On Wed, Oct 15, 2008 at 1:20 PM, Amit Upadhyay <[EMAIL PROTECTED]> wrote:
> Question: 1. is the expectation that GET request should only do SELECT
> reasonable? 2. if 1, then should django enforce it?

Clarification, enforce is ambiguous:

Question 2.1. Django, core and contrib apps shipped with it, should internally not alter data on GETs, plus recommend third party Django apps to not do the same.

Question 2.2. there be a middleware to enforce this on database level, raise assertion error if request.method == GET and sql.query_type != SELECT, so that I can say with certain confidence it has been done. [creating a sql user with only SELECT permission takes care of this so it is not strictly necessary, but such a middleware will make development easier].

I am not sure how it would work, but I think something like transaction middleware, doing something like django.core.db.only_allow_selects() in process_request if request.method == GET, and reverting in process_response, plus updating Django's db code to honor this.

--
Amit Upadhyay
Vakow! www.vakow.com
+91-9820-295-512
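
A sketch of the guard proposed in the message above, added here as an example and not code from the original message or from Django. It uses the standard-library sqlite3 authorizer hook in place of Django's database layer; `only_allow_selects` as written here, `guarded`, the two views and the `notes` table are assumptions made for illustration.

```python
import sqlite3
from contextlib import contextmanager

# Authorizer action codes a plain SELECT needs; every other action is denied.
READ_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def _select_only(action, arg1, arg2, db_name, source):
    return sqlite3.SQLITE_OK if action in READ_ACTIONS else sqlite3.SQLITE_DENY

def _allow_all(action, arg1, arg2, db_name, source):
    return sqlite3.SQLITE_OK

@contextmanager
def only_allow_selects(conn):
    """Hypothetical helper: restrict the connection to reads, then revert."""
    conn.set_authorizer(_select_only)      # the "process_request" step
    try:
        yield
    finally:
        conn.set_authorizer(_allow_all)    # the "process_response" revert

def guarded(conn, view):
    """Wrap a view so that GET requests run under the SELECT-only authorizer."""
    def wrapper(method, *args):
        if method != "GET":
            return view(conn, method, *args)
        with only_allow_selects(conn):
            return view(conn, method, *args)
    return wrapper

def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES ('seed')")
    conn.commit()
    return conn

def list_notes(conn, method):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]

def add_note(conn, method, body):
    # A view that writes; on a GET the authorizer rejects it at prepare time.
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    conn.commit()
    return "saved"
```

A write attempted during a GET surfaces as `sqlite3.DatabaseError` before the statement runs, which is the development-time signal the message asks for; the SELECT-only database user it mentions remains the stronger control in production.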