RepoJournal
Django

@django

Python's batteries-included web framework

Pick a date

Topics: Python Full archive →

The Wire · Showcase

DJANGO TIGHTENS SECURITY ON FUNDRAISING, SHIPS DARK MODE FOR ERROR PAGES

By RepoJournal · Filed · About Django

The Django project fixed a critical authentication bypass in its fundraising app that allowed unauthenticated donors to update other users' payment methods.

The djangoproject.com team patched an unprotected endpoint in the fundraising app [1] where the `update_card()` function accepted a bare donation ID from POST requests with zero authorization checks. An attacker could update any donor's card by guessing or scraping donation IDs. The fix now requires the donor's hero token and scopes the lookup through the authenticated user's donation set, matching patterns already used correctly elsewhere in the codebase. Meanwhile, Django core shipped dark mode support for technical 404 and 500 error pages [2], completing work on ticket #35875 with CSS overrides for the prefers-color-scheme media query. The team also added gettext installation to GitHub Actions workflows [3] to prevent skipped i18n extraction tests. On the documentation front, Django added GeneratedField examples to the PostgreSQL search reference [4] and made the Django Core Developers page discoverable by adding sitemap entries and a route name [5].

Action items

References

  1. [1] Fixed unauthenticated cross-donor card update in fundraising app. django/djangoproject.com
  2. [2] Fixed #35875 -- Added dark mode support to technical 404 and 500 error views. ↗ django/django
  3. [3] Added step to install gettext in Github Actions workflows. ↗ django/django
  4. [4] Fixed #37219 -- Added GeneratedField example to PostgreSQL search reference. django/django
  5. [5] Fixed #2714 -- Made the Django Core Developers page discoverable. (#2715) django/djangoproject.com

Quick answers

What shipped in Django on July 18, 2026?
The Django project fixed a critical authentication bypass in its fundraising app that allowed unauthenticated donors to update other users' payment methods. In total, 9 commits and 10 pull requests landed.
Who contributed to Django on July 18, 2026?
5 developers shipped this update, including harveybellini, jacobtylerwalls, Carlton Gibson, Natalia, and Sergey Fedoseev.
What were the notable Django updates?
Fixed unauthenticated cross-donor card update in fundraising app, Fixed #35875 -- Added dark mode support to technical 404 and 500 error views, and Added step to install gettext in Github Actions workflows.

More from @django

Daily updates, in your inbox

Follow Django

Python's batteries-included web framework We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire