On Monday, 21 November 2016 at 23:56:56 UTC+1, Tim Graham wrote:
>
> When reviewing the patch for the auth class-based view additions, I made 
> the mistake of assuming that the existing tests would catch this type of 
> obviously incorrect issue. Perhaps with the function-based views, the code 
> was "too obviously correct" that a test for token verification on POST 
> wasn't considered. I'd like to think that future work on the class-based 
> views would be more careful about testing, especially after we made this 
> mistake.
>

+1 to that, I think this issue essentially demonstrated a weakness in the 
test suite.
 
More generally, and considering the patch entered the master branch early in 
the schedule, it would be a shame not to be able to make it stable and 
secure for 1.11. I could understand delaying the function-based view 
deprecation, but I would be very disappointed to see that code removed for 
1.11.

Also note that I don't buy the argument of a "danger of shooting ourselves in 
the foot". Currently, when people have to customize some part of the 
current views, they have no choice besides copy-pasting large parts of the 
Django code into their code base. As versions evolve, some parts become stale 
and could even miss patches for security issues. So for me, by using 
class-based views and allowing users to override only the precise parts of 
those views which need to be overridden, the design is overall more secure 
than the current function-based views.

And of course, sorry for being the author of the faulty commit, and thanks 
to the eagle eyes!

Claude

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/6e0c9d43-c6cb-48f3-bf07-8f1ff5ef625c%40googlegroups.com.