From my perspective, this issue is about silent data loss, which is about
one of the worst bugs you can have and one that Django typically tries very
hard to avoid or fix, even if it breaks compatibility.

It is extremely easy to cause silent data loss with the behaviour being
discussed. For whatever reason, if a field is not provided in the request
data, then Django is assuming it is an empty string and overwriting
existing data.

Sure, if you're in complete control over your backend and frontend and you
explicitly tell your model forms which fields to *include* (not exclude),
you can protect yourself against *one* scenario where additional fields are
added to a model but the developer forgets to update the corresponding form
class.

But that's not the only scenario. If you *exclude* fields, then new fields
added to the model will still be included automatically, and if the form
data doesn't include them, there could be silent data loss.

And the client submitting data could be completely outside the control of
the backend developer. Either it's managed by another developer or another
team, or it's entirely 3rd party code that the backend developer doesn't
even know exists. Explicitly defining which fields to include or exclude
won't help prevent silent data loss here.

Cheers.
Tai.
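
A standalone Python model of the behaviour this thread describes, added here as an illustration and not code from the thread or from Django itself: a bound form whose data lacks a key cleans that key to "" and, on save, writes it over the existing value. The `Author` model, its field names and the sample POST data are constructed for the example. `value_omitted_from_data()` is a real Django widget method; the guarded save applies the same test that Django's `construct_instance()` applies, but only to model fields that declare a default, and `fields_at_risk()` is a hypothetical audit helper that reports which stored values a naive save would erase.

```python
"""Simplified model of ModelForm binding and saving (constructed example)."""

from dataclasses import dataclass
from typing import Any, Dict, Iterable, List


@dataclass
class Author:
    """Constructed stand-in for a model with three blank=True text fields."""
    name: str = ""
    bio: str = ""
    website: str = ""


class CharField:
    """Mimics forms.CharField(required=False): a missing value cleans to ''."""

    empty_values = (None, "", [], (), {})

    def clean(self, value: Any) -> str:
        return "" if value is None else str(value)


class ModelForm:
    """Minimal model of a bound ModelForm for the Author model above."""

    all_fields = ("name", "bio", "website")

    def __init__(self, data: Dict[str, Any], instance: Author,
                 fields: Iterable[str] = all_fields):
        self.data = data
        self.instance = instance
        self.fields = {n: CharField() for n in fields}
        # As in Django: the widget yields None for an absent key, and
        # CharField.clean() turns that None into "".
        self.cleaned_data = {n: f.clean(data.get(n)) for n, f in self.fields.items()}

    def value_omitted_from_data(self, name: str) -> bool:
        # Same answer a TextInput widget's value_omitted_from_data() gives.
        return name not in self.data

    def save_naive(self) -> Author:
        # Write back every form field, submitted or not: the silent overwrite.
        for n, value in self.cleaned_data.items():
            setattr(self.instance, n, value)
        return self.instance

    def save_guarded(self) -> Author:
        # Skip a field the client never sent whose cleaned value is empty;
        # an explicitly submitted "" still clears the field on purpose.
        for n, value in self.cleaned_data.items():
            if self.value_omitted_from_data(n) and value in CharField.empty_values:
                continue
            setattr(self.instance, n, value)
        return self.instance


def fields_at_risk(data: Dict[str, Any], instance: Author,
                   fields: Iterable[str] = ModelForm.all_fields) -> List[str]:
    """Hypothetical audit helper: non-empty attributes a naive save would erase."""
    return [n for n in fields if n not in data and getattr(instance, n)]


if __name__ == "__main__":
    ada = Author(name="Ada", bio="Wrote the first program.", website="https://example.org")
    partial_post = {"name": "Ada Lovelace"}  # constructed: the client sent only name
    print("at risk:", fields_at_risk(partial_post, ada))
    print("guarded:", ModelForm(partial_post, Author(**vars(ada))).save_guarded())
    print("naive:  ", ModelForm(partial_post, ada).save_naive())
```

Restricting the form with `fields=("name",)` is the explicit-include approach from the message above: the unsubmitted fields are never part of the form, so neither save path touches them. The guarded save covers the other case, where the form does contain the field but the client, whoever wrote it, did not send it.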


On Tue, Jan 23, 2018 at 10:13 AM, Curtis Maloney <cur...@tinbrain.net>
wrote:

> On 01/22/2018 06:03 PM, Anupam Jain wrote:
>
>> Wow - I just realised that we have been losing data for some time on our
>> web platform since there were some fields in the ModelForm that were hidden
>> and not being sent. They were all being overwritten as blank values. Thank
>> God, we use django-reversion to track changes. Will take us some time to
>> recover the data though.
>>
>
> Just something vaguely related that this post prompted in me ...
>
> My general guide is... if you're using hidden fields, then you're probably
> doing it wrong.
>
> There are very few valid cases for passing data in hidden fields. In most
> cases you really want to exclude the fields from the model. This has the
> added benefit of protecting from a malicious user who edits the values of
> the hidden fields.
>
> A ModelForm will _only_ update fields on the model that it has fields for.
> No matter what the user - or your code [such as clean functions] - manages
> to get into the cleaned_data dict.
>
> --
> Curtis
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAEJB-EOZX8BuTAXKX63zUmP3XwtaPuwSgajXF7gO%2BVBd%2BHJ2hQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
