Re: about ticket 28588- has_perm hide non-existent permissions

[Curtis Maloney]

On 09/25/2017 08:56 PM, Dan Watson wrote:
Seems like maybe it would be more helpful if has_perm logged a note 
about the permission not existing (probably only in debug), rather than 
just returning False. In fact, I'd argue it should still return True -- 
if the permission did exist, the superuser would have it. And there's a 
backwards-compatibility argument. Think of superusers more as 
"permissions don't apply to me" than "I have all permissions".


I agree with the logging... however, I think has_perm should always 
return False for non-existent permissions.  This will mean any 
half-decent level of testing will uncover a typo in a permission name, 
since you will never trigger the True state.


This would also be an argument for is_superuser to equate to "has all 
the perms" instead of "has_perm always says true".


--
Curtis




Dan


--
You received this message because you are subscribed to the Google Groups "Django 
developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/ee6d4c13-97c8-09b5-49dd-b92bbab15616%40tinbrain.net.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Jonas Haag]

> Am 26.09.2017 um 22:50 schrieb Aymeric Augustin 
> :
> 
> Hello,
> 
> This could be a regression because 
> https://github.com/django/django/commit/3483682749577b4b5a8141a766489d5b460e30e9
>  
> 
>  looks like it implemented that behavior;

The patch doesn’t implement that behaviour, as can be seen here: 
https://github.com/django/django/commit/3483682749577b4b5a8141a766489d5b460e30e9#diff-8cbe1fb6d589cb6e35b956704d7a1285L881
 

 It still force_text’s everything.

Looks like this has indeed never been implemented in Django. Maybe as on 
oversight from the original suggestion by Armin, or maybe on purpose (why 
though?)?

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/ABB4EC7A-8EBE-4562-8927-DE0A1EA2AA9E%40lophus.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Jonas Haag]

> Aymeric Augustin:
> 
>> On 26 Sep 2017, at 22:56, Jonas Haag > > wrote:
>> 
>> Without having had a look at any of the links you’ve posted, this does NOT 
>> work in Jinja2 the way I suggested:
>> 
>> >>> jinja2.Template('{{foo}}').render({'foo': Money('1', '$')})
>> '$ 1'
>> 
>> So whatever the changes for better __html__ interoperability were, they seem 
>> unrelated to what I’m suggesting.
> 
> 
> That's because Jinja2 priorizes speed over security and disables autoescaping 
> by default. To trigger __html__, you need to enable it.

I see, thanks for pointing this out!

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/FB1E71B7-80D9-46AA-86A7-F8EC68D44684%40lophus.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Aymeric Augustin]

And the test case for Django templates is:

>>> class Money:
... def __init__(self, amount, currency):
... self.amount = amount
... self.currency = currency
... def __str__(self):
... return 'str %s %s' % (self.currency, self.amount)
... def __html__(self):
... # Always show amount and currency on same line
... return 'html %s %s' % (self.currency, self.amount)
...
>>> from django.template import Context, Engine
>>> Engine().from_string('{{foo}}').render(Context({'foo': Money('1', '$')}))
'str $ 1'

This should return 'html $ 1'.

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/937826E3-338A-411D-A260-26BA6D3EA0F4%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Aymeric Augustin]

> On 26 Sep 2017, at 22:56, Jonas Haag  wrote:
> 
> Without having had a look at any of the links you’ve posted, this does NOT 
> work in Jinja2 the way I suggested:
> 
> >>> jinja2.Template('{{foo}}').render({'foo': Money('1', '$')})
> '$ 1'
> 
> So whatever the changes for better __html__ interoperability were, they seem 
> unrelated to what I’m suggesting.


That's because Jinja2 priorizes speed over security and disables autoescaping 
by default. To trigger __html__, you need to enable it.

Slightly adapted example:

>>> class Money:
... def __init__(self, amount, currency):
... self.amount = amount
... self.currency = currency
... def __str__(self):
... return 'str %s %s' % (self.currency, self.amount)
... def __html__(self):
... # Always show amount and currency on same line
... return 'html %s %s' % (self.currency, self.amount)
...
>>> import jinja2
>>> jinja2.Template('{{foo}}', autoescape=True).render({'foo': Money('1', '$')})
'html $ 1'
>>> jinja2.Template('{{foo}}').render({'foo': Money('1', '$')})
'str $ 1'

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/59CCBDEF-0DB7-4E84-A9F9-4D57F1544A77%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Jonas Haag]

> Aymeric Augustin:
> This could be a regression

Without having had a look at any of the links you’ve posted, this does NOT work 
in Jinja2 the way I suggested:

>>> jinja2.Template('{{foo}}').render({'foo': Money('1', '$')})
'$ 1'

So whatever the changes for better __html__ interoperability were, they seem 
unrelated to what I’m suggesting.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/A1BE33F9-0E6F-4935-87ED-832DAB8D3A75%40lophus.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Aymeric Augustin]

On 26 Sep 2017, at 22:18, Brice Parent  wrote:
> Only question: Where should it stop? Should there also be a __json__, a 
> __yaml__ and an __xml__ methods?


Hello,

__html__ is a fairly well established convention in the Python community, 
pioneered by Armin Ronacher around 2006 (give or take a couple years).

He first suggested Django supported it just over ten years ago: 
https://groups.google.com/d/msg/django-developers/IGsLpBwiKbc/4WeewXq2d1oJ 


I'm not aware of any other conventional dunder method with such widespread 
adoption.

Best regards,

-- 
Aymeric.



-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/C8A056AC-69A1-4F0A-A669-2CE7EA638B65%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Aymeric Augustin]

Hello,

This could be a regression because 
https://github.com/django/django/commit/3483682749577b4b5a8141a766489d5b460e30e9
 

 looks like it implemented that behavior; unfortunately but didn't include a 
test for the template engine, only for the escaping APIs.

(If it's indeed a regression and someone feels like bisecting it, I'm taking 
bets on the multiple template engines patch I landed in 1.8...)

Looking at https://code.djangoproject.com/ticket/23831 
 and 
https://code.djangoproject.com/ticket/7261 
, the intent was to provide full 
interoperability between Django and HTML escaping implementations that support 
on __html__; there was no exception for the template engine.

If someone wants to write a patch with a test, the least I can do is review it 
:-)

Best regards,

-- 
Aymeric.



> On 26 Sep 2017, at 14:34, Jonas H  wrote:
> 
> Proposal: Support the __html__ method as an alternative/addition to the 
> __str__ for turning objects into strings in the template layer.
> 
> If this has been discussed before, please point me to it; I couldn't find 
> anything with the search function.
> 
> Some custom classes may have, in addition to a __str__ representation, a 
> natural representation that is better suited for HTML output. Example:
> 
> class Money:
> def __init__(self, amount, currency):
> self.amount = amount
> self.currency = currency
> 
> def __str__(self):
> return '%s %s' % (self.currency, self.amount)
> 
> def __html__(self):
> # Always show amount and currency on same line
> return '%s\xa0%s' % (self.currency, self.amount)
> 
> `conditional_escape` and friends already consider the __html__ method, and 
> this works out well:
> 
> >>> str(Money(1, '$'))
> '$ 1'
> >>> conditional_escape(Money(1, '$'))
> '$\xa01'
> 
> In templates however it doesn't work that way because variables are always 
> turned into strings before stuffing them into `conditional_escape` (see 
> https://github.com/django/django/blob/98706bb35e7de0e445cc336f669919047bf46b75/django/template/base.py#L977).
>  My suggestion is to change the behaviour of that function so that it works 
> as follows:
> 
> - Given I write {{ foo }}
> - Does foo have a __html__ method? If yes, return `foo.__html__()`
> - Otherwise, return `conditional_escape(str(foo))`
> 
> Do think that's a good idea?
> 
> Jonas
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com 
> .
> To post to this group, send email to django-developers@googlegroups.com 
> .
> Visit this group at https://groups.google.com/group/django-developers 
> .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/ea088de2-e538-4808-a7fd-8726929e2b91%40googlegroups.com
>  
> .
> For more options, visit https://groups.google.com/d/optout 
> .

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/43625211-C1EF-41C1-A518-A42A1979C5F0%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Tom Forbes]

The problem with something more complex like yaml or json is it's not easy
to combine the output. If those methods return a string, as in actual json,
it's not easy to do anything with them (like combine them into an array or
another object). YAML is also whitespace sensitive. If they return a dict
or some python object that can be combined and serialised as a whole, then
that's kind of confusing and could be more generic.

XML and HTML don't suffer as much from this I think.

On 26 Sep 2017 21:18, "Brice Parent"  wrote:

> I like the idea a lot. But wouldn't it be better to have it as a separate
> library? It seems to be something that could be quite common, and have many
> use cases both inside and outside Django (we could sometimes benefit from
> having an html exception message for example).
>
> And I guess that would mean we should also have an html() function which
> would call .__html__() if it exists, and fallback to .__str__() if not.
>
> Django's template would call this html() function in its templates, while
> models and other objects could just declare this __html__() method.
>
> And if it gets adopted by more than just Django, it could be integrated
> into the standard Python library and benefit to many more projects.
>
> Only question: Where should it stop? Should there also be a __json__, a
> __yaml__ and an __xml__ methods? Those are also quite common
> representations we could want from a class, even more nowadays that a big
> tendency is to develop microservices which communicate through APIs, and
> frontends being more and more delegated to javascript libraries.
>
> Le 26/09/17 à 14:34, Jonas H a écrit :
>
> Proposal: Support the __html__ method as an alternative/addition to the
> __str__ for turning objects into strings in the template layer.
>
> If this has been discussed before, please point me to it; I couldn't find
> anything with the search function.
>
> Some custom classes may have, in addition to a __str__ representation, a
> natural representation that is better suited for HTML output. Example:
>
> class Money:
> def __init__(self, amount, currency):
> self.amount = amount
> self.currency = currency
>
> def __str__(self):
> return '%s %s' % (self.currency, self.amount)
>
> def __html__(self):
> # Always show amount and currency on same line
> return '%s\xa0%s' % (self.currency, self.amount)
>
> `conditional_escape` and friends already consider the __html__ method, and
> this works out well:
>
> >>> str(Money(1, '$'))
> '$ 1'
> >>> conditional_escape(Money(1, '$'))
> '$\xa01'
>
> In templates however it doesn't work that way because variables are always
> turned into strings before stuffing them into `conditional_escape` (see
> https://github.com/django/django/blob/98706bb35e7de0e445cc336f669919
> 047bf46b75/django/template/base.py#L977). My suggestion is to change the
> behaviour of that function so that it works as follows:
>
> - Given I write {{ foo }}
> - Does foo have a __html__ method? If yes, return `foo.__html__()`
> - Otherwise, return `conditional_escape(str(foo))`
>
> Do think that's a good idea?
>
> Jonas
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/django-developers/ea088de2-e538-4808-a7fd-
> 8726929e2b91%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/django-developers/b3d37420-052d-74a2-5a39-e10d4c180f17%40brice.xyz
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegrou

Re: Templates: __html__ method support

[Jonas Haag]

> Collin Anderson:
> I think this is a good idea. Django has used __html__ internally for the last 
> 4 years so it's not something new [0]. I'm surprised this doesn't work 
> out-of-the box.


I too expected this to work already, and I was surprised to find it doesn’t. 
Hence this thread. (It also surprises me that this hasn’t been discussed on 
this list before, to be honest.)

> Brice Parent:
> I like the idea a lot. But wouldn't it be better to have it as a separate 
> library? It seems to be something that could be quite common, and have many 
> use cases both inside and outside Django (we could sometimes benefit from 
> having an html exception message for example). 
> 

As you have correctly observed this can’t live in a separate library entirely 
as it requires integration into the template language to be useful:
> Django's template would call this html() function in its templates, while 
> models and other objects could just declare this __html__() method.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/99A37EDD-250A-45D3-A1FF-F4E429B5EFB5%40lophus.org.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[Collin Anderson]

I think this is a good idea. Django has used __html__ internally for the
last 4 years so it's not something new [0]. I'm surprised this doesn't work
out-of-the box.

[0] https://code.djangoproject.com/ticket/7261

On Tue, Sep 26, 2017 at 9:26 AM, George-Cristian Bîrzan 
wrote:

> On Tuesday, September 26, 2017 at 3:34:29 PM UTC+3, Jonas H wrote:
>>
>> Proposal: Support the __html__ method as an alternative/addition to the
>> __str__ for turning objects into strings in the template layer.
>>
>>
> Dunder methods' names shouldn't be invented, so a better name is needed.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/django-developers/16f056c0-0ed8-424f-ae9e-
> 9ab7a7bf66cb%40googlegroups.com
> 
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAFO84S6Wx8APyAtTH1Z-p_YJi%3DFYkLUqWq2tdrtbevzJAiqndQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Templates: __html__ method support

[George-Cristian Bîrzan]

On Tuesday, September 26, 2017 at 3:34:29 PM UTC+3, Jonas H wrote:
>
> Proposal: Support the __html__ method as an alternative/addition to the 
> __str__ for turning objects into strings in the template layer.
>
>
Dunder methods' names shouldn't be invented, so a better name is needed.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/16f056c0-0ed8-424f-ae9e-9ab7a7bf66cb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Templates: __html__ method support

[Jonas H]

Proposal: Support the __html__ method as an alternative/addition to the 
__str__ for turning objects into strings in the template layer.

If this has been discussed before, please point me to it; I couldn't find 
anything with the search function.

Some custom classes may have, in addition to a __str__ representation, a 
natural representation that is better suited for HTML output. Example:

class Money:
def __init__(self, amount, currency):
self.amount = amount
self.currency = currency

def __str__(self):
return '%s %s' % (self.currency, self.amount)

def __html__(self):
# Always show amount and currency on same line
return '%s\xa0%s' % (self.currency, self.amount)

`conditional_escape` and friends already consider the __html__ method, and 
this works out well:

>>> str(Money(1, '$'))
'$ 1'
>>> conditional_escape(Money(1, '$'))
'$\xa01'

In templates however it doesn't work that way because variables are always 
turned into strings before stuffing them into `conditional_escape` 
(see 
https://github.com/django/django/blob/98706bb35e7de0e445cc336f669919047bf46b75/django/template/base.py#L977).
 
My suggestion is to change the behaviour of that function so that it works 
as follows:

- Given I write {{ foo }}
- Does foo have a __html__ method? If yes, return `foo.__html__()`
- Otherwise, return `conditional_escape(str(foo))`

Do think that's a good idea?

Jonas

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/ea088de2-e538-4808-a7fd-8726929e2b91%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.