On 10-09-11 00:15, Tobias wrote:
This is probably an overly simplistic implementation, but would
something like this work, more broadly covering Jacob's concerns in
the ticket about template authors being able to shoot themselves in
the foot?  It seems less effective to mark all required methods with
alters_data, as this method also wouldn't prevent get(), post(), etc.
from being called in subclassed views (which could potentially
generate recursive loops).

https://github.com/tobiasmcnulty/django/compare/master...ticket-16744

It is already more elaborate than what I'm using locally now :-) I don't have a proxy object in my own views. Seems like a good idea, though.

Addition: disallow attributes/methods starting with an underscore? That's a handy way to stow away dangerous methods should you have them in your view.

The only way I can see you shooting yourself in the foot is when you have a form view that reacts to get() and post(). Upon "get()", the template *could* call data-modifying methods on the class.



Reinout

--
Reinout van Rees                    http://reinout.vanrees.org/
rein...@vanrees.org             http://www.nelen-schuurmans.nl/
"If you're not sure what to do, make something. -- Paul Graham"
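
A minimal sketch of the proxy idea discussed in this thread, added here as an illustration; it is not the code in the linked branch and not Django's own. The names ViewProxy, BLOCKED, ArticleFormView and template_lookup are hypothetical, the deny-list is an assumption, and template_lookup is a simplified stand-in for how a template resolves an attribute and calls it without arguments.

```python
# Assumed deny-list: HTTP handler methods plus the view entry points.
BLOCKED = {"get", "post", "put", "patch", "delete", "head", "options",
           "trace", "dispatch", "as_view"}


class ViewProxy:
    """Read-only facade over a view instance, meant for the template context."""

    def __init__(self, view):
        object.__setattr__(self, "_view", view)

    def __getattribute__(self, name):
        # Underscore names and request handlers are never exposed.
        if name.startswith("_") or name in BLOCKED:
            raise AttributeError(name)
        view = object.__getattribute__(self, "_view")
        value = getattr(view, name)
        # Honour the alters_data marker on data-modifying methods.
        if callable(value) and getattr(value, "alters_data", False):
            raise AttributeError(name)
        return value

    def __setattr__(self, name, value):
        raise AttributeError("view proxy is read-only")


class ArticleFormView:  # constructed sample view, not from the thread
    title = "Edit article"
    deleted = False

    def related_links(self):
        return ["/articles/", "/authors/"]

    def delete_article(self):
        self.deleted = True
    delete_article.alters_data = True

    def _purge_cache(self):
        return "purged"

    def get(self, request=None):
        return "rendered"


def template_lookup(obj, name):
    """Simplified {{ view.name }}: resolve, call with no arguments, else ''."""
    try:
        value = getattr(obj, name)
    except AttributeError:
        return ""  # unresolved names render as an empty string here
    return value() if callable(value) else value
```
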
