Re: First Contribution Django

2022-01-05 Thread Richard Dushime
OKAY, LET ME GO THROUGH. THANK YOU

On Wednesday, January 5, 2022 at 7:47:52 PM UTC+3 Adam Johnson wrote:

> Hi, if you have everything set up, try the first patch tutorial: 
> https://docs.djangoproject.com/en/4.0/intro/contributing/ . This guides 
> you through writing a code change and the respective unit tests. It should 
> clarify the page you've been looking at, which is more of a reference.
>
> On Wed, 5 Jan 2022 at 16:15, Richard Dushime  wrote:
>
>> Greetings to you all,
>> I am Dushime Mudahera Richard, a learner of Python and Django.
>> I would like to make a contribution to Django. On the first step I
>> read the documentation towards contributing to Django, and I went ahead,
>> cloned the Django repository, created the virtual environment and
>> installed some of the requirements, and I can run the tests, and I
>> also installed tox. After running the unit tests I am lost on the way
>> forward;
>> the link is where I got lost when following the documentation:
>> https://docs.djangoproject.com/en/4.0/internals/contributing/writing-code/unit-tests/
>> ... after tox installation.
>>
>> I kindly need help from you; if I can get someone to give me some time
>> I will appreciate it.
>> Thank you
>>
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/932da6b4-ec45-4ec6-a9de-7f9b8b0edeefn%40googlegroups.com.


Re: First Contribution Django

2022-01-05 Thread 'Adam Johnson' via Django developers (Contributions to Django itself)
Hi, if you have everything set up, try the first patch tutorial:
https://docs.djangoproject.com/en/4.0/intro/contributing/ . This guides you
through writing a code change and the respective unit tests. It should
clarify the page you've been looking at, which is more of a reference.

On Wed, 5 Jan 2022 at 16:15, Richard Dushime  wrote:

> Greetings to you all,
> I am Dushime Mudahera Richard, a learner of Python and Django.
> I would like to make a contribution to Django. On the first step I read
> the documentation towards contributing to Django, and I went ahead, cloned
> the Django repository, created the virtual environment and installed
> some of the requirements, and I can run the tests, and I also installed
> tox. After running the unit tests I am lost on the way forward;
> the link is where I got lost when following the documentation:
> https://docs.djangoproject.com/en/4.0/internals/contributing/writing-code/unit-tests/
> ... after tox installation.
>
> I kindly need help from you; if I can get someone to give me some time
> I will appreciate it.
> Thank you
>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAMyDDM0mPKN7zXYjt-X%2BVaFg2Tx_QUqZ6Lp9nVNXgNmKC-REKA%40mail.gmail.com.


Re: Combining multiple aggregations with annotate()

2022-01-05 Thread charettes
While addressing the issue is complex and will require quite a bit of work 
to solve in a backward-compatible way, I believe that it should be feasible 
to emit a MultipleMultiValuedJoin(RuntimeWarning) with pointers to 
alternatives (e.g. using subqueries), without too much hassle, when 
aggregation is performed and more than one multi-valued relationship is 
involved.

The docs you pointed at mention the multiple aggregation problem but a 
similar thing happens when filtering against a multi-valued relationship 
after a single aggregation[0] so the problem can be generalized to any form 
of aggregation on a query that joins more than one multi-valued 
relationship (n-to-many).

Simon

[0] https://code.djangoproject.com/ticket/33403



On Wednesday, January 5, 2022 at 09:59:24 UTC-5, Yonas wrote:

> In that case, at least there should be a warning message in the 
> documentation. And what do you think of the example? Isn't it contradicting 
> the documentation?
>
> On Wednesday, January 5, 2022 at 5:16:43 PM UTC+3 niccol...@gmail.com 
> wrote:
>
>> I would be in favor of a real time information about the issue.
>> On Wednesday, January 5, 2022 at 15:13:17 UTC+1 Yonas wrote:
>>
>>> Hello,
>>>
>>> There's a ticket opened 13 years ago explaining a problem with combining 
>>> multiple aggregations with annotate(). And the solution appears to be 
>>> documenting the problem.
>>>
>>> But for people skimming through the documentation, the message might not 
>>> be noticeable. Showing the problem in a warning message could help draw 
>>> attention better. It's used here and in other places in the doc.
>>>
>>> In addition to documenting the problem, raising an exception might 
>>> prevent developers from spending hours trying to debug their code.
>>>
>>> While the problem is recognized, there's an example in the documentation 
>>> that shows the usage of multiple aggregations.
>>>
>>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/80f94136-fc8a-4d74-9e1f-c3da77c22bc1n%40googlegroups.com.
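Added here as an illustration, not code from this thread or from Django itself: the fan-out Simon describes above (and that the thread's original post traces back to the old ticket), reproduced directly in SQL through Python's sqlite3 module so it runs without Django. The schema, the row values and the function names are constructed for the example; the ORM calls named in the docstrings are the Django equivalents as I understand them.

```python
import sqlite3

# Constructed sample data, not from the thread: one book with two authors
# (many-to-many through book_author) and three reviews (one-to-many).
SCHEMA = """
CREATE TABLE book (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE author (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE book_author (book_id INTEGER, author_id INTEGER);
CREATE TABLE review (id INTEGER PRIMARY KEY, book_id INTEGER, stars INTEGER);
INSERT INTO book VALUES (1, 'Querysets in Depth');
INSERT INTO author VALUES (1, 'Ada'), (2, 'Alan');
INSERT INTO book_author VALUES (1, 1), (1, 2);
INSERT INTO review VALUES (1, 1, 5), (2, 1, 3), (3, 1, 4);
"""


def connect():
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def aggregates_with_two_joins(conn):
    """The shape the ORM produces for
    Book.objects.annotate(Count('authors'), Count('review'), Sum('review__stars')):
    both multi-valued relations are joined onto the same row set, so every
    review row is repeated once per author (2 x 3 = 6 rows for the book)."""
    row = conn.execute("""
        SELECT b.id, COUNT(ba.author_id), COUNT(r.id), SUM(r.stars)
        FROM book b
        LEFT JOIN book_author ba ON ba.book_id = b.id
        LEFT JOIN review r ON r.book_id = b.id
        GROUP BY b.id
    """).fetchone()
    return {"authors": row[1], "reviews": row[2], "stars": row[3]}


def aggregates_with_subqueries(conn):
    """The alternative Simon points at: each aggregate runs in its own
    correlated subquery, so neither relation fans out the other."""
    row = conn.execute("""
        SELECT b.id,
               (SELECT COUNT(*) FROM book_author ba WHERE ba.book_id = b.id),
               (SELECT COUNT(*) FROM review r WHERE r.book_id = b.id),
               (SELECT SUM(r.stars) FROM review r WHERE r.book_id = b.id)
        FROM book b
    """).fetchone()
    return {"authors": row[1], "reviews": row[2], "stars": row[3]}


def review_count_filtered_by_author(conn, name_prefix):
    """Simon's generalisation: a single aggregate plus a filter on a different
    multi-valued relation (annotate(Count('review')) followed by
    filter(authors__name__startswith=...)) still multiplies the review rows
    by the number of authors the filter matches."""
    row = conn.execute("""
        SELECT b.id, COUNT(r.id)
        FROM book b
        JOIN book_author ba ON ba.book_id = b.id
        JOIN author a ON a.id = ba.author_id
        LEFT JOIN review r ON r.book_id = b.id
        WHERE a.name LIKE ? || '%'
        GROUP BY b.id
    """, (name_prefix,)).fetchone()
    return row[1]


if __name__ == "__main__":
    conn = connect()
    print("two joins  :", aggregates_with_two_joins(conn))              # inflated
    print("subqueries :", aggregates_with_subqueries(conn))             # correct
    print("filter 'A' :", review_count_filtered_by_author(conn, "A"))   # two authors match
    print("filter 'Al':", review_count_filtered_by_author(conn, "Al"))  # one author matches
```

Passing distinct=True to Count repairs the two counts in the joined form but does nothing for the Sum, which is why the subquery form is the general fix rather than a special case. The filter function shows the same row multiplication appearing with only one aggregate on the query, as soon as the WHERE clause needs a second multi-valued join.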


First Contribution Django

2022-01-05 Thread Richard Dushime
Greetings to you all,
I am Dushime Mudahera Richard, a learner of Python and Django.
I would like to make a contribution to Django. On the first step I read 
the documentation towards contributing to Django, and I went ahead, cloned 
the Django repository, created the virtual environment and installed 
some of the requirements, and I can run the tests, and I also installed 
tox. After running the unit tests I am lost on the way forward;
the link is where I got lost when following the 
documentation:
https://docs.djangoproject.com/en/4.0/internals/contributing/writing-code/unit-tests/
... after tox installation.

I kindly need help from you; if I can get someone to give me some time I 
will appreciate it.
Thank you

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/b4074c6c-5745-47ef-8265-bec7cd3cab0fn%40googlegroups.com.


Re: Combining multiple aggregations with annotate()

2022-01-05 Thread Yonas
In that case, at least there should be a warning message in the 
documentation. And what do you think of the example? Isn't it contradicting 
the documentation?

On Wednesday, January 5, 2022 at 5:16:43 PM UTC+3 niccol...@gmail.com wrote:

> I would be in favor of a real time information about the issue.
> On Wednesday, January 5, 2022 at 15:17:17 UTC+1 Yonas wrote:
>
>> Hello,
>>
>> There's a ticket opened 13 years ago explaining a problem with combining 
>> multiple aggregations with annotate(). And the solution appears to be 
>> documenting the problem.
>>
>> But for people skimming through the documentation, the message might not 
>> be noticeable. Showing the problem in a warning message could help draw 
>> attention better. It's used here and in other places in the doc.
>>
>> In addition to documenting the problem, raising an exception might 
>> prevent developers from spending hours trying to debug their code.
>>
>> While the problem is recognized, there's an example in the documentation 
>> that shows the usage of multiple aggregations.
>>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/4510dfea-a7ba-4281-af9e-ebb190e4b6e1n%40googlegroups.com.


Re: Combining multiple aggregations with annotate()

2022-01-05 Thread Kye Russell
I haven’t looked at the current warning in a while but I do remember thinking 
that it could be more prominent. 

Kye

> On 5 Jan 2022, at 10:16 pm, Niccolò Mineo  wrote:
> 
> I would be in favor of a real time information about the issue.
> On Wednesday, January 5, 2022 at 15:13:17 UTC+1 Yonas wrote:
>> Hello,
>> 
>> There's a ticket opened 13 years ago explaining a problem with combining 
>> multiple aggregations with annotate(). And the solution appears to be 
>> documenting the problem.
>> 
>> But for people skimming through the documentation, the message might not be 
>> noticeable. Showing the problem in a warning message could help draw 
>> attention better. It's used here and in other places in the doc.
>> 
>> In addition to documenting the problem, raising an exception might prevent 
>> developers from spending hours trying to debug their code.
>> 
>> While the problem is recognized, there's an example in the documentation 
>> that shows the usage of multiple aggregations.
>> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/1e17088d-dd5f-481e-94c7-2b4d2bcfa91dn%40googlegroups.com.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/8FDCF601-5ECB-430C-BAB4-6BC27F4308F5%40kye.id.au.


Re: Combining multiple aggregations with annotate()

2022-01-05 Thread Niccolò Mineo
I would be in favor of a real time information about the issue.
On Wednesday, January 5, 2022 at 15:13:17 UTC+1 Yonas wrote:

> Hello,
>
> There's a ticket opened 13 years ago explaining a problem with combining 
> multiple aggregations with annotate(). And the solution appears to be 
> documenting the problem.
>
> But for people skimming through the documentation, the message might not 
> be noticeable. Showing the problem in a warning message could help draw 
> attention better. It's used here and in other places in the doc.
>
> In addition to documenting the problem, raising an exception might prevent 
> developers from spending hours trying to debug their code.
>
> While the problem is recognized, there's an example in the documentation 
> that shows the usage of multiple aggregations.
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1e17088d-dd5f-481e-94c7-2b4d2bcfa91dn%40googlegroups.com.


Combining multiple aggregations with annotate()

2022-01-05 Thread Yonas


Hello,

There's a ticket opened 13 years ago explaining a problem with combining 
multiple aggregations with annotate(). And the solution appears to be 
documenting the problem.

But for people skimming through the documentation, the message might not be 
noticeable. Showing the problem in a warning message could help draw 
attention better. It's used here and in other places in the doc.

In addition to documenting the problem, raising an exception might prevent 
developers from spending hours trying to debug their code.

While the problem is recognized, there's an example in the documentation 
that shows the usage of multiple aggregations.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/09a8b1df-414e-4dd1-a202-0c6833b50c91n%40googlegroups.com.


Re: Django security releases issued: 4.0.1, 3.2.11, and 2.2.26

2022-01-05 Thread SJ Postmus
Dear Florian,

Thank you for taking the time to reply to this email.
From: django-developers@googlegroups.com on behalf of Florian Apolloner
Sent: 04 January 2022 16:45
To: Django developers (Contributions to Django itself)
Subject: Re: Django security releases issued: 4.0.1, 3.2.11, and 2.2.26

Hi,

On Tuesday, January 4, 2022 at 2:09:18 PM UTC+1 Sjoerd Job Postmus wrote:
Unfortunately (at least for us), this breaks the case where dictsort was used 
with a static argument that looked up a callable. A quick code search showed 
that the pattern dictsort.*get 
(https://github.com/search?q=%22dictsort.*get%22=Code) is less used than I 
would expect it to be used, but used nonetheless.

I expected as much; literally every security fix nowadays will break some code. 
Sorry about that. You can change it to a property or write your own filter I 
guess.
Yes, of course. I guess we'll introduce some kind of objsort ourselves for 
our use cases by copy/pasting the original dictsort implementation.
On the other hand, searching publicly viewable code for cases where dictsort 
gets a dynamic value yields very little results: 
https://grep.app/search?q=dictsort%3A%5B%5E%22%270-9%5D=true=true, 
only one which I can recognize as a Django template: 
https://github.com/crodas/Haanga/blob/develop/tests/assert_templates/regroup.tpl#L3
 .

Yes, that said there is no easy way for a template filter to determine whether 
it is a variable or a literal (I'd say it is simply impossible). Our first 
approach would have been to limit only those values provided via variables… I 
do not think that is possible in a nice way though and probably too much for a 
security patch.
Likely possible, but at least very difficult without writing the tokenizer 
yourself instead of using register.tag, and definitely not something one would 
like to do in a security patch, I agree.
Since the previous behaviour of allowing callables was in place already in 
2005, (I could find 
https://github.com/django/django/commit/ed114e15106192b22ebb78ef5bf5bce72b419d13#diff-e05e2e8efbf1fa5eea1ffee16cc8b740cba7b1bff746b2e55cebf968a0983f2cR192,
 where the filter is introduced), I would argue that even though it may not 
have been explicitly documented that this syntax allows callables, I don't 
think it's far fetched to consider it to always have supported.

I would argue that the Django team always said that the documentation is the 
public API. Everything else works by luck. I even went as far as supporting 
lookups on objects (i.e. a list of objects as opposed to a list of dicts) because 
I assumed that people would use that often (and the docs clearly say this 
filter is for dicts).
Yes, indeed, Django's position has always been such, and I think that's in 
general a very good position.
However, before creating a ticket, I was wondering what the sentiment of 
django-developers is here. My own sentiments are summarized by what's also 
mentioned in the announcement blogpost.

From a security PoV I think this is not going to fly. The main issue here is 
that dictsort should perform a rather limited subset of normal template 
variable resolution -- if we were going to support callables again we'd have 
to also support `alter_data` etc. (which is forbidden in templates) and then we 
are basically back to what the previous code did. We opted for the most 
limited subset possible while allowing a relatively wide range of code to keep 
working; I don't think adding more features to that filter is feasible.
I think this is where I differ in opinion. The question to me is whether 
dictsort should perform a rather limited subset of normal template variable 
resolution or not, and I would myself have chosen to update the documentation 
instead of changing the implementation. However, I expect you to have discussed 
this internally in the security team as well, and you've landed on a different 
conclusion than I would have. Given my experience with communicating with the 
security team before, I know I can trust that your decision is the right 
decision for Django.
>  As a reminder, all untrusted user input should be validated before use.

As an example, even with the change, {% for user in users|dictsort:"password" 
%} would still be supported, which would still be counted as potential information 
disclosure.

There is a massive difference though. Being able to sort by every index inside 
the password means that you need to control far fewer password hashes than in 
your example to get a useful result. To be honest I do not think it is very 
realistic to use that attack on the password; but it might be usable for 
shorter API tokens or so that you can also view in plaintext.
Yes, agreed. Being able to sort by any arbitrary index of an API key would 
indeed be problematic from a security PoV.
I hope that helps.

Cheers,
Florian
Yes, thank you for your reply. Very much appreciated.

Kind regards,
Sjoerd Job Postmus

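To make the distinction Florian and Sjoerd are discussing concrete, here is an added example, not Django's code and not from any message in this thread: a dictsort-style filter whose key resolver performs only the limited subset of variable resolution, walking dict keys and then public attributes, never invoking a callable it finds, and never turning a digit segment into a string index, so a sort key such as `password_hash.0` cannot be resolved while sorting by a whole field still works. The User class, the sample values, the function names and the exact error handling are all constructed for the example.

```python
from operator import itemgetter


# Constructed sample objects, not from the thread: a view might hand a list of
# these to a template that renders {% for user in users|dictsort:"username" %}.
class User:
    def __init__(self, username, password_hash):
        self.username = username
        self.password_hash = password_hash
        self._internal_note = "not for templates"

    def delete(self):
        # A callable with side effects. Full template variable resolution would
        # call it; a sort-key resolver must never reach it.
        raise RuntimeError("side effect reached from a template filter")


def restricted_resolver(arg):
    """Build a sort-key function for a dictsort-style filter.

    Assumed re-implementation of the idea described in the thread, not Django's
    code: an integer (or all-digit string) argument indexes a sequence, as
    operator.itemgetter does; a dotted string walks dict keys and then public
    attributes only. A digit segment inside a dotted path is not converted to
    an int, so it cannot index into a string value, and any segment that
    resolves to a callable is rejected instead of being called.
    """
    if isinstance(arg, int) or (isinstance(arg, str) and arg.isdigit()):
        return itemgetter(int(arg))
    parts = str(arg).split(".")
    if any(part.startswith("_") for part in parts):
        raise AttributeError("Access to private variables is forbidden.")

    def resolve(value):
        for part in parts:
            try:
                value = value[part]          # dict-style lookup first
            except (KeyError, TypeError, IndexError):
                value = getattr(value, part)  # then attribute lookup; AttributeError propagates
            if callable(value):
                raise TypeError(f"{part!r} resolves to a callable, which this filter does not follow")
        return value

    return resolve


def dictsort(value, arg):
    """Sort a list of dicts or objects by the key described by arg.

    Any resolution failure yields '' so the template renders nothing rather
    than an exception (assumed contract for the example, not Django's exact code).
    """
    try:
        return sorted(value, key=restricted_resolver(arg))
    except (AttributeError, KeyError, TypeError, ValueError, IndexError):
        return ""


if __name__ == "__main__":
    users = [User("bob", "h2"), User("alice", "h1")]
    print([u.username for u in dictsort(users, "username")])   # plain attribute: sorted
    print(repr(dictsort(users, "password_hash.0")))            # per-character key: refused
    print(repr(dictsort(users, "delete")))                     # callable: refused, never called
    print(repr(dictsort(users, "_internal_note")))             # private attribute: refused
```

Sorting by the whole `password_hash` field still succeeds, exactly the residual case Sjoerd raises and Florian judges far less useful to an attacker than per-index sorting; the resolver cannot distinguish a literal filter argument from a variable, which is why the thread treats validating untrusted input before it reaches a template as the other half of the defence.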