Hi,

I'm with Carl in supporting option 3. I have always thought that
ModelForms were unsafe and requiring the fields option would go a long
way to making them safer. I don't think I'm stupid and I've personally
run into this issue. I have almost *NEVER* run into a case where I
want all fields on a Model to be updatable by the user and I now
always define the fields Meta attribute.

However, I'm not necessarily against leaving the current functionality
in Django for a few releases but with warning messages.

> So, to hit the problem the user would need to:
>  1. Have a ModelForm with no field restrictions in Python.
>  2. Render only part of the fields.
>  3. All non-rendered fields must be null/blank=True for the form to
> work at all.
>  4. Not use the form in update views.

No, the user would have to not miss any of those things when developing.
Having a field get updated to NULL when not in the HTML does not
guarantee the developer will notice it. Maybe the field's default is
NULL? Or NULL is a perfectly valid value and they just don't notice? I
have been doing Django and Python for years at a high level and I have
done this.

On Tue, Jun 19, 2012 at 8:42 PM, Honza Král <honza.k...@gmail.com> wrote:
> I believe exclude is way more useful than fields (I do see the
> security advantage but in my mind this is the case where convenience
> beats security, also still afraid of the fields = [f.name for f in
> ...]).

Personally, I don't think convenience EVER beats security in a
framework like Django (if at all). This is the common "Oh but that
will never happen to me!" syndrome. Sane defaults that can be
overridden are going to always be better.

-- 
Ian

http://www.ianlewis.org/
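An added illustration of the failure mode the quoted list and the reply above describe. This is example code written for this page, not code from the thread and not Django's own ModelForm implementation: it re-implements only the three steps that matter (field discovery when Meta.fields is omitted, binding the POST body, and construct_instance() copying cleaned values onto the instance) so the behaviour can be seen end to end. The Article model, its null rules, the "2012-06-19" publish date and the POST dictionary are all constructed for the example.

```python
"""Added example (not code from the thread, and not Django's own code): a
stripped-down re-implementation of the three ModelForm steps that matter here,
field discovery, binding POST data and construct_instance(), to show how a
ModelForm with no Meta.fields silently overwrites a field the template never
rendered, and how declaring `fields` stops it. The model, the null rules and
the request data are all constructed for this example."""

from typing import Dict, List, Optional


class ModelField:
    """Only the attribute the failure mode depends on: null=True lets an empty
    submission clean to None instead of raising 'This field is required.'"""

    def __init__(self, name: str, null: bool = False):
        self.name, self.null = name, null


class Article:
    """Constructed sample model; stands in for a Django model whose
    _meta.fields are title, body and a nullable published_on (no default)."""

    meta_fields = [ModelField("title"), ModelField("body"), ModelField("published_on", null=True)]

    def __init__(self, **values):
        self.__dict__.update(values)


class ArticleWithRequiredDate(Article):
    """Same model with published_on NOT nullable (point 3 of the quoted list)."""

    meta_fields = [ModelField("title"), ModelField("body"), ModelField("published_on", null=False)]


class SimpleModelForm:
    """Mimics ModelForm: with no `fields` on the class, every model field is a form field."""

    model = Article
    fields: Optional[List[str]] = None  # the default the thread is arguing about

    def __init__(self, data: Dict[str, str], instance):
        self.data, self.instance = data, instance
        wanted = self.fields if self.fields is not None else [f.name for f in self.model.meta_fields]
        self.form_fields = [f for f in self.model.meta_fields if f.name in wanted]
        self.cleaned_data: Dict[str, Optional[str]] = {}
        self.errors: Dict[str, str] = {}

    def is_valid(self) -> bool:
        self.cleaned_data.clear()
        self.errors.clear()
        for f in self.form_fields:
            raw = self.data.get(f.name, "")  # a key missing from the POST body binds as empty
            if raw != "":
                self.cleaned_data[f.name] = raw
            elif f.null:
                self.cleaned_data[f.name] = None  # empty + null=True: cleans to None, no error
            else:
                self.errors[f.name] = "This field is required."
        return not self.errors

    def save(self):
        # construct_instance(): every cleaned field is written back, rendered or not
        for name, value in self.cleaned_data.items():
            setattr(self.instance, name, value)
        return self.instance


class UnsafeArticleForm(SimpleModelForm):
    pass  # no `fields`: title, body AND published_on are all bound


class UnsafeRequiredDateForm(SimpleModelForm):
    model = ArticleWithRequiredDate  # same omission, but the date cannot be NULL


class SafeArticleForm(SimpleModelForm):
    fields = ["title", "body"]  # option 3: the form only touches what the template renders


# Constructed POST body: the template rendered inputs for title and body only.
POST = {"title": "New title", "body": "New body"}


def submit(form_class, post_data=POST):
    """Bind the POST to an existing row that already has a publish date.
    Returns the saved instance's attributes, or the form errors if it did not validate."""
    row = form_class.model(title="Old", body="Old body", published_on="2012-06-19")
    form = form_class(post_data, instance=row)
    if not form.is_valid():
        return {"errors": dict(form.errors)}
    return dict(form.save().__dict__)


if __name__ == "__main__":
    print("unsafe, nullable date:", submit(UnsafeArticleForm))
    print("unsafe, required date:", submit(UnsafeRequiredDateForm))
    print("explicit fields:      ", submit(SafeArticleForm))
```

Running it shows the three outcomes the thread is weighing: the unsafe form with a nullable date saves published_on as None with no error and nothing in the logs, the same form over a NOT NULL date refuses to validate (which is why point 3 above says the problem only bites when the hidden fields are null/blank=True), and the form with an explicit `fields` list leaves the date untouched. The same effect follows from Honza's `fields = [f.name for f in ...]` pattern, since it just spells out "all fields" again.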

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.