Agree this is not an appropriate default, although I could see an argument
for supporting __all__ like in forms. This isn't very hard as a third party
solution though so I'm not super keen on that idea.

M
On 15 Jun 2015 22:03, "Shai Berger" <[email protected]> wrote:

> (I received the message I'm replying to here with an empty subject, and
> detached from the thread. Google Groups being funny?)
>
> On Monday 15 June 2015 22:52:09 Rick van Hattem wrote:
> > On 15 June 2015 at 21:34, Florian Apolloner <[email protected]> wrote:
> > > On Monday, June 15, 2015 at 7:07:38 PM UTC+2, Rick van Hattem (wolph) wrote:
> > >> Would anyone oppose a pull request like this?
> > >
> > > Yes, it is highly backwards incompatible for not much gain, I am also
> > > usually just fine with one/two fields for list_display. You could just
> > > use your own admin subclass for that.
> >
> > Can you clarify on that? I don't see the backwards incompatibility here.
> >
>
> It could quite easily cause breakage for specific client-side code, although I
> wouldn't consider that "highly" incompatible.
>
> However, it could also easily lead to inappropriate data exposure -- where
> people who are supposed to get an "opaque" view of some objects will, upon
> upgrade, be able to see all their details. I consider that risk to weigh much
> more than the potential gains.
> >
> > The discussion here shouldn't be whether you can or cannot fix it yourself
> > (obviously, you can, that's not the issue), it's what a good/sane default
> > would be. For brand new Django users, would it be more convenient to have 1
> > column or just all local columns and make it slightly more usable?
> >
> Besides "convenient", you should also consider "safe", and besides brand new
> users, there are also established users with significant codebases. Now,
> arguably, if we were starting the Django project today, we could use the
> default you propose, people would be aware of it, and if they wanted to limit
> access, they would. One could still argue that "whitelisting" is better than
> "blacklisting", and we could have a whole discussion about this. But having a
> Django upgrade just expose more data by default, even in the Admin, would be a
> serious breach of our users' trust IMO.
>
> Shai.
>
