I certainly like the idea of making public the API to load your tag lib by default for your project. It's there, it's clean, and it's been stable for a looong time. Of course, the multi-template-engine work may change this.
Also, I agree that "explicit is better than implicit", and thus reducing the number of places Django "discovers" things, instead of being instructed where to look, is probably a good idea. -- Curtis On 27 December 2014 at 10:18, Shai Berger <s...@platonix.com> wrote: > On Wednesday 24 December 2014 20:35:09 Tim Graham wrote: > > I was hoping to get clarification on what security model we intend to > > support for template authors. In ticket #12772 > > <https://code.djangoproject.com/ticket/12772> it's proposed to allow > > loading template tags using a dotted Python path. This would allow > template > > authors to trigger imports of anything on the Python path. I am not sure > > the requirement to add a template tag library to INSTALLED_APPS is a big > > burden these days (e.g. there is no more need to create an empty > models.py > > file), but perhaps I don't fully understand the ticket's rationale for > > proposing these changes. > > In addition to what Curtis and Florian said, the ticket was made before the > default-project-layout change that made project-apps common; since Django > 1.4 > (or was it 1.3?) those have been a natural place for "common tags [to] be > kept > together". > > Reading also the ticket, I agree with Carl's argument that the libraries > available for loading should be explicitly controlled from Python code. In > fact, this point makes me wonder if it wouldn't be better (ignoring > backwards > compatibility, of course) to require custom tags to be passed in through > the > context ("project-global" custom tags could then be added in a context- > processor). > > Shai. > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAG_XiSDg_%2Bm-wnFqf_YDKtZub5q8hkX2WtCu26zh4QKYVBspxw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
