Re: Forms submitted by bots
2019-12-14
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
We had the same problem and didn't want to use recaptcha because it's too hard for some users (i.e. senior users). So, we used django-simple-captcha, but that didn't stop some of the bots. Our SecOps produced automated captcha parsing scripts so that we could fine-grain configuration, and found
Re: [Probably BUG] set_password and check_password accept values other than string as parameters
2020-03-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
I agree with Adam, but in this case it seems to pose a security risk in case of user mistake, as such, raising a ValueError would have protected against the mistake of passing empty passwords, unless you consider empty passwords a feature of course in which case please dismiss my email.
Re: Discuss ticket 20264: URLValidator should allow underscores in local hostname
2020-03-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
> when there are many sites in the wild that use underscore in their domain > name. Can you share some examples please? In general, we should abide by standards unless we have a really good reason. In my experience I always had to replace underscores by dashes for one reason or another in hostn
queryset.iterator() and prefetch_related()
2020-04-28
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Hi all, I notice a piece of code inside ModelChoiceIterator that seems to keep going a bit back and forth, currently it looks like this:

    # Can't use iterator() when queryset uses prefetch_related()
    if not queryset._prefetch_related_lookups:
        queryset = queryset.iterator()

But
Re: queryset.iterator() and prefetch_related()
2020-04-28
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Sorry I sent the mail prior to finishing, redoing fully from here: I notice a piece of code inside ModelChoiceIterator that seems to keep going a bit back and forth, currently it looks like this:

    # Can't use iterator() when queryset uses prefetch_related()
    if not queryset._prefet
Re: queryset.iterator() and prefetch_related()
2020-06-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
We've decided to open a ticket and MR for it: https://github.com/percipient/django-querysetsequence/issues/67 (that would happen this weekend) If there's any objection please let us know. Have a great day ‐‐‐ Original Message ‐‐‐ On Tuesday, April 28, 2020 6:39 PM, 1337 Shadow Hacker <1
Re: queryset.iterator() and prefetch_related()
2020-06-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Well that's good to know, thank you charettes! Does that mean that the piece of code from forms that's using "private" API from QuerySet is going away in the next Django version? In this case, we probably don't have to do anything on our end?
Re: queryset.iterator() and prefetch_related()
2020-06-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Awesome, thank you so much charettes. We're implementing the "private" attribute meanwhile so there's no rush. Have a great day -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this gro
Re: Management of static assets
2020-06-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
On Saturday, May 9, 2020 10:39 PM, Aymeric Augustin wrote: > Perhaps Django could standardize a way to accumulate a list of CSS and JS > assets to include in a page, which could then be rendered in HTML, perhaps > after optimizations (provided by third party apps). The Cubic web framework ha
./manage.py settings
2020-06-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Hi all, So, just on #django IRC channel there was a user trying to help another one, asking for some settings through ./manage.py shell etc ... A discussion that went kind of like "Print out your settings" "How would I print, I tried that, I'm in settings.py" "With ... print()" "but in the shel
Re: ./manage.py settings
2020-06-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
It wasn't discussed indeed, nice command, thank you!
Re: Management of static assets
2020-07-06
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Web components are now standard HTML without JS frameworks, so that could be supported by Django. In which case, even StencilJS tsx components would work out of the box. Prior to rendering, a middleware could scan the response and add the registered scripts/styles for the custom HTML tags it fi
Re: Making startproject's settings more 12-factor-y
2020-07-07
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Do we really need DJANGO_ prefix on env vars? In my first years of practicing 12-factor I used such prefix, but the last 5-6 years I let it go, because I just ended up with a list full of DJANGO_ variables in a containerized where only Django is running.
Re: Making startproject's settings more 12-factor-y
2020-07-10
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
All right, thank you for your feedback. May I throw in the idea of using DJ_ instead of DJANGO_ as prefix?
Admin webcomponents
2020-07-10
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Hello everybody, Currently, the admin site provides various form fields, and formsets, that depend on JS scripts. These are loaded by form media. Nowadays, webcomponents have made it into standard HTML, all browsers now support: - Custom Elements: https://w3c.github.io/webcomponents/spec/cust
Re: Admin webcomponents
2020-07-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
I cannot state how excited I am to see such a seasoned Django hacker as Jacob being up for the task. I believe I'm not the only one who has had, for a long time now, a vision for Django where the effort in the django.contrib.admin becomes usable outside the admin and ends up beating Rails on ge
collectstatic content hash
2020-07-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Currently, if yourscript.js is served with {% static 'yourscript.js' %}, you open the page in your browser, then change some HTML and yourscript.js and redeploy, reload the page without refreshing browser cache manually then you will see the new HTML with the old version of yourscript.js. This
Re: collectstatic content hash
2020-07-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Sorry, just figured Django already has that! https://docs.djangoproject.com/en/3.0/ref/contrib/staticfiles/#manifeststaticfilesstorage
Re: Admin webcomponents
2020-07-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Hi all, We got a working PoC here: [https://github.com/yourlabs/djwc](https://yourlabs.io/oss/djwc) Advantages: - no more nodejs - no more webpack - no more form.media - as such, much more reusable - no more manual asset management in templates - works with components of any framework that can
Re: Good example of settings_changed signal usage
2020-07-15
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
disconnect/reconnect signals maybe?
Re: Admin webcomponents
2020-07-17
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Another advantage that I figured while finishing the DAL 4.0 PoC offering the AutocompleteLight WebComponent support in addition to Select2: - easy to template with Example:

    def render(self, name, value, attrs=None, renderer=None):
        choice = self.field.queryset.filter(pk=value).first()
        deck = s
Make tag name a variable in form templates
2020-07-23
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Hello Currently, we can set attributes on widgets during runtime but the input tag name is hardcoded: https://github.com/django/django/blob/master/django/forms/templates/django/forms/widgets/input.html Which means that you currently have to copy the input.html template for every web component.
Re: Make tag name a variable in form templates
2020-07-23
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
The type attribute might not be relevant to most custom elements, but they don't matter: if they are not supported then they will not be used. Thank you for your interesting suggestion, do you think it is better to create a widget class per custom element instead of just switching the template_n
Re: Make tag name a variable in form templates
2020-07-23
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
‐‐‐ Original Message ‐‐‐ On Thursday, July 23, 2020 6:53 PM, Adam Johnson wrote: >> do you think it is better to create a widget class per custom element >> instead of just switching the template_name variable or just setti
Re: Make tag name a variable in form templates
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
For those who haven't followed, I'll try to re-explain prior to showing example code: Currently, we can change the attrs declaratively without going through whatever override/boilerplate. In 2020, we can use custom elements, which means that we also need to change the tag name. We don't need
Re: Auto-installation of 3rd party packges
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
There is https://gitlab.com/nerdocs/gdaps There has been discussion about this in the past about app auto-configuration (a feature CakePHP has): https://groups.google.com/g/django-developers/c/Lr4br0OzMQE/m/41hP7kaTAQAJ
Re: Auto-installation of 3rd party packges
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
About your package, I wouldn't have gone "injecting code" in settings, but rather leverage the entry points packaging feature or at least the AppConfig feature.

    class DJDTConfig(AppConfig):
        def setup(self, settings):
            if settings.DEBUG:
                settings.MIDDLEWARE.append('debug_toolbar.middleware ...')
Re: Add verbosity option to manage.py checks that outputs which checks are ran
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Absolutely agree that a verbosity or debug option should print ... debug info.
Re: Auto-installation of 3rd party packges
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
‐‐‐ Original Message ‐‐‐ On Friday, July 24, 2020 7:01 PM, David Rashty wrote: > Nice! And thanks for sharing! I like this idea too. Why did you include "if > settings.DEBUG" by the way? For the sake of the example
Re: Make tag name a variable in form templates
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
If I understand correctly: - changing attrs declaratively is "clean enough" - changing the tag input declaratively is "not clean enough, a custom widget and template must be done" This seems contradictory to me. Should I subclass every widget to add a custom template that allows changing the t
Re: Make tag name a variable in form templates
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
You're absolutely right, except that I'm not trying to contribute a datepicker in Django, I'm not trying to make a reusable datepicker, I'm just trying to change the tag name as easily as I can change the tag attributes because it's now a valid W3C standard.
Re: Make tag name a variable in form templates
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
There is no consistent philosophy that lets us change tag attributes but not tag names once it's valid HTML. These templates were not made for custom elements because they didn't exist, but it turns out supporting the custom element W3C standard is super easy: just let users set the tag name li
Re: Make tag name a variable in form templates
2020-07-24
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Wait a minute you, are you suggesting that we should have a Python API to generate HTML tags (like, Ryzom, Iommi, and many others) and build on that instead of templates for widgets? I wouldn't have asked for so much, but I really love this idea, as someone who is deeply bored by templates, wh
Django default input validation accepts special caracters
2020-08-18
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Currently, when you order a security audit on a Django project from any of the firms I've seen so far (including my own), all inputs fall short on stuff like: "First name input: allows special characters such as <>/"' which may cause a security issue with further developments done on the same dat
Re: Django default input validation accepts special caracters
2020-08-18
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Well, at least in my country there's a law that tells what characters are allowed in names, anyway, a single name field would be cool but off topic here: "first name" was used here as an example to illustrate that Django projects are audited as insecure because there is no input validation at al
Re: Django default input validation accepts special caracters
2020-08-19
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Thanks for the comment Florian, it's just basic hygiene really, don't leave open ports you don't need, never trust user inputs for characters they don't need, and so on.
Re: Django default input validation accepts special caracters
2020-08-19
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
And I'm sorry if I offended Mister alert("pwnd") :)
Re: Django default input validation accepts special caracters
2020-08-19
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
> Input validation is performed to ensure only properly formed data is entering > the workflow in an information system, preventing malformed data from > persisting in the database and triggering malfunction of various downstream > components. Input validation should happen as early as possible
Re: Django default input validation accepts special caracters
2020-08-19
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Opened an issue on the OWASP project, reporting the reasoning of the consensus made on this mailing list as best as I could: https://github.com/OWASP/CheatSheetSeries/issues/472 Please feel free to comment or request changes on the issue.
Re: Django default input validation accepts special caracters
2020-08-19
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
> This may be true - not all people have first_name & last_name or want to use > them online. But it's also convenient to be able to call a person by their > first name, and also allow them to use their full name on the website. I completely agree with you, for example on dating sites like speed
Re: Django default input validation accepts special caracters
2020-08-19
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
> Backwards compatibility is the bigger concern here. I understand that, I believe there is always a way, because prior to 2008 when I switched to Django, I was a committer on a PHP library group that not only had the best code quality: but COMMITS to maintaining BC. Code that I have made prior to
Re: Translation templatetag aliases
2019-07-27
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
If you use autocomplete then typing "{% tr" should propose both translate and translateblock which reduces the chances to pick the wrong one because the other choice did not show up
Re: Django LTS support time
2019-08-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Hi, Lean Sensei practicing Django since 2008 here. Have tried all sorts of strategies, the one that offers the best effort/ROI ratio is to upgrade as soon as a new version comes out, even if that means contributing patches to dependencies and deploying forks until patches are released. Best of
Re: Django Websocket Implementation Request
2019-08-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
> They're not that popular actually, it seems... They might become more popular, when they work behind proxies ... a limitation which you usually figure out after your first important client tries to connect from behind their corporate proxy, then you can implement polling again - a fallback th
Re: Display labels for autocomplete fields
2019-08-11
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
>> Would it be possible to add a `search_display_fields` on the relevant >> ModelAdmin, alongside `search_fields` to customise the display in the form >> select box? This could be either a model field or a callable on the model or >> modeladmin. Another suggestion is to add get_FIELD_autocomple
Re: Make Development More Accessible
2019-08-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Given the number of open pull requests, does Django crave more contribution quantity, or quality? Not the same focus
Re: Django LTS support time
2019-08-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
This reminds me when m$ agreed to sponsor an open source rewrite of one of their languages, and asked the devs to reproduce the same bugs that were in the closed source version, and then went on and sold that as a feature. If there are people who are willing to maintain old versions for money th
Re: Django LTS support time
2019-08-12
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Actually I'm pretty sure it could be done even if DSF kept a profit, to re-inject it into other developments for example. AFAIK the major difference between non-profit and company is that you don't own it and as such you cannot take dividends out of it personally. IMHO everybody would benefit if
Re: Form customization
2019-10-10
Thread
'1337 Shadow Hacker' via Django developers (Contributions to Django itself)
Try tri.forms maybe The main problem IMHO is that rendering is stuck in a template system, rather than components that could leverage the decorator pattern as it's known to be better for UI programming (cf. GoF, React & friends success) ‐‐‐ Original Message ‐‐‐ On Sunday, October 6, 2019