#17942: JSONResponse class for API responses
-------------------------------+-------------------------------------------
     Reporter:  leahculver     |                    Owner:  LukaszBalcerzak
         Type:  New feature    |                   Status:  assigned
    Component:  HTTP handling  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:  dceu13         |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  1
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+-------------------------------------------
Comment (by LukaszBalcerzak):

 - The reason I added `JSON_RESPONSE_DEFAULT_ENCODER` is that if there is no possibility to set it globally, the user would most probably create their own subclass of `JsonResponse` if they need to use another encoder in most cases (and we are adding this class so users won't have to create their own). I can remove it if someone feels it's not necessary (or we can mark the ticket for a design decision request). This was in fact a setting I was not really sure is 100% needed, but it would be nice for users who, for example, would create their own encoder that can consume a model or queryset.

 - As for `JSON_RESPONSE_ALLOW_DICTS_ONLY`: a security flaw would be created if, e.g., some view is CSRF vulnerable and returns a top-level Array object, and the user uses a pre-EcmaScript5 compliant browser. An attacker could prepare a malicious page with a request to that page. Normally, the attacker would not be able to retrieve data from such a request, but with a patched Array it is possible. See http://flask.pocoo.org/docs/security/#json-security for more information and a quite precise example.

 - Single-prefixed names are used throughout the whole `HttpResponse` constructor. I can make it public, but then it becomes part of the interface and changing it would be more difficult in the future.

 - Yep, please update the documentation if you can!

 - I am not aware of that. Can you point me to the related mails/discussions/ticket or tell me that with 100% certainty? In addition, if I changed the newly added code snippet now, styles would be mixed. I believe this is the responsibility of the one who would need to merge changes and finds them conflicting with the master branch.

--
Ticket URL: <https://code.djangoproject.com/ticket/17942#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
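The two design points in the comment above (a swappable encoder and a dict-only guard against top-level arrays) in working form, as an added example that is not the patch under review nor Django's own `JsonResponse`. It is a self-contained stand-in: `DateAwareEncoder`, `safe`, and `top_level_is_array` are names chosen for this illustration, the class does not inherit from Django's `HttpResponse`, and the `/api/` URL in the comment is hypothetical.

```python
"""Stand-in JsonResponse illustrating the ticket's two settings. Not Django code."""
import json
from datetime import date, datetime
from decimal import Decimal


class DateAwareEncoder(json.JSONEncoder):
    """Hypothetical user-supplied encoder, the kind a project would point a
    global JSON_RESPONSE_DEFAULT_ENCODER-style setting at so it need not
    subclass the response class just to serialise dates and decimals."""

    def default(self, o):
        if isinstance(o, (datetime, date)):
            return o.isoformat()
        if isinstance(o, Decimal):
            return str(o)          # keep precision; floats would round
        return super().default(o)


class JsonResponse:
    """Minimal JSON response. Mirrors the dict-only guard discussed above.

    A top-level JSON array is also a valid JavaScript program. If an attacker
    page does
        <script>Array = function () { /* stash every element */ };</script>
        <script src="https://victim.example/api/"></script>   (hypothetical URL)
    then a pre-ES5 engine builds the response's array literal through the
    replaced constructor and the attacker reads the elements, even though the
    same-origin policy stops them reading the raw body. A top-level object is
    not executable as a program (it parses as a block / syntax error), so
    refusing non-dict data closes this channel.
    """
    default_encoder = DateAwareEncoder   # stand-in for the global setting

    def __init__(self, data, encoder=None, safe=True):
        if safe and not isinstance(data, dict):
            raise TypeError(
                "In order to allow non-dict objects to be serialized "
                "set the safe parameter to False."
            )
        encoder = encoder or self.default_encoder
        self.content = json.dumps(data, cls=encoder).encode("utf-8")
        self.headers = {"Content-Type": "application/json"}


def top_level_is_array(body: bytes) -> bool:
    """Cheap check a reviewer can run over captured responses: does the body
    parse to a top-level array and therefore run as a script in old engines?"""
    try:
        return isinstance(json.loads(body.decode("utf-8")), list)
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample data, not taken from any real application.
    ok = JsonResponse({"user": "alice", "since": date(2013, 5, 1), "balance": Decimal("1.50")})
    print(ok.content)                              # b'{"user": "alice", "since": "2013-05-01", "balance": "1.50"}'
    try:
        JsonResponse([{"secret": "token"}])        # refused by default
    except TypeError as e:
        print("refused:", e)
    unsafe = JsonResponse([{"secret": "token"}], safe=False)
    print(top_level_is_array(unsafe.content))      # True: script-includable
```

Opting out with `safe=False` is the right hook for a deliberately public list endpoint; the point of the default is that a developer has to say so explicitly rather than leak by accident.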