) both
++    normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you must
++    also check that your web server doesn't allow a spoofed header using
++    underscores in place of dashes.
++
++    This warning doesn't apply to ``RemoteUserMiddleware`` in its default
++    configuration with ``header = 'REMOTE_USER'``, since a key that doesn't
++    start with ``HTTP_`` in ``request.META`` can only be set by your WSGI
++    server, not directly from an HTTP request header.
++
+ If you need more control, you can create your own authentication backend
+ that inherits from :class:`~django.contrib.auth.backends.RemoteUserBackend` and
+ override one or more of its attributes and methods.
+--- /dev/null
++++ python-django-1.7.1/tests/servers/test_basehttp.py
+@@ -0,0 +1,67 @@
++import sys
++
++from django.core.servers.basehttp import WSGIRequestHandler
++from django.test import TestCase
++from django.utils.six import BytesIO, StringIO
++
++
++class Stub(object):
++    def __init__(self, **kwargs):
++        self.__dict__.update(kwargs)
++
++
++class WSGIRequestHandlerTestCase(TestCase):
++
++    def test_strips_underscore_headers(self):
++        """WSGIRequestHandler ignores headers containing underscores.
++
++        This follows the lead of nginx and Apache 2.4, and is to avoid
++        ambiguity between dashes and underscores in mapping to WSGI environ,
++        which can have security implications.
++        """
++        def test_app(environ, start_response):
++            """A WSGI app that just reflects its HTTP environ."""
++            start_response('200 OK', [])
++            http_environ_items = sorted(
++                '%s:%s' % (k, v) for k, v in environ.items()
++                if k.startswith('HTTP_')
++            )
++            yield (','.join(http_environ_items)).encode('utf-8')
++
++        rfile = BytesIO()
++        rfile.write(b"GET / HTTP/1.0\r\n")
++        rfile.write(b"Some-Header: good\r\n")
++        rfile.write(b"Some_Header: bad\r\n")
++        rfile.write(b"Other_Header: bad\r\n")
++        rfile.seek(0)
++
++        # WSGIRequestHandler closes the output file; we need to make this a
++        # no-op so we can still read its contents.
++        class UnclosableBytesIO(BytesIO):
++            def close(self):
++                pass
++
++        wfile = UnclosableBytesIO()
++
++        def makefile(mode, *a, **kw):
++            if mode == 'rb':
++                return rfile
++            elif mode == 'wb':
++                return wfile
++
++        request = Stub(makefile=makefile)
++        server = Stub(base_environ={}, get_app=lambda: test_app)
++
++        # We don't need to check stderr, but we don't want it in test output
++        old_stderr = sys.stderr
++        sys.stderr = StringIO()
++        try:
++            # instantiating a handler runs the request as side effect
++            WSGIRequestHandler(request, '192.168.0.2', server)
++        finally:
++            sys.stderr = old_stderr
++
++        wfile.seek(0)
++        body = list(wfile.readlines())[-1]
++
++        self.assertEqual(body, b'HTTP_SOME_HEADER:good')
diff -Nru python-django-1.7.1/debian/patches/leading-whitespace-is_safe_url.diff python-django-1.7.1/debian/patches/leading-whitespace-is_safe_url.diff
--- python-django-1.7.1/debian/patches/leading-whitespace-is_safe_url.diff	1970-01-01 01:00:00.000000000 +0100
+++ python-django-1.7.1/debian/patches/leading-whitespace-is_safe_url.diff	2015-01-16 23:10:07.000000000 +0000
@@ -0,0 +1,31 @@
+Description: Fixed is_safe_url() to handle leading whitespace.
+ This issue has been assigned the CVE identifier CVE-2015-0220.
+
+Author: Neil Williams <codeh...@debian.org>
+Bug-Debian: https://bugs.debian.org/775375
+Origin: upstream, https://github.com/django/django/commit/de67dedc771ad2edec15c1d00c083a1a084e1e89.patch 
+
+---
+
+--- python-django-1.7.1.orig/django/utils/http.py
++++ python-django-1.7.1/django/utils/http.py
+@@ -272,6 +272,7 @@ def is_safe_url(url, host=None):
+     """
+     if not url:
+         return False
++    url = url.strip()
+     # Chrome treats \ completely as /
+     url = url.replace('\\', '/')
+     # Chrome considers any URL with more than two slashes to be absolute, but
+--- python-django-1.7.1.orig/tests/utils_tests/test_http.py
++++ python-django-1.7.1/tests/utils_tests/test_http.py
+@@ -107,7 +107,8 @@ class TestUtilsHttp(unittest.TestCase):
+                         'http:/\//example.com',
+                         'http:\/example.com',
+                         'http:/\example.com',
+-                        'javascript:alert("XSS")'):
++                        'javascript:alert("XSS")',
++                        '\njavascript:alert(x)'):
+             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
+         for good_url in ('/view/?param=http://example.com',
+                      '/view/?param=https://example.com',
diff -Nru python-django-1.7.1/debian/patches/longline.diff python-django-1.7.1/debian/patches/longline.diff
--- python-django-1.7.1/debian/patches/longline.diff	1970-01-01 01:00:00.000000000 +0100
+++ python-django-1.7.1/debian/patches/longline.diff	2015-01-16 23:18:01.000000000 +0000
@@ -0,0 +1,62 @@
+Description: large memory on large files fix.
+ Prevented views.static.serve() from using large
+ memory on large files.
+ This issue has been assigned the CVE identifier CVE-2015-0221.
+
+Author: Neil Williams <codeh...@debian.org>
+Bug-Debian: https://bugs.debian.org/775375
+Origin: upstream, https://github.com/django/django/commit/818e59a3f0fbadf6c447754d202d88df025f8f2a.patch
+
+---
+
+--- python-django-1.7.1.orig/django/views/static.py
++++ python-django-1.7.1/django/views/static.py
+@@ -17,6 +17,8 @@ from django.utils.http import http_date,
+ from django.utils.six.moves.urllib.parse import unquote
+ from django.utils.translation import ugettext as _, ugettext_lazy
+ 
++STREAM_CHUNK_SIZE = 4096
++
+ 
+ def serve(request, path, document_root=None, show_indexes=False):
+     """
+@@ -61,7 +63,8 @@ def serve(request, path, document_root=N
+         return HttpResponseNotModified()
+     content_type, encoding = mimetypes.guess_type(fullpath)
+     content_type = content_type or 'application/octet-stream'
+-    response = StreamingHttpResponse(open(fullpath, 'rb'),
++    f = open(fullpath, 'rb')
++    response = StreamingHttpResponse(iter(lambda: f.read(STREAM_CHUNK_SIZE), b''),
+                                      content_type=content_type)
+     response["Last-Modified"] = http_date(statobj.st_mtime)
+     if stat.S_ISREG(statobj.st_mode):
+--- /dev/null
++++ python-django-1.7.1/tests/view_tests/media/long-line.txt
+@@ -0,0 +1 @@
++lorem ipsum dolor sit amet consectetur adipisicing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua hic tempora est veritatis culpa fugiat doloribus fugit in sed harum veniam porro eveniet maxime labore assumenda non illum possimus aut vero laudantium cum magni numquam dolorem explicabo quidem quasi nesciunt ipsum deleniti facilis neque similique nisi ad magnam accusamus quae provident dolor ab atque modi laboriosam fuga suscipit ea beatae ipsam consequatur saepe dolore nulla error quo iusto expedita nemo commodi aspernatur aliquam enim reiciendis rerum necessitatibus recusandae sint amet placeat temporibus autem iste deserunt esse dolores reprehenderit doloremque pariatur velit maiores repellat dignissimos asperiores aperiam alias a corporis id praesentium voluptatibus soluta voluptatem sit molestiae quas odio facere nostrum laborum incidunt eaque nihil ullam rem mollitia at cumque iure tenetur tempore totam repudiandae quisquam quod architecto officia vitae consectetur cupiditate molestias delectus voluptates earum et impedit quibusdam odit sequi perferendis eius perspiciatis eos quam quaerat officiis sunt ratione consequuntur quia quis obcaecati repellendus exercitationem vel minima libero blanditiis eligendi minus dicta voluptas excepturi nam eum inventore voluptatum ducimus sapiente dolorum itaque ipsa qui omnis debitis voluptate quos aliquid accusantium ex illo corrupti ut adipisci natus animi distinctio optio nobis unde similique excepturi vero culpa molestias fugit dolorum non amet iure inventore nihil suscipit explicabo veritatis officiis distinctio nesciunt saepe incidunt reprehenderit porro vitae cumque alias ut deleniti expedita ratione odio magnam eligendi a nostrum laborum minus esse sit libero quaerat qui id illo voluptates soluta neque odit dolore consectetur ducimus nulla est nisi impedit quia sapiente ullam temporibus ipsam repudiandae delectus fugiat blanditiis maxime voluptatibus aspernatur ea ipsum quisquam sunt eius ipsa accusantium enim corporis earum sed sequi dicta accusamus dignissimos illum pariatur quos aut reiciendis obcaecati perspiciatis consequuntur nam modi praesentium cum repellat possimus iste atque quidem architecto recusandae harum eaque sint quae optio voluptate quod quasi beatae magni necessitatibus facilis aperiam repellendus nemo aliquam et quibusdam debitis itaque cupiditate laboriosam unde tempora commodi laudantium in placeat ad vel maiores aliquid hic tempore provident quas officia adipisci rem corrupti iusto natus eum rerum at ex quam eveniet totam dolor assumenda error eos doloribus labore fuga facere deserunt ab dolores consequatur veniam animi exercitationem asperiores mollitia minima numquam voluptatem voluptatum nobis molestiae voluptas omnis velit quis quo tenetur perferendis autem dolorem doloremque sequi vitae laudantium magnam quae adipisci expedita doloribus minus perferendis vero animi at quos iure facere nihil veritatis consectetur similique porro tenetur nobis fugiat quo ducimus qui soluta maxime placeat error sunt ullam quaerat provident eos minima ab harum ratione inventore unde sint dolorum deserunt veniam laborum quasi suscipit facilis eveniet voluptatibus est ipsum sapiente omnis vel repellat perspiciatis illo voluptate aliquid magni alias modi odit ea a voluptatem reiciendis recusandae mollitia eius distinctio amet atque voluptates obcaecati deleniti eligendi commodi debitis dolore laboriosam nam illum pariatur earum exercitationem velit in quas explicabo fugit asperiores itaque quam sit dolorem beatae quod cumque necessitatibus tempora dolores hic aperiam ex tempore ut neque maiores ad dicta voluptatum eum officia assumenda reprehenderit nisi cum molestiae et iusto quidem consequuntur repellendus saepe corrupti numquam culpa rerum incidunt dolor impedit iste sed non praesentium ipsam consequatur eaque possimus quia quibusdam excepturi aspernatur voluptas quisquam autem molestias aliquam corporis delectus nostrum labore nesciunt blanditiis quis enim accusamus nulla architecto fuga natus ipsa repudiandae cupiditate temporibus aut libero optio id officiis esse dignissimos odio totam doloremque accusantium nemo rem repudiandae aliquam accusamus autem minima reiciendis debitis quis ut ducimus quas dolore ratione neque velit repellat natus est error ea nam consequuntur rerum excepturi aspernatur quaerat cumque voluptatibus rem quasi eos unde architecto animi sunt veritatis delectus nulla at iusto repellendus dolorum obcaecati commodi earum assumenda quisquam cum officiis modi ab tempora harum vitae voluptatem explicabo alias maxime nostrum iure consectetur incidunt laudantium distinctio deleniti iste facere fugit libero illo nobis expedita perferendis labore similique beatae sint dicta dignissimos sapiente dolor soluta perspiciatis aut ad illum facilis totam necessitatibus eveniet temporibus reprehenderit quidem fugiat magni dolorem doloribus quibusdam eligendi fuga quae recusandae eum amet dolores asperiores voluptas inventore officia sit vel id vero nihil optio nisi magnam deserunt odit corrupti adipisci aliquid odio enim pariatur cupiditate suscipit voluptatum corporis porro mollitia eaque quia non quod consequatur ipsa nesciunt itaque exercitationem molestias molestiae atque in numquam quo ipsam nemo ex tempore ipsum saepe esse sed veniam a voluptates placeat accusantium quos laboriosam voluptate provident hic sequi quam doloremque eius impedit omnis possimus laborum tenetur praesentium et minus ullam blanditiis culpa qui aperiam maiores quidem numquam nulla
+--- python-django-1.7.1.orig/tests/view_tests/tests/test_static.py
++++ python-django-1.7.1/tests/view_tests/tests/test_static.py
+@@ -8,7 +8,7 @@ from django.conf.urls.static import stat
+ from django.http import HttpResponseNotModified
+ from django.test import SimpleTestCase, override_settings
+ from django.utils.http import http_date
+-from django.views.static import was_modified_since
++from django.views.static import was_modified_since, STREAM_CHUNK_SIZE
+ 
+ from .. import urls
+ from ..urls import media_dir
+@@ -33,6 +33,14 @@ class StaticTests(SimpleTestCase):
+             self.assertEqual(len(response_content), int(response['Content-Length']))
+             self.assertEqual(mimetypes.guess_type(file_path)[1], response.get('Content-Encoding', None))
+ 
++    def test_chunked(self):
++        "The static view should stream files in chunks to avoid large memory usage"
++        response = self.client.get('/%s/%s' % (self.prefix, 'long-line.txt'))
++        first_chunk = next(response.streaming_content)
++        self.assertEqual(len(first_chunk), STREAM_CHUNK_SIZE)
++        second_chunk = next(response.streaming_content)
++        self.assertEqual(len(second_chunk), 1451)
++
+     def test_unknown_mime_type(self):
+         response = self.client.get('/%s/file.unknown' % self.prefix)
+         self.assertEqual('application/octet-stream', response['Content-Type'])
diff -Nru python-django-1.7.1/debian/patches/model-multiple-choice.diff python-django-1.7.1/debian/patches/model-multiple-choice.diff
--- python-django-1.7.1/debian/patches/model-multiple-choice.diff	1970-01-01 01:00:00.000000000 +0100
+++ python-django-1.7.1/debian/patches/model-multiple-choice.diff	2015-01-16 23:20:16.000000000 +0000
@@ -0,0 +1,1376 @@
+Description: Fix DoS possibility in ModelMultipleChoiceField.
+ This issue has been assigned the CVE identifier CVE-2015-0222.
+
+Author: Neil Williams <codeh...@debian.org>
+Bug-Debian: https://bugs.debian.org/775375
+Origin: upstream, https://github.com/django/django/commit/bcfb47780ce7caecb409a9e9c1c314266e41d392.patch
+---
+
+--- python-django-1.7.1.orig/django/forms/models.py
++++ python-django-1.7.1/django/forms/models.py
+@@ -1212,8 +1212,7 @@ class ModelMultipleChoiceField(ModelChoi
+     def to_python(self, value):
+         if not value:
+             return []
+-        to_py = super(ModelMultipleChoiceField, self).to_python
+-        return [to_py(val) for val in value]
++        return list(self._check_values(value))
+ 
+     def clean(self, value):
+         if self.required and not value:
+@@ -1222,7 +1221,29 @@ class ModelMultipleChoiceField(ModelChoi
+             return self.queryset.none()
+         if not isinstance(value, (list, tuple)):
+             raise ValidationError(self.error_messages['list'], code='list')
++        qs = self._check_values(value)
++        # Since this overrides the inherited ModelChoiceField.clean
++        # we run custom validators here
++        self.run_validators(value)
++        return qs
++
++    def _check_values(self, value):
++        """
++        Given a list of possible PK values, returns a QuerySet of the
++        corresponding objects. Raises a ValidationError if a given value is
++        invalid (not a valid PK, not in the queryset, etc.)
++        """
+         key = self.to_field_name or 'pk'
++        # deduplicate given values to avoid creating many querysets or
++        # requiring the database backend deduplicate efficiently.
++        try:
++            value = frozenset(value)
++        except TypeError:
++            # list of lists isn't hashable, for example
++            raise ValidationError(
++                self.error_messages['list'],
++                code='list',
++            )
+         for pk in value:
+             try:
+                 self.queryset.filter(**{key: pk})
+@@ -1241,9 +1262,6 @@ class ModelMultipleChoiceField(ModelChoi
+                     code='invalid_choice',
+                     params={'value': val},
+                 )
+-        # Since this overrides the inherited ModelChoiceField.clean
+-        # we run custom validators here
+-        self.run_validators(value)
+         return qs
+ 
+     def prepare_value(self, value):
+--- /dev/null
++++ python-django-1.7.1/django/forms/models.py.orig
+@@ -0,0 +1,1273 @@
++"""
++Helper functions for creating Form classes from Django models
++and database field objects.
++"""
++
++from __future__ import unicode_literals
++
++from collections import OrderedDict
++import warnings
++
++from django.core.exceptions import (
++    ValidationError, NON_FIELD_ERRORS, FieldError)
++from django.forms.fields import Field, ChoiceField
++from django.forms.forms import DeclarativeFieldsMetaclass, BaseForm
++from django.forms.formsets import BaseFormSet, formset_factory
++from django.forms.utils import ErrorList
++from django.forms.widgets import (SelectMultiple, HiddenInput,
++    MultipleHiddenInput, CheckboxSelectMultiple)
++from django.utils import six
++from django.utils.deprecation import RemovedInDjango18Warning
++from django.utils.encoding import smart_text, force_text
++from django.utils.text import get_text_list, capfirst
++from django.utils.translation import ugettext_lazy as _, ugettext, string_concat
++
++
++__all__ = (
++    'ModelForm', 'BaseModelForm', 'model_to_dict', 'fields_for_model',
++    'save_instance', 'ModelChoiceField', 'ModelMultipleChoiceField',
++    'ALL_FIELDS', 'BaseModelFormSet', 'modelformset_factory',
++    'BaseInlineFormSet', 'inlineformset_factory',
++)
++
++ALL_FIELDS = '__all__'
++
++
++def construct_instance(form, instance, fields=None, exclude=None):
++    """
++    Constructs and returns a model instance from the bound ``form``'s
++    ``cleaned_data``, but does not save the returned instance to the
++    database.
++    """
++    from django.db import models
++    opts = instance._meta
++
++    cleaned_data = form.cleaned_data
++    file_field_list = []
++    for f in opts.fields:
++        if not f.editable or isinstance(f, models.AutoField) \
++                or f.name not in cleaned_data:
++            continue
++        if fields is not None and f.name not in fields:
++            continue
++        if exclude and f.name in exclude:
++            continue
++        # Defer saving file-type fields until after the other fields, so a
++        # callable upload_to can use the values from other fields.
++        if isinstance(f, models.FileField):
++            file_field_list.append(f)
++        else:
++            f.save_form_data(instance, cleaned_data[f.name])
++
++    for f in file_field_list:
++        f.save_form_data(instance, cleaned_data[f.name])
++
++    return instance
++
++
++def save_instance(form, instance, fields=None, fail_message='saved',
++                  commit=True, exclude=None, construct=True):
++    """
++    Saves bound Form ``form``'s cleaned_data into model instance ``instance``.
++
++    If commit=True, then the changes to ``instance`` will be saved to the
++    database. Returns ``instance``.
++
++    If construct=False, assume ``instance`` has already been constructed and
++    just needs to be saved.
++    """
++    if construct:
++        instance = construct_instance(form, instance, fields, exclude)
++    opts = instance._meta
++    if form.errors:
++        raise ValueError("The %s could not be %s because the data didn't"
++                         " validate." % (opts.object_name, fail_message))
++
++    # Wrap up the saving of m2m data as a function.
++    def save_m2m():
++        cleaned_data = form.cleaned_data
++        # Note that for historical reasons we want to include also
++        # virtual_fields here. (GenericRelation was previously a fake
++        # m2m field).
++        for f in opts.many_to_many + opts.virtual_fields:
++            if not hasattr(f, 'save_form_data'):
++                continue
++            if fields and f.name not in fields:
++                continue
++            if exclude and f.name in exclude:
++                continue
++            if f.name in cleaned_data:
++                f.save_form_data(instance, cleaned_data[f.name])
++    if commit:
++        # If we are committing, save the instance and the m2m data immediately.
++        instance.save()
++        save_m2m()
++    else:
++        # We're not committing. Add a method to the form to allow deferred
++        # saving of m2m data.
++        form.save_m2m = save_m2m
++    return instance
++
++
++# ModelForms #################################################################
++
++def model_to_dict(instance, fields=None, exclude=None):
++    """
++    Returns a dict containing the data in ``instance`` suitable for passing as
++    a Form's ``initial`` keyword argument.
++
++    ``fields`` is an optional list of field names. If provided, only the named
++    fields will be included in the returned dict.
++
++    ``exclude`` is an optional list of field names. If provided, the named
++    fields will be excluded from the returned dict, even if they are listed in
++    the ``fields`` argument.
++    """
++    # avoid a circular import
++    from django.db.models.fields.related import ManyToManyField
++    opts = instance._meta
++    data = {}
++    for f in opts.concrete_fields + opts.virtual_fields + opts.many_to_many:
++        if not getattr(f, 'editable', False):
++            continue
++        if fields and f.name not in fields:
++            continue
++        if exclude and f.name in exclude:
++            continue
++        if isinstance(f, ManyToManyField):
++            # If the object doesn't have a primary key yet, just use an empty
++            # list for its m2m fields. Calling f.value_from_object will raise
++            # an exception.
++            if instance.pk is None:
++                data[f.name] = []
++            else:
++                # MultipleChoiceWidget needs a list of pks, not object instances.
++                qs = f.value_from_object(instance)
++                if qs._result_cache is not None:
++                    data[f.name] = [item.pk for item in qs]
++                else:
++                    data[f.name] = list(qs.values_list('pk', flat=True))
++        else:
++            data[f.name] = f.value_from_object(instance)
++    return data
++
++
++def fields_for_model(model, fields=None, exclude=None, widgets=None,
++                     formfield_callback=None, localized_fields=None,
++                     labels=None, help_texts=None, error_messages=None):
++    """
++    Returns a ``OrderedDict`` containing form fields for the given model.
++
++    ``fields`` is an optional list of field names. If provided, only the named
++    fields will be included in the returned fields.
++
++    ``exclude`` is an optional list of field names. If provided, the named
++    fields will be excluded from the returned fields, even if they are listed
++    in the ``fields`` argument.
++
++    ``widgets`` is a dictionary of model field names mapped to a widget.
++
++    ``localized_fields`` is a list of names of fields which should be localized.
++
++    ``labels`` is a dictionary of model field names mapped to a label.
++
++    ``help_texts`` is a dictionary of model field names mapped to a help text.
++
++    ``error_messages`` is a dictionary of model field names mapped to a
++    dictionary of error messages.
++
++    ``formfield_callback`` is a callable that takes a model field and returns
++    a form field.
++    """
++    field_list = []
++    ignored = []
++    opts = model._meta
++    # Avoid circular import
++    from django.db.models.fields import Field as ModelField
++    sortable_virtual_fields = [f for f in opts.virtual_fields
++                               if isinstance(f, ModelField)]
++    for f in sorted(opts.concrete_fields + sortable_virtual_fields + opts.many_to_many):
++        if not getattr(f, 'editable', False):
++            continue
++        if fields is not None and f.name not in fields:
++            continue
++        if exclude and f.name in exclude:
++            continue
++
++        kwargs = {}
++        if widgets and f.name in widgets:
++            kwargs['widget'] = widgets[f.name]
++        if localized_fields == ALL_FIELDS or (localized_fields and f.name in localized_fields):
++            kwargs['localize'] = True
++        if labels and f.name in labels:
++            kwargs['label'] = labels[f.name]
++        if help_texts and f.name in help_texts:
++            kwargs['help_text'] = help_texts[f.name]
++        if error_messages and f.name in error_messages:
++            kwargs['error_messages'] = error_messages[f.name]
++
++        if formfield_callback is None:
++            formfield = f.formfield(**kwargs)
++        elif not callable(formfield_callback):
++            raise TypeError('formfield_callback must be a function or callable')
++        else:
++            formfield = formfield_callback(f, **kwargs)
++
++        if formfield:
++            field_list.append((f.name, formfield))
++        else:
++            ignored.append(f.name)
++    field_dict = OrderedDict(field_list)
++    if fields:
++        field_dict = OrderedDict(
++            [(f, field_dict.get(f)) for f in fields
++                if ((not exclude) or (exclude and f not in exclude)) and (f not in ignored)]
++        )
++    return field_dict
++
++
++class ModelFormOptions(object):
++    def __init__(self, options=None):
++        self.model = getattr(options, 'model', None)
++        self.fields = getattr(options, 'fields', None)
++        self.exclude = getattr(options, 'exclude', None)
++        self.widgets = getattr(options, 'widgets', None)
++        self.localized_fields = getattr(options, 'localized_fields', None)
++        self.labels = getattr(options, 'labels', None)
++        self.help_texts = getattr(options, 'help_texts', None)
++        self.error_messages = getattr(options, 'error_messages', None)
++
++
++class ModelFormMetaclass(DeclarativeFieldsMetaclass):
++    def __new__(mcs, name, bases, attrs):
++        formfield_callback = attrs.pop('formfield_callback', None)
++
++        new_class = super(ModelFormMetaclass, mcs).__new__(mcs, name, bases, attrs)
++
++        if bases == (BaseModelForm,):
++            return new_class
++
++        opts = new_class._meta = ModelFormOptions(getattr(new_class, 'Meta', None))
++
++        # We check if a string was passed to `fields` or `exclude`,
++        # which is likely to be a mistake where the user typed ('foo') instead
++        # of ('foo',)
++        for opt in ['fields', 'exclude', 'localized_fields']:
++            value = getattr(opts, opt)
++            if isinstance(value, six.string_types) and value != ALL_FIELDS:
++                msg = ("%(model)s.Meta.%(opt)s cannot be a string. "
++                       "Did you mean to type: ('%(value)s',)?" % {
++                           'model': new_class.__name__,
++                           'opt': opt,
++                           'value': value,
++                       })
++                raise TypeError(msg)
++
++        if opts.model:
++            # If a model is defined, extract form fields from it.
++            if opts.fields is None and opts.exclude is None:
++                # This should be some kind of assertion error once deprecation
++                # cycle is complete.
++                warnings.warn("Creating a ModelForm without either the 'fields' attribute "
++                              "or the 'exclude' attribute is deprecated - form %s "
++                              "needs updating" % name,
++                              RemovedInDjango18Warning, stacklevel=2)
++
++            if opts.fields == ALL_FIELDS:
++                # Sentinel for fields_for_model to indicate "get the list of
++                # fields from the model"
++                opts.fields = None
++
++            fields = fields_for_model(opts.model, opts.fields, opts.exclude,
++                                      opts.widgets, formfield_callback,
++                                      opts.localized_fields, opts.labels,
++                                      opts.help_texts, opts.error_messages)
++
++            # make sure opts.fields doesn't specify an invalid field
++            none_model_fields = [k for k, v in six.iteritems(fields) if not v]
++            missing_fields = (set(none_model_fields) -
++                              set(new_class.declared_fields.keys()))
++            if missing_fields:
++                message = 'Unknown field(s) (%s) specified for %s'
++                message = message % (', '.join(missing_fields),
++                                     opts.model.__name__)
++                raise FieldError(message)
++            # Override default model fields with any custom declared ones
++            # (plus, include all the other declared fields).
++            fields.update(new_class.declared_fields)
++        else:
++            fields = new_class.declared_fields
++
++        new_class.base_fields = fields
++
++        return new_class
++
++
++class BaseModelForm(BaseForm):
++    def __init__(self, data=None, files=None, auto_id='id_%s', prefix=None,
++                 initial=None, error_class=ErrorList, label_suffix=None,
++                 empty_permitted=False, instance=None):
++        opts = self._meta
++        if opts.model is None:
++            raise ValueError('ModelForm has no model class specified.')
++        if instance is None:
++            # if we didn't get an instance, instantiate a new one
++            self.instance = opts.model()
++            object_data = {}
++        else:
++            self.instance = instance
++            object_data = model_to_dict(instance, opts.fields, opts.exclude)
++        # if initial was provided, it should override the values from instance
++        if initial is not None:
++            object_data.update(initial)
++        # self._validate_unique will be set to True by BaseModelForm.clean().
++        # It is False by default so overriding self.clean() and failing to call
++        # super will stop validate_unique from being called.
++        self._validate_unique = False
++        super(BaseModelForm, self).__init__(data, files, auto_id, prefix, object_data,
++                                            error_class, label_suffix, empty_permitted)
++        # Apply ``limit_choices_to`` to each field.
++        for field_name in self.fields:
++            formfield = self.fields[field_name]
++            if hasattr(formfield, 'queryset'):
++                limit_choices_to = formfield.limit_choices_to
++                if limit_choices_to is not None:
++                    if callable(limit_choices_to):
++                        limit_choices_to = limit_choices_to()
++                    formfield.queryset = formfield.queryset.complex_filter(limit_choices_to)
++
++    def _get_validation_exclusions(self):
++        """
++        For backwards-compatibility, several types of fields need to be
++        excluded from model validation. See the following tickets for
++        details: #12507, #12521, #12553
++        """
++        exclude = []
++        # Build up a list of fields that should be excluded from model field
++        # validation and unique checks.
++        for f in self.instance._meta.fields:
++            field = f.name
++            # Exclude fields that aren't on the form. The developer may be
++            # adding these values to the model after form validation.
++            if field not in self.fields:
++                exclude.append(f.name)
++
++            # Don't perform model validation on fields that were defined
++            # manually on the form and excluded via the ModelForm's Meta
++            # class. See #12901.
++            elif self._meta.fields and field not in self._meta.fields:
++                exclude.append(f.name)
++            elif self._meta.exclude and field in self._meta.exclude:
++                exclude.append(f.name)
++
++            # Exclude fields that failed form validation. There's no need for
++            # the model fields to validate them as well.
++            elif field in self._errors.keys():
++                exclude.append(f.name)
++
++            # Exclude empty fields that are not required by the form, if the
++            # underlying model field is required. This keeps the model field
++            # from raising a required error. Note: don't exclude the field from
++            # validation if the model field allows blanks. If it does, the blank
++            # value may be included in a unique check, so cannot be excluded
++            # from validation.
++            else:
++                form_field = self.fields[field]
++                field_value = self.cleaned_data.get(field, None)
++                if not f.blank and not form_field.required and field_value in form_field.empty_values:
++                    exclude.append(f.name)
++        return exclude
++
++    def clean(self):
++        self._validate_unique = True
++        return self.cleaned_data
++
++    def _update_errors(self, errors):
++        # Override any validation error messages defined at the model level
++        # with those defined at the form level.
++        opts = self._meta
++        for field, messages in errors.error_dict.items():
++            if (field == NON_FIELD_ERRORS and opts.error_messages and
++                    NON_FIELD_ERRORS in opts.error_messages):
++                error_messages = opts.error_messages[NON_FIELD_ERRORS]
++            elif field in self.fields:
++                error_messages = self.fields[field].error_messages
++            else:
++                continue
++
++            for message in messages:
++                if (isinstance(message, ValidationError) and
++                        message.code in error_messages):
++                    message.message = error_messages[message.code]
++
++        self.add_error(None, errors)
++
++    def _post_clean(self):
++        opts = self._meta
++        # Update the model instance with self.cleaned_data.
++        self.instance = construct_instance(self, self.instance, opts.fields, opts.exclude)
++
++        exclude = self._get_validation_exclusions()
++
++        # Foreign Keys being used to represent inline relationships
++        # are excluded from basic field value validation. This is for two
++        # reasons: firstly, the value may not be supplied (#12507; the
++        # case of providing new values to the admin); secondly the
++        # object being referred to may not yet fully exist (#12749).
++        # However, these fields *must* be included in uniqueness checks,
++        # so this can't be part of _get_validation_exclusions().
++        for name, field in self.fields.items():
++            if isinstance(field, InlineForeignKeyField):
++                exclude.append(name)
++
++        try:
++            self.instance.full_clean(exclude=exclude, validate_unique=False)
++        except ValidationError as e:
++            self._update_errors(e)
++
++        # Validate uniqueness if needed.
++        if self._validate_unique:
++            self.validate_unique()
++
++    def validate_unique(self):
++        """
++        Calls the instance's validate_unique() method and updates the form's
++        validation errors if any were raised.
++        """
++        exclude = self._get_validation_exclusions()
++        try:
++            self.instance.validate_unique(exclude=exclude)
++        except ValidationError as e:
++            self._update_errors(e)
++
++    def save(self, commit=True):
++        """
++        Saves this ``form``'s cleaned_data into model instance
++        ``self.instance``.
++
++        If commit=True, then the changes to ``instance`` will be saved to the
++        database. Returns ``instance``.
++        """
++        if self.instance.pk is None:
++            fail_message = 'created'
++        else:
++            fail_message = 'changed'
++        return save_instance(self, self.instance, self._meta.fields,
++                             fail_message, commit, self._meta.exclude,
++                             construct=False)
++
++    save.alters_data = True
++
++
++class ModelForm(six.with_metaclass(ModelFormMetaclass, BaseModelForm)):
++    pass
++
++
++def modelform_factory(model, form=ModelForm, fields=None, exclude=None,
++                      formfield_callback=None, widgets=None, localized_fields=None,
++                      labels=None, help_texts=None, error_messages=None):
++    """
++    Returns a ModelForm containing form fields for the given model.
++
++    ``fields`` is an optional list of field names. If provided, only the named
++    fields will be included in the returned fields. If omitted or '__all__',
++    all fields will be used.
++
++    ``exclude`` is an optional list of field names. If provided, the named
++    fields will be excluded from the returned fields, even if they are listed
++    in the ``fields`` argument.
++
++    ``widgets`` is a dictionary of model field names mapped to a widget.
++
++    ``localized_fields`` is a list of names of fields which should be localized.
++
++    ``formfield_callback`` is a callable that takes a model field and returns
++    a form field.
++
++    ``labels`` is a dictionary of model field names mapped to a label.
++
++    ``help_texts`` is a dictionary of model field names mapped to a help text.
++
++    ``error_messages`` is a dictionary of model field names mapped to a
++    dictionary of error messages.
++    """
++    # Create the inner Meta class. FIXME: ideally, we should be able to
++    # construct a ModelForm without creating and passing in a temporary
++    # inner class.
++
++    # Build up a list of attributes that the Meta object will have.
++    attrs = {'model': model}
++    if fields is not None:
++        attrs['fields'] = fields
++    if exclude is not None:
++        attrs['exclude'] = exclude
++    if widgets is not None:
++        attrs['widgets'] = widgets
++    if localized_fields is not None:
++        attrs['localized_fields'] = localized_fields
++    if labels is not None:
++        attrs['labels'] = labels
++    if help_texts is not None:
++        attrs['help_texts'] = help_texts
++    if error_messages is not None:
++        attrs['error_messages'] = error_messages
++
++    # If parent form class already has an inner Meta, the Meta we're
++    # creating needs to inherit from the parent's inner meta.
++    parent = (object,)
++    if hasattr(form, 'Meta'):
++        parent = (form.Meta, object)
++    Meta = type(str('Meta'), parent, attrs)
++
++    # Give this new form class a reasonable name.
++    class_name = model.__name__ + str('Form')
++
++    # Class attributes for the new form class.
++    form_class_attrs = {
++        'Meta': Meta,
++        'formfield_callback': formfield_callback
++    }
++
++    # The ModelFormMetaclass will trigger a similar warning/error, but this will
++    # be difficult to debug for code that needs updating, so we produce the
++    # warning here too.
++    if (getattr(Meta, 'fields', None) is None and
++            getattr(Meta, 'exclude', None) is None):
++        warnings.warn("Calling modelform_factory without defining 'fields' or "
++                      "'exclude' explicitly is deprecated",
++                      RemovedInDjango18Warning, stacklevel=2)
++
++    # Instatiate type(form) in order to use the same metaclass as form.
++    return type(form)(class_name, (form,), form_class_attrs)
++
++
++# ModelFormSets ##############################################################
++
++class BaseModelFormSet(BaseFormSet):
++    """
++    A ``FormSet`` for editing a queryset and/or adding new objects to it.
++    """
++    model = None
++
++    def __init__(self, data=None, files=None, auto_id='id_%s', prefix=None,
++                 queryset=None, **kwargs):
++        self.queryset = queryset
++        self.initial_extra = kwargs.pop('initial', None)
++        defaults = {'data': data, 'files': files, 'auto_id': auto_id, 'prefix': prefix}
++        defaults.update(kwargs)
++        super(BaseModelFormSet, self).__init__(**defaults)
++
++    def initial_form_count(self):
++        """Returns the number of forms that are required in this FormSet."""
++        if not (self.data or self.files):
++            return len(self.get_queryset())
++        return super(BaseModelFormSet, self).initial_form_count()
++
++    def _existing_object(self, pk):
++        if not hasattr(self, '_object_dict'):
++            self._object_dict = dict((o.pk, o) for o in self.get_queryset())
++        return self._object_dict.get(pk)
++
++    def _get_to_python(self, field):
++        """
++        If the field is a related field, fetch the concrete field's (that
++        is, the ultimate pointed-to field's) get_prep_value.
++        """
++        while field.rel is not None:
++            field = field.rel.get_related_field()
++        return field.to_python
++
++    def _construct_form(self, i, **kwargs):
++        if self.is_bound and i < self.initial_form_count():
++            pk_key = "%s-%s" % (self.add_prefix(i), self.model._meta.pk.name)
++            pk = self.data[pk_key]
++            pk_field = self.model._meta.pk
++            to_python = self._get_to_python(pk_field)
++            pk = to_python(pk)
++            kwargs['instance'] = self._existing_object(pk)
++        if i < self.initial_form_count() and 'instance' not in kwargs:
++            kwargs['instance'] = self.get_queryset()[i]
++        if i >= self.initial_form_count() and self.initial_extra:
++            # Set initial values for extra forms
++            try:
++                kwargs['initial'] = self.initial_extra[i - self.initial_form_count()]
++            except IndexError:
++                pass
++        return super(BaseModelFormSet, self)._construct_form(i, **kwargs)
++
++    def get_queryset(self):
++        if not hasattr(self, '_queryset'):
++            if self.queryset is not None:
++                qs = self.queryset
++            else:
++                qs = self.model._default_manager.get_queryset()
++
++            # If the queryset isn't already ordered we need to add an
++            # artificial ordering here to make sure that all formsets
++            # constructed from this queryset have the same form order.
++            if not qs.ordered:
++                qs = qs.order_by(self.model._meta.pk.name)
++
++            # Removed queryset limiting here. As per discussion re: #13023
++            # on django-dev, max_num should not prevent existing
++            # related objects/inlines from being displayed.
++            self._queryset = qs
++        return self._queryset
++
++    def save_new(self, form, commit=True):
++        """Saves and returns a new model instance for the given form."""
++        return form.save(commit=commit)
++
++    def save_existing(self, form, instance, commit=True):
++        """Saves and returns an existing model instance for the given form."""
++        return form.save(commit=commit)
++
++    def save(self, commit=True):
++        """Saves model instances for every form, adding and changing instances
++        as necessary, and returns the list of instances.
++        """
++        if not commit:
++            self.saved_forms = []
++
++            def save_m2m():
++                for form in self.saved_forms:
++                    form.save_m2m()
++            self.save_m2m = save_m2m
++        return self.save_existing_objects(commit) + self.save_new_objects(commit)
++
++    save.alters_data = True
++
++    def clean(self):
++        self.validate_unique()
++
++    def validate_unique(self):
++        # Collect unique_checks and date_checks to run from all the forms.
++        all_unique_checks = set()
++        all_date_checks = set()
++        forms_to_delete = self.deleted_forms
++        valid_forms = [form for form in self.forms if form.is_valid() and form not in forms_to_delete]
++        for form in valid_forms:
++            exclude = form._get_validation_exclusions()
++            unique_checks, date_checks = form.instance._get_unique_checks(exclude=exclude)
++            all_unique_checks = all_unique_checks.union(set(unique_checks))
++            all_date_checks = all_date_checks.union(set(date_checks))
++
++        errors = []
++        # Do each of the unique checks (unique and unique_together)
++        for uclass, unique_check in all_unique_checks:
++            seen_data = set()
++            for form in valid_forms:
++                # get data for each field of each of unique_check
++                row_data = (form.cleaned_data[field]
++                            for field in unique_check if field in form.cleaned_data)
++                # Reduce Model instances to their primary key values
++                row_data = tuple(d._get_pk_val() if hasattr(d, '_get_pk_val') else d
++                                 for d in row_data)
++                if row_data and None not in row_data:
++                    # if we've already seen it then we have a uniqueness failure
++                    if row_data in seen_data:
++                        # poke error messages into the right places and mark
++                        # the form as invalid
++                        errors.append(self.get_unique_error_message(unique_check))
++                        form._errors[NON_FIELD_ERRORS] = self.error_class([self.get_form_error()])
++                        # remove the data from the cleaned_data dict since it was invalid
++                        for field in unique_check:
++                            if field in form.cleaned_data:
++                                del form.cleaned_data[field]
++                    # mark the data as seen
++                    seen_data.add(row_data)
++        # iterate over each of the date checks now
++        for date_check in all_date_checks:
++            seen_data = set()
++            uclass, lookup, field, unique_for = date_check
++            for form in valid_forms:
++                # see if we have data for both fields
++                if (form.cleaned_data and form.cleaned_data[field] is not None
++                        and form.cleaned_data[unique_for] is not None):
++                    # if it's a date lookup we need to get the data for all the fields
++                    if lookup == 'date':
++                        date = form.cleaned_data[unique_for]
++                        date_data = (date.year, date.month, date.day)
++                    # otherwise it's just the attribute on the date/datetime
++                    # object
++                    else:
++                        date_data = (getattr(form.cleaned_data[unique_for], lookup),)
++                    data = (form.cleaned_data[field],) + date_data
++                    # if we've already seen it then we have a uniqueness failure
++                    if data in seen_data:
++                        # poke error messages into the right places and mark
++                        # the form as invalid
++                        errors.append(self.get_date_error_message(date_check))
++                        form._errors[NON_FIELD_ERRORS] = self.error_class([self.get_form_error()])
++                        # remove the data from the cleaned_data dict since it was invalid
++                        del form.cleaned_data[field]
++                    # mark the data as seen
++                    seen_data.add(data)
++
++        if errors:
++            raise ValidationError(errors)
++
++    def get_unique_error_message(self, unique_check):
++        if len(unique_check) == 1:
++            return ugettext("Please correct the duplicate data for %(field)s.") % {
++                "field": unique_check[0],
++            }
++        else:
++            return ugettext("Please correct the duplicate data for %(field)s, "
++                "which must be unique.") % {
++                "field": get_text_list(unique_check, six.text_type(_("and"))),
++            }
++
++    def get_date_error_message(self, date_check):
++        return ugettext("Please correct the duplicate data for %(field_name)s "
++            "which must be unique for the %(lookup)s in %(date_field)s.") % {
++            'field_name': date_check[2],
++            'date_field': date_check[3],
++            'lookup': six.text_type(date_check[1]),
++        }
++
++    def get_form_error(self):
++        return ugettext("Please correct the duplicate values below.")
++
++    def save_existing_objects(self, commit=True):
++        self.changed_objects = []
++        self.deleted_objects = []
++        if not self.initial_forms:
++            return []
++
++        saved_instances = []
++        forms_to_delete = self.deleted_forms
++        for form in self.initial_forms:
++            obj = form.instance
++            if form in forms_to_delete:
++                # If the pk is None, it means that the object can't be
++                # deleted again. Possible reason for this is that the
++                # object was already deleted from the DB. Refs #14877.
++                if obj.pk is None:
++                    continue
++                self.deleted_objects.append(obj)
++                if commit:
++                    obj.delete()
++            elif form.has_changed():
++                self.changed_objects.append((obj, form.changed_data))
++                saved_instances.append(self.save_existing(form, obj, commit=commit))
++                if not commit:
++                    self.saved_forms.append(form)
++        return saved_instances
++
++    def save_new_objects(self, commit=True):
++        self.new_objects = []
++        for form in self.extra_forms:
++            if not form.has_changed():
++                continue
++            # If someone has marked an add form for deletion, don't save the
++            # object.
++            if self.can_delete and self._should_delete_form(form):
++                continue
++            self.new_objects.append(self.save_new(form, commit=commit))
++            if not commit:
++                self.saved_forms.append(form)
++        return self.new_objects
++
++    def add_fields(self, form, index):
++        """Add a hidden field for the object's primary key."""
++        from django.db.models import AutoField, OneToOneField, ForeignKey
++        self._pk_field = pk = self.model._meta.pk
++        # If a pk isn't editable, then it won't be on the form, so we need to
++        # add it here so we can tell which object is which when we get the
++        # data back. Generally, pk.editable should be false, but for some
++        # reason, auto_created pk fields and AutoField's editable attribute is
++        # True, so check for that as well.
++
++        def pk_is_not_editable(pk):
++            return ((not pk.editable) or (pk.auto_created or isinstance(pk, AutoField))
++                or (pk.rel and pk.rel.parent_link and pk_is_not_editable(pk.rel.to._meta.pk)))
++        if pk_is_not_editable(pk) or pk.name not in form.fields:
++            if form.is_bound:
++                pk_value = form.instance.pk
++            else:
++                try:
++                    if index is not None:
++                        pk_value = self.get_queryset()[index].pk
++                    else:
++                        pk_value = None
++                except IndexError:
++                    pk_value = None
++            if isinstance(pk, OneToOneField) or isinstance(pk, ForeignKey):
++                qs = pk.rel.to._default_manager.get_queryset()
++            else:
++                qs = self.model._default_manager.get_queryset()
++            qs = qs.using(form.instance._state.db)
++            if form._meta.widgets:
++                widget = form._meta.widgets.get(self._pk_field.name, HiddenInput)
++            else:
++                widget = HiddenInput
++            form.fields[self._pk_field.name] = ModelChoiceField(qs, initial=pk_value, required=False, widget=widget)
++        super(BaseModelFormSet, self).add_fields(form, index)
++
++
++def modelformset_factory(model, form=ModelForm, formfield_callback=None,
++                         formset=BaseModelFormSet, extra=1, can_delete=False,
++                         can_order=False, max_num=None, fields=None, exclude=None,
++                         widgets=None, validate_max=False, localized_fields=None,
++                         labels=None, help_texts=None, error_messages=None,
++                         min_num=None, validate_min=False):
++    """
++    Returns a FormSet class for the given Django model class.
++    """
++    # modelform_factory will produce the same warning/error, but that will be
++    # difficult to debug for code that needs upgrading, so we produce the
++    # warning here too. This logic is reproducing logic inside
++    # modelform_factory, but it can be removed once the deprecation cycle is
++    # complete, since the validation exception will produce a helpful
++    # stacktrace.
++    meta = getattr(form, 'Meta', None)
++    if meta is None:
++        meta = type(str('Meta'), (object,), {})
++    if (getattr(meta, 'fields', fields) is None and
++            getattr(meta, 'exclude', exclude) is None):
++        warnings.warn("Calling modelformset_factory without defining 'fields' or "
++                      "'exclude' explicitly is deprecated",
++                      RemovedInDjango18Warning, stacklevel=2)
++
++    form = modelform_factory(model, form=form, fields=fields, exclude=exclude,
++                             formfield_callback=formfield_callback,
++                             widgets=widgets, localized_fields=localized_fields,
++                             labels=labels, help_texts=help_texts, error_messages=error_messages)
++    FormSet = formset_factory(form, formset, extra=extra, min_num=min_num, max_num=max_num,
++                              can_order=can_order, can_delete=can_delete,
++                              validate_min=validate_min, validate_max=validate_max)
++    FormSet.model = model
++    return FormSet
++
++
++# InlineFormSets #############################################################
++
++class BaseInlineFormSet(BaseModelFormSet):
++    """A formset for child objects related to a parent."""
++    def __init__(self, data=None, files=None, instance=None,
++                 save_as_new=False, prefix=None, queryset=None, **kwargs):
++        if instance is None:
++            self.instance = self.fk.rel.to()
++        else:
++            self.instance = instance
++        self.save_as_new = save_as_new
++        if queryset is None:
++            queryset = self.model._default_manager
++        if self.instance.pk is not None:
++            qs = queryset.filter(**{self.fk.name: self.instance})
++        else:
++            qs = queryset.none()
++        super(BaseInlineFormSet, self).__init__(data, files, prefix=prefix,
++                                                queryset=qs, **kwargs)
++
++    def initial_form_count(self):
++        if self.save_as_new:
++            return 0
++        return super(BaseInlineFormSet, self).initial_form_count()
++
++    def _construct_form(self, i, **kwargs):
++        form = super(BaseInlineFormSet, self)._construct_form(i, **kwargs)
++        if self.save_as_new:
++            # Remove the primary key from the form's data, we are only
++            # creating new instances
++            form.data[form.add_prefix(self._pk_field.name)] = None
++
++            # Remove the foreign key from the form's data
++            form.data[form.add_prefix(self.fk.name)] = None
++
++        # Set the fk value here so that the form can do its validation.
++        fk_value = self.instance.pk
++        if self.fk.rel.field_name != self.fk.rel.to._meta.pk.name:
++            fk_value = getattr(self.instance, self.fk.rel.field_name)
++            fk_value = getattr(fk_value, 'pk', fk_value)
++        setattr(form.instance, self.fk.get_attname(), fk_value)
++        return form
++
++    @classmethod
++    def get_default_prefix(cls):
++        from django.db.models.fields.related import RelatedObject
++        return RelatedObject(cls.fk.rel.to, cls.model, cls.fk).get_accessor_name().replace('+', '')
++
++    def save_new(self, form, commit=True):
++        # Use commit=False so we can assign the parent key afterwards, then
++        # save the object.
++        obj = form.save(commit=False)
++        pk_value = getattr(self.instance, self.fk.rel.field_name)
++        setattr(obj, self.fk.get_attname(), getattr(pk_value, 'pk', pk_value))
++        if commit:
++            obj.save()
++        # form.save_m2m() can be called via the formset later on if commit=False
++        if commit and hasattr(form, 'save_m2m'):
++            form.save_m2m()
++        return obj
++
++    def add_fields(self, form, index):
++        super(BaseInlineFormSet, self).add_fields(form, index)
++        if self._pk_field == self.fk:
++            name = self._pk_field.name
++            kwargs = {'pk_field': True}
++        else:
++            # The foreign key field might not be on the form, so we poke at the
++            # Model field to get the label, since we need that for error messages.
++            name = self.fk.name
++            kwargs = {
++                'label': getattr(form.fields.get(name), 'label', capfirst(self.fk.verbose_name))
++            }
++            if self.fk.rel.field_name != self.fk.rel.to._meta.pk.name:
++                kwargs['to_field'] = self.fk.rel.field_name
++
++        form.fields[name] = InlineForeignKeyField(self.instance, **kwargs)
++
++        # Add the generated field to form._meta.fields if it's defined to make
++        # sure validation isn't skipped on that field.
++        if form._meta.fields:
++            if isinstance(form._meta.fields, tuple):
++                form._meta.fields = list(form._meta.fields)
++            form._meta.fields.append(self.fk.name)
++
++    def get_unique_error_message(self, unique_check):
++        unique_check = [field for field in unique_check if field != self.fk.name]
++        return super(BaseInlineFormSet, self).get_unique_error_message(unique_check)
++
++
++def _get_foreign_key(parent_model, model, fk_name=None, can_fail=False):
++    """
++    Finds and returns the ForeignKey from model to parent if there is one
++    (returns None if can_fail is True and no such field exists). If fk_name is
++    provided, assume it is the name of the ForeignKey field. Unless can_fail is
++    True, an exception is raised if there is no ForeignKey from model to
++    parent_model.
++    """
++    # avoid circular import
++    from django.db.models import ForeignKey
++    opts = model._meta
++    if fk_name:
++        fks_to_parent = [f for f in opts.fields if f.name == fk_name]
++        if len(fks_to_parent) == 1:
++            fk = fks_to_parent[0]
++            if not isinstance(fk, ForeignKey) or \
++                    (fk.rel.to != parent_model and
++                     fk.rel.to not in parent_model._meta.get_parent_list()):
++                raise ValueError(
++                    "fk_name '%s' is not a ForeignKey to '%s.%s'."
++                    % (fk_name, parent_model._meta.app_label, parent_model._meta.object_name))
++        elif len(fks_to_parent) == 0:
++            raise ValueError(
++                "'%s.%s' has no field named '%s'."
++                % (model._meta.app_label, model._meta.object_name, fk_name))
++    else:
++        # Try to discover what the ForeignKey from model to parent_model is
++        fks_to_parent = [
++            f for f in opts.fields
++            if isinstance(f, ForeignKey)
++            and (f.rel.to == parent_model
++                or f.rel.to in parent_model._meta.get_parent_list())
++        ]
++        if len(fks_to_parent) == 1:
++            fk = fks_to_parent[0]
++        elif len(fks_to_parent) == 0:
++            if can_fail:
++                return
++            raise ValueError(
++                "'%s.%s' has no ForeignKey to '%s.%s'."
++                % (model._meta.app_label, model._meta.object_name, parent_model._meta.app_label, parent_model._meta.object_name))
++        else:
++            raise ValueError(
++                "'%s.%s' has more than one ForeignKey to '%s.%s'."
++                % (model._meta.app_label, model._meta.object_name, parent_model._meta.app_label, parent_model._meta.object_name))
++    return fk
++
++
++def inlineformset_factory(parent_model, model, form=ModelForm,
++                          formset=BaseInlineFormSet, fk_name=None,
++                          fields=None, exclude=None, extra=3, can_order=False,
++                          can_delete=True, max_num=None, formfield_callback=None,
++                          widgets=None, validate_max=False, localized_fields=None,
++                          labels=None, help_texts=None, error_messages=None,
++                          min_num=None, validate_min=False):
++    """
++    Returns an ``InlineFormSet`` for the given kwargs.
++
++    You must provide ``fk_name`` if ``model`` has more than one ``ForeignKey``
++    to ``parent_model``.
++    """
++    fk = _get_foreign_key(parent_model, model, fk_name=fk_name)
++    # enforce a max_num=1 when the foreign key to the parent model is unique.
++    if fk.unique:
++        max_num = 1
++    kwargs = {
++        'form': form,
++        'formfield_callback': formfield_callback,
++        'formset': formset,
++        'extra': extra,
++        'can_delete': can_delete,
++        'can_order': can_order,
++        'fields': fields,
++        'exclude': exclude,
++        'min_num': min_num,
++        'max_num': max_num,
++        'widgets': widgets,
++        'validate_min': validate_min,
++        'validate_max': validate_max,
++        'localized_fields': localized_fields,
++        'labels': labels,
++        'help_texts': help_texts,
++        'error_messages': error_messages,
++    }
++    FormSet = modelformset_factory(model, **kwargs)
++    FormSet.fk = fk
++    return FormSet
++
++
++# Fields #####################################################################
++
++class InlineForeignKeyField(Field):
++    """
++    A basic integer field that deals with validating the given value to a
++    given parent instance in an inline.
++    """
++    widget = HiddenInput
++    default_error_messages = {
++        'invalid_choice': _('The inline foreign key did not match the parent instance primary key.'),
++    }
++
++    def __init__(self, parent_instance, *args, **kwargs):
++        self.parent_instance = parent_instance
++        self.pk_field = kwargs.pop("pk_field", False)
++        self.to_field = kwargs.pop("to_field", None)
++        if self.parent_instance is not None:
++            if self.to_field:
++                kwargs["initial"] = getattr(self.parent_instance, self.to_field)
++            else:
++                kwargs["initial"] = self.parent_instance.pk
++        kwargs["required"] = False
++        super(InlineForeignKeyField, self).__init__(*args, **kwargs)
++
++    def clean(self, value):
++        if value in self.empty_values:
++            if self.pk_field:
++                return None
++            # if there is no value act as we did before.
++            return self.parent_instance
++        # ensure the we compare the values as equal types.
++        if self.to_field:
++            orig = getattr(self.parent_instance, self.to_field)
++        else:
++            orig = self.parent_instance.pk
++        if force_text(value) != force_text(orig):
++            raise ValidationError(self.error_messages['invalid_choice'], code='invalid_choice')
++        return self.parent_instance
++
++    def _has_changed(self, initial, data):
++        return False
++
++
++class ModelChoiceIterator(object):
++    def __init__(self, field):
++        self.field = field
++        self.queryset = field.queryset
++
++    def __iter__(self):
++        if self.field.empty_label is not None:
++            yield ("", self.field.empty_label)
++        if self.field.cache_choices:
++            if self.field.choice_cache is None:
++                self.field.choice_cache = [
++                    self.choice(obj) for obj in self.queryset.all()
++                ]
++            for choice in self.field.choice_cache:
++                yield choice
++        else:
++            for obj in self.queryset.all():
++                yield self.choice(obj)
++
++    def __len__(self):
++        return (len(self.queryset) +
++            (1 if self.field.empty_label is not None else 0))
++
++    def choice(self, obj):
++        return (self.field.prepare_value(obj), self.field.label_from_instance(obj))
++
++
++class ModelChoiceField(ChoiceField):
++    """A ChoiceField whose choices are a model QuerySet."""
++    # This class is a subclass of ChoiceField for purity, but it doesn't
++    # actually use any of ChoiceField's implementation.
++    default_error_messages = {
++        'invalid_choice': _('Select a valid choice. That choice is not one of'
++                            ' the available choices.'),
++    }
++
++    def __init__(self, queryset, empty_label="---------", cache_choices=False,
++                 required=True, widget=None, label=None, initial=None,
++                 help_text='', to_field_name=None, limit_choices_to=None,
++                 *args, **kwargs):
++        if required and (initial is not None):
++            self.empty_label = None
++        else:
++            self.empty_label = empty_label
++        self.cache_choices = cache_choices
++
++        # Call Field instead of ChoiceField __init__() because we don't need
++        # ChoiceField.__init__().
++        Field.__init__(self, required, widget, label, initial, help_text,
++                       *args, **kwargs)
++        self.queryset = queryset
++        self.limit_choices_to = limit_choices_to   # limit the queryset later.
++        self.choice_cache = None
++        self.to_field_name = to_field_name
++
++    def __deepcopy__(self, memo):
++        result = super(ChoiceField, self).__deepcopy__(memo)
++        # Need to force a new ModelChoiceIterator to be created, bug #11183
++        result.queryset = result.queryset
++        return result
++
++    def _get_queryset(self):
++        return self._queryset
++
++    def _set_queryset(self, queryset):
++        self._queryset = queryset
++        self.widget.choices = self.choices
++
++    queryset = property(_get_queryset, _set_queryset)
++
++    # this method will be used to create object labels by the QuerySetIterator.
++    # Override it to customize the label.
++    def label_from_instance(self, obj):
++        """
++        This method is used to convert objects into strings; it's used to
++        generate the labels for the choices presented by this object. Subclasses
++        can override this method to customize the display of the choices.
++        """
++        return smart_text(obj)
++
++    def _get_choices(self):
++        # If self._choices is set, then somebody must have manually set
++        # the property self.choices. In this case, just return self._choices.
++        if hasattr(self, '_choices'):
++            return self._choices
++
++        # Otherwise, execute the QuerySet in self.queryset to determine the
++        # choices dynamically. Return a fresh ModelChoiceIterator that has not been
++        # consumed. Note that we're instantiating a new ModelChoiceIterator *each*
++        # time _get_choices() is called (and, thus, each time self.choices is
++        # accessed) so that we can ensure the QuerySet has not been consumed. This
++        # construct might look complicated but it allows for lazy evaluation of
++        # the queryset.
++        return ModelChoiceIterator(self)
++
++    choices = property(_get_choices, ChoiceField._set_choices)
++
++    def prepare_value(self, value):
++        if hasattr(value, '_meta'):
++            if self.to_field_name:
++                return value.serializable_value(self.to_field_name)
++            else:
++                return value.pk
++        return super(ModelChoiceField, self).prepare_value(value)
++
++    def to_python(self, value):
++        if value in self.empty_values:
++            return None
++        try:
++            key = self.to_field_name or 'pk'
++            value = self.queryset.get(**{key: value})
++        except (ValueError, self.queryset.model.DoesNotExist):
++            raise ValidationError(self.error_messages['invalid_choice'], code='invalid_choice')
++        return value
++
++    def validate(self, value):
++        return Field.validate(self, value)
++
++    def _has_changed(self, initial, data):
++        initial_value = initial if initial is not None else ''
++        data_value = data if data is not None else ''
++        return force_text(self.prepare_value(initial_value)) != force_text(data_value)
++
++
++class ModelMultipleChoiceField(ModelChoiceField):
++    """A MultipleChoiceField whose choices are a model QuerySet."""
++    widget = SelectMultiple
++    hidden_widget = MultipleHiddenInput
++    default_error_messages = {
++        'list': _('Enter a list of values.'),
++        'invalid_choice': _('Select a valid choice. %(value)s is not one of the'
++                            ' available choices.'),
++        'invalid_pk_value': _('"%(pk)s" is not a valid value for a primary key.')
++    }
++
++    def __init__(self, queryset, cache_choices=False, required=True,
++                 widget=None, label=None, initial=None,
++                 help_text='', *args, **kwargs):
++        super(ModelMultipleChoiceField, self).__init__(queryset, None,
++            cache_choices, required, widget, label, initial, help_text,
++            *args, **kwargs)
++        # Remove this in Django 1.8
++        if isinstance(self.widget, SelectMultiple) and not isinstance(self.widget, CheckboxSelectMultiple):
++            msg = _('Hold down "Control", or "Command" on a Mac, to select more than one.')
++            self.help_text = string_concat(self.help_text, ' ', msg)
++
++    def to_python(self, value):
++        if not value:
++            return []
++        to_py = super(ModelMultipleChoiceField, self).to_python
++        return [to_py(val) for val in value]
++
++    def clean(self, value):
++        if self.required and not value:
++            raise ValidationError(self.error_messages['required'], code='required')
++        elif not self.required and not value:
++            return self.queryset.none()
++        if not isinstance(value, (list, tuple)):
++            raise ValidationError(self.error_messages['list'], code='list')
++        key = self.to_field_name or 'pk'
++        for pk in value:
++            try:
++                self.queryset.filter(**{key: pk})
++            except ValueError:
++                raise ValidationError(
++                    self.error_messages['invalid_pk_value'],
++                    code='invalid_pk_value',
++                    params={'pk': pk},
++                )
++        qs = self.queryset.filter(**{'%s__in' % key: value})
++        pks = set(force_text(getattr(o, key)) for o in qs)
++        for val in value:
++            if force_text(val) not in pks:
++                raise ValidationError(
++                    self.error_messages['invalid_choice'],
++                    code='invalid_choice',
++                    params={'value': val},
++                )
++        # Since this overrides the inherited ModelChoiceField.clean
++        # we run custom validators here
++        self.run_validators(value)
++        return qs
++
++    def prepare_value(self, value):
++        if (hasattr(value, '__iter__') and
++                not isinstance(value, six.text_type) and
++                not hasattr(value, '_meta')):
++            return [super(ModelMultipleChoiceField, self).prepare_value(v) for v in value]
++        return super(ModelMultipleChoiceField, self).prepare_value(value)
++
++    def _has_changed(self, initial, data):
++        if initial is None:
++            initial = []
++        if data is None:
++            data = []
++        if len(initial) != len(data):
++            return True
++        initial_set = set(force_text(value) for value in self.prepare_value(initial))
++        data_set = set(force_text(value) for value in data)
++        return data_set != initial_set
++
++
++def modelform_defines_fields(form_class):
++    return (form_class is not None and (
++            hasattr(form_class, '_meta') and
++            (form_class._meta.fields is not None or
++             form_class._meta.exclude is not None)
++            ))
+--- python-django-1.7.1.orig/docs/spelling_wordlist
++++ python-django-1.7.1/docs/spelling_wordlist
+@@ -134,6 +134,7 @@ dbshell
+ de
+ deconstruct
+ deconstructing
++deduplicates
+ deepcopy
+ deserialization
+ deserialize
+--- python-django-1.7.1.orig/tests/model_forms/tests.py
++++ python-django-1.7.1/tests/model_forms/tests.py
+@@ -1573,6 +1573,27 @@ class ModelMultipleChoiceFieldTests(Test
+         self.assertTrue(form.is_valid())
+         self.assertTrue(form.has_changed())
+ 
++    def test_show_hidden_initial_changed_queries_efficiently(self):
++        class WriterForm(forms.Form):
++            persons = forms.ModelMultipleChoiceField(
++                show_hidden_initial=True, queryset=Writer.objects.all())
++
++        writers = (Writer.objects.create(name=str(x)) for x in range(0, 50))
++        writer_pks = tuple(x.pk for x in writers)
++        form = WriterForm(data={'initial-persons': writer_pks})
++        with self.assertNumQueries(1):
++            self.assertTrue(form.has_changed())
++
++    def test_clean_does_deduplicate_values(self):
++        class WriterForm(forms.Form):
++            persons = forms.ModelMultipleChoiceField(queryset=Writer.objects.all())
++
++        person1 = Writer.objects.create(name="Person 1")
++        form = WriterForm(data={})
++        queryset = form.fields['persons'].clean([str(person1.pk)] * 50)
++        sql, params = queryset.query.sql_with_params()
++        self.assertEqual(len(params), 1)
++
+ 
+ class ModelOneToOneFieldTests(TestCase):
+     def test_modelform_onetoonefield(self):
diff -Nru python-django-1.7.1/debian/patches/series python-django-1.7.1/debian/patches/series
--- python-django-1.7.1/debian/patches/series	2014-10-27 15:57:12.000000000 +0000
+++ python-django-1.7.1/debian/patches/series	2015-01-16 23:19:17.000000000 +0000
@@ -1,3 +1,7 @@
 02_disable-sources-in-sphinxdoc.diff
 03_manpage.diff
 06_use_debian_geoip_database_as_default.diff
+header-underscore.diff
+leading-whitespace-is_safe_url.diff
+longline.diff
+model-multiple-choice.diff

Reply via email to