#17664: {% if %} template tag silences exceptions inconsistently
-------------------------------------+-------------------------------------
     Reporter:  Tai Lee              |                    Owner:  Robert
                                     |  Roskam
         Type:  Bug                  |                   Status:  assigned
    Component:  Template system      |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  smart if tag         |             Triage Stage:  Accepted
  queryset exception silenced        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by felixxm):

 I totally agree with
 [https://code.djangoproject.com/ticket/17664#comment:27 Carlton]. This is
 a huge change in the current longstanding behavior that would make the DTL
 less user-friendly and would force users to rewrite templates in bulk with
 no benefits. I also don't agree that the current behavior has important
 security implications. Even if it's used for permission checks, showing
 sensitive data in the `{% else %}` block seems like an unusual pattern.
 Moreover, to expose sensitive data we need to also make a typo and not
 have any tests; that's an edge case, which should not force most users to
 rewrite their templates. In order to work with the DTL's behavior, moving
 such logic up to the view or into a template tag are the long-established
 approaches.

 I think we should decide which exceptions should be suppressed
 ([https://code.djangoproject.com/ticket/17664#comment:13 as suggested by
 Colin]). `AttributeError`, `KeyError`, and `IndexError` sound like a good
 starting point.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/17664#comment:29>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
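
The two suppression policies weighed in the comment above, as an added example that is not part of the ticket and not Django's code. It is a simplified pure-Python model; `eval_condition`, `render_if`, the sample contexts and the blanket contrast case are assumptions made for illustration.

```python
# Added illustration: a simplified model of {% if %} condition evaluation,
# not Django's implementation.
from types import SimpleNamespace

BLANKET = (Exception,)  # contrast case: every exception means "false"
ALLOWLIST = (AttributeError, KeyError, IndexError)  # set named in the comment


def eval_condition(condition, context, suppressed):
    """Truth value of condition(context); exceptions in `suppressed` count
    as a false condition, anything else propagates to the caller."""
    try:
        return bool(condition(context))
    except suppressed:
        return False


def render_if(condition, context, suppressed, if_block, else_block):
    """Hypothetical stand-in for {% if %}...{% else %}...{% endif %}."""
    if eval_condition(condition, context, suppressed):
        return if_block
    return else_block


# Constructed sample contexts.
anonymous = {"user": SimpleNamespace()}  # user without `profile`
broken = {"user": SimpleNamespace(level=3), "limit": None}  # limit never set


def missing_attr(ctx):  # models {% if user.profile.restricted %}
    return ctx["user"].profile.restricted  # AttributeError


def bad_compare(ctx):  # models {% if user.level < limit %}
    return ctx["user"].level < ctx["limit"]  # int < None raises TypeError


def outcomes():
    """Rendered branch, or the exception name, per policy and condition."""
    cases = (("missing_attr", missing_attr, anonymous),
             ("bad_compare", bad_compare, broken))
    results = {}
    for name, policy in (("blanket", BLANKET), ("allowlist", ALLOWLIST)):
        for label, cond, ctx in cases:
            try:
                results[(name, label)] = render_if(cond, ctx, policy, "IF", "ELSE")
            except Exception as exc:
                results[(name, label)] = type(exc).__name__
    return results
```

Under the allowlist a missing attribute still falls through to the else branch, while the `TypeError` from the unset `limit` surfaces instead of silently rendering it.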
