#35108: Have SingleObjectMixin.get_object handle ValidationError/ValueError
-----------------------------------------+------------------------
               Reporter:  Alex Tomkins   |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  Generic views  |        Version:  5.0
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 Vaguely related ticket from 10 years ago(!) - #22303

 Currently `get_object` in the Django admin handles
 ValidationError/ValueError
 https://github.com/django/django/blob/6e520d953773d25a3d3484db67feed446aca0bc1/django/contrib/admin/options.py#L896.
 This is needed as the URL patterns for the Django admin are fairly relaxed
 to handle objects where the ID/PK isn't an integer. However, in the
 scenario where a model does have a PK as an integer - this try/except
 quietly turns invalid URLs (e.g. a string into an integer field) into a
 404.

 I think the immediate thought for most people would be along the lines of:
 fix your URLs to restrict/validate inputs.

 However, if you've got a Django app that provides views/URLs for editing
 users, you have to make the URL patterns fairly relaxed to allow for
 multiple scenarios - one where a project stays with PK being an integer,
 and the other where a project has PK being a string. An example of this is
 Wagtail:

 {{{
 /admin/users/   wagtail.users.views.users.Index wagtailusers_users:index
 /admin/users/<str:pk>/  wagtail.users.views.users.Edit  wagtailusers_users:edit
 /admin/users/<str:pk>/delete/   wagtail.users.views.users.Delete  wagtailusers_users:delete
 }}}

 Unless you wrap every view with a try/except in get_object, it's fairly
 easy to generate 500 errors (just visit /admin/users/hello/).

 Should `get_object` handle these?

 Should the functions in `django.shortcuts` also handle these?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/35108>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
