On Mon, Sep 12, 2011 at 2:10 PM, Reinout van Rees <rein...@vanrees.org> wrote:

> On 12-09-11 18:25, Florian Apolloner wrote:
>
>> On Monday, September 12, 2011 5:39:03 PM UTC+2, Reinout van Rees wrote:
>>
>> Addition: disallow attributes/methods starting with an underscore?
>>
>> That's a handy way to stow away dangerous methods should you have them
>> in your view.
>>
>> That's already the case for resolving variables in templates, I don't
>> think we need any specialcasing here.
>>
>> > The only way I can see yourself shooting in the foot is when you have a
>> > form view that reacts to get() and post(). Upon "get()", the template
>> > *could* call data-modifying methods on the class.
>>
>> Not easily, since the templates can only call methods which don't
>> require extra params, get/post do take request at least.
>
> I love it when problems solve themselves :-)

That's a good point. Are there *any* methods in the CBVs that don't take arguments, that also modify data? The only one that I found in the list I'd initially proposed that can be called without arguments is as_view(), and I'm not sure that really even needs protection.

Maybe there's no need to protect anything with alters_data / proxying? That would certainly be the simplest, and would eliminate the possibility that someone will later ask for us to expose a certain method or attribute that we thought it best to hide now.

Tobias
--
Tobias McNulty, Managing Member
Caktus Consulting Group, LLC
http://www.caktusgroup.com
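
The manual check described in this message (which view methods could a template call?) can be automated. The following is an added example, not part of the original message and not Django's code: it models the three rules named in the thread (leading underscore, required arguments, `alters_data`), and `SampleFormView`, `audit` and `reachable` are hypothetical names constructed for the illustration.

```python
import inspect

def callable_without_args(func):
    """True if func can be called with no arguments supplied."""
    try:
        params = inspect.signature(func).parameters.values()
    except (TypeError, ValueError):  # no introspectable signature: do not assume
        return False
    return all(p.default is not p.empty or p.kind in (p.VAR_POSITIONAL, p.VAR_KEYWORD)
               for p in params)

def audit(obj):
    """Classify each method of obj by the template-lookup rule that applies to it."""
    report = {}
    for name in dir(obj):
        if name.startswith("__"):
            continue  # skip Python's own dunder machinery
        member = getattr(obj, name)
        if not callable(member):
            continue
        if name.startswith("_"):
            report[name] = "blocked: leading underscore"
        elif getattr(member, "alters_data", False):
            report[name] = "blocked: alters_data"
        elif not callable_without_args(member):
            report[name] = "blocked: requires arguments"
        else:
            report[name] = "reachable"
    return report

def reachable(obj):
    """Sorted names of the methods a template could invoke on obj."""
    return sorted(n for n, verdict in audit(obj).items() if verdict == "reachable")

class SampleFormView:  # constructed stand-in for a class-based view
    @classmethod
    def as_view(cls, **initkwargs): return cls
    def get(self, request): return "form"
    def post(self, request): return "saved"
    def get_queryset(self): return []
    def purge(self): return "rows deleted"
    purge.alters_data = True  # marks the method as data-modifying
    def _reset(self): return None

if __name__ == "__main__":
    for name, verdict in sorted(audit(SampleFormView()).items()):
        print(f"{name:15} {verdict}")
```

Any name reported as reachable that also writes data is a candidate for `alters_data = True`, an underscore prefix, or a required parameter.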