Security question: Can Django templates be used to execute arbitrary code on the server?
Is it safe to keep Django template strings inside a TextField of a Django model and allow users with staff privileges to edit them? I'm asking because I'm unsure how safe/dangerous this could be. Would it be possible to abuse a built-in templatetag to execute arbitrary code on the server? What are possible attack scenarios? XSS for sure, but that's always possible for whoever you allow to publish HTML on your servers.
-- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/13526179-50f4-45d1-953d-c272f1fb32bc%40googlegroups.com.
manage.py dumpdata for FieldFile serializes payload of file
Yesterday, I added a useful feature to django-filer (https://github.com/stefanfoulis/django-filer), which allows dumping the payload of files together with their metadata when running manage.py dumpdata > dumpfile.json. A dump file which is reimported using manage.py loaddata dumpfile.json then restores the file on disk. This simplifies backups and migrations of projects using django-filer to manage their media data, since an administrator does not require additional tools such as zip or tar. It also makes backups less error-prone, since everything is contained in one single file. More details here: https://github.com/jrief/django-filer/blob/serialize-payload/docs/dump_payload.rst and here: https://github.com/stefanfoulis/django-filer/pull/335 Stefan Foulis, the maintainer of django-filer, considered: "But I'd really prefer a solution that works with django-filer and any other FileFields in the project." So my question is whether such an additional feature would be accepted in the main Django project, rather than only in an external app such as django-filer. - Jacob
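Added example (editor's; not django-filer's implementation and not Django's serializer code): the round trip the post describes, a file's bytes carried inside the same JSON record as the metadata a FileField stores, written as two plain functions so it runs without a project. The record layout, the SHA-256 check and the containment check that keeps a restored name under MEDIA_ROOT are this example's own choices; they are the checks a practitioner would want before letting a loaded fixture write files to disk, since the name in the fixture is data, not a trusted path.

```python
# Added example (editor's, not django-filer's or Django's code): dump a file's
# payload next to its metadata and restore it, refusing names that would land
# outside MEDIA_ROOT.  The record layout and checks are this example's own.
import base64
import hashlib
import json
import os
import tempfile
from pathlib import Path


def dump_file_record(media_root, name):
    """Build one JSON-serialisable record for the file stored at MEDIA_ROOT/name."""
    data = Path(media_root, name).read_bytes()
    return {
        "name": name,  # the relative value a FileField stores
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "payload": base64.b64encode(data).decode("ascii"),
    }


def safe_target(media_root, name):
    """Resolve name under media_root; raise if it escapes (absolute path, '..', symlink)."""
    root = Path(media_root).resolve()
    target = (root / name).resolve()
    if os.path.isabs(name) or root not in target.parents:
        raise ValueError(f"refusing to write outside MEDIA_ROOT: {name!r}")
    return target


def load_file_record(media_root, record):
    """Restore a record from dump_file_record; returns the path written."""
    data = base64.b64decode(record["payload"], validate=True)
    if len(data) != record["size"] or hashlib.sha256(data).hexdigest() != record["sha256"]:
        raise ValueError(f"payload for {record['name']!r} does not match its metadata")
    target = safe_target(media_root, record["name"])  # check before touching the disk
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def roundtrip_demo():
    """Dump a constructed file from one root, reload into another, try an escape."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "dst")
        (src / "uploads").mkdir(parents=True)
        original = src / "uploads" / "report.pdf"
        original.write_bytes(b"%PDF-1.4 constructed payload\n")  # constructed content

        dump = json.dumps([dump_file_record(src, "uploads/report.pdf")])  # what dumpdata would emit
        restored = [load_file_record(dst, rec) for rec in json.loads(dump)]

        # A tampered fixture that points the same payload at a path above MEDIA_ROOT.
        evil = dict(json.loads(dump)[0], name="../outside.txt")
        try:
            load_file_record(dst, evil)
            rejected = False
        except ValueError:
            rejected = True

        return {
            "roundtrip_ok": restored[0].read_bytes() == original.read_bytes(),
            "restored_name": str(restored[0].relative_to(dst.resolve())),
            "escape_rejected": rejected,
            "outside_written": Path(tmp, "outside.txt").exists(),
        }
```

The same two checks apply if this is built as a Django serializer hooking into dumpdata/loaddata: verify the payload against the recorded size and digest, and resolve the stored name against MEDIA_ROOT before writing.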
Re: Django Shopping Cart
Have a look at https://www.django-cms.org/en/e-commerce/
Re: How to show list only in admin?
In your admin class, add:

    from django.contrib.admin import ModelAdmin

    class MyModelAdmin(ModelAdmin):
        def has_add_permission(self, request):
            return False

        def has_change_permission(self, request):
            return False

etc.
Re: Django's DecimalField represenation in admin as 0,00 values
Internally a price is always handled and stored as 0.00. That's the way software and databases work. What you can do is change the representation of your Decimal in your frontend and backend. In Django, changing this in the frontend is easy: just add USE_L10N = True to your settings.py and add localize=True to all occurrences of form fields handling a Decimal (see https://docs.djangoproject.com/en/1.4/ref/forms/fields/#localize). The problem is the backend, because there you are not specifying these form fields. What I do is add a mixin class to my admin classes, as described here: https://github.com/divio/django-shop/pull/146#issuecomment-4720340 and here: https://github.com/divio/django-shop/blob/master/shop/admin/mixins.py For your "2.1" problem, set decimal_places=2 on the DecimalField.
Re: How to mix in class based views from pluggable apps?
OK, now I got it. Coming from C++ I was stuck too much in static inheritance thinking. The diagram in http://fuhm.net/super-harmful/ helped me to understand this issue. Thank you very much for your help!
Re: How to mix in class based views from pluggable apps?
Thank you, Roland, this was a good point to start with. I now found an elegant solution: I added a base DetailView class for this project:

    from django.views.generic import DetailView

    class PluggableDetailView(DetailView):
        def get_context_data(self, **kwargs):
            context = super(PluggableDetailView, self).get_context_data(**kwargs)
            for plugin in self.__class__.__bases__:
                if hasattr(plugin, 'get_extra_context') and callable(plugin.get_extra_context):
                    context.update(plugin.get_extra_context(self, **kwargs))
            return context

        def post(self, *args, **kwargs):
            for plugin in self.__class__.__bases__:
                if hasattr(plugin, 'handle_post_request') and callable(plugin.handle_post_request):
                    plugin.handle_post_request(self, *args, **kwargs)
            # added here: a Django view must return an HttpResponse, so re-render
            # the page once the plug-ins have processed the POST data
            return self.get(*args, **kwargs)

Now I can add plug-ins which implement two methods: get_extra_context shall return a dict of extra context data that is merged with the default context; handle_post_request shall extract the plug-in specific POST data and update the database or whatever else it must do. The DetailView of the main app then inherits from PluggableDetailView; additional plug-ins can be mixed in, but no extra code has to be written to extend the context or to handle POST requests.

    class MainAppDetailView(PluggableDetailView, PluginAMixin, PluginBMixin):
        pass

Does this approach make sense or did I reinvent the wheel?
Re: How to mix in class based views from pluggable apps?
But the mixin plugins are not derived from django.views.generic.DetailView, otherwise the main app's DetailView would obtain a diamond-shaped inheritance. And django.views.generic.detail.BaseDetailView.get calls get_context_data only once, so I don't see how the plugins shall "deliver" their contexts. BTW, I found another solution. Cheers, J.
How to mix in class based views from pluggable apps?
Hi, currently I am writing a Django application built up from loosely coupled plug-ins. Each of these plug-ins shall offer a class based view to handle GET and POST requests. For GET requests the context shall be populated with plug-in specific data. For POST requests, the plug-in specific posted data shall be handled by the corresponding view class. This of course is not difficult to achieve. The view class of the final app, which combines all these plugins, can overload the methods get_context_data() and post() and dispatch the requests to functions offered by these plug-ins. But I do not like this approach because it does not separate concerns and the author of the final app has to remember how to dispatch these requests manually to the plug-ins. My question is whether there is a more elegant solution, say a pattern, which does not require duplicating the dispatching code for the mixin classes? Let me explain using some sample code:

    from django.http import HttpResponse

    class MainAppDetailView(SomeBaseDetailView, PluginAMixin, PluginBMixin):
        model = MyModel
        template_name = "my_detail.html"

        def get_context_data(self, **kwargs):
            context = super(MainAppDetailView, self).get_context_data(**kwargs)
            PluginAMixin(self).update_context(context)
            PluginBMixin(self).update_context(context)
            return context

        def post(self, *args, **kwargs):
            post_request = self.request.POST
            response = PluginAMixin(self).handle_post(post_request)
            if isinstance(response, HttpResponse):
                return response
            response = PluginBMixin(self).handle_post(post_request)
            if isinstance(response, HttpResponse):
                return response
            # handle post request for the main app
            ...
            return response

From my point of view this example contains too much code duplication. Is there a pattern, so that I only have to modify the class declaration of my MainAppDetailView, or even better, only my settings.py? Cheers, Jacob
Re: Using filter for serialized model.Field's
Hi, as a workaround I added an additional column (aka CharField) to store the hash of that JSON string. Then only the hashes have to be compared. Sure, this is not an elegant solution, as it adds redundant data to your database. If I wrote SQL by hand, I could compare the JSON string using the built-in md5() function. But this is not portable, since it would use two different hashing implementations, one in Python and one in MySQL. I did not test restricting the query using '__contains', but I tested with '__exact', which in my opinion is more appropriate - but this did not help. So, the hashing field is probably the best workable solution. Thanks for your answer.
Re: Which IDE should I use for Django?
Eclipse + PyDev
Using filter for serialized model.Field's
Hi, I have a weird problem when using the model fields JSONField and PickledObjectField together with the filter function.

    from django.db import models
    from jsonfield.fields import JSONField
    from picklefield.fields import PickledObjectField

    class Item(models.Model):
        picklefield = PickledObjectField(null=True, blank=True)
        jsonfield = JSONField(null=True, blank=True)

If I store a dict in this model:

    mydict = {'description': 'Hello', }
    item1 = Item.objects.create(picklefield=mydict)
    item1.save()
    item2 = Item.objects.filter(picklefield=mydict)
    item2.exists()  # returns True, as expected

If however my dict looks like this:

    mydict = {'description': None, 'name': u'Color', 'id': 1L, 'option': 'red'}
    ...same code as above...
    item2.exists()  # returns False

Then I tested the same with JSONField. There, I also expect that item2 shall exist, but this function also returns False. Then I tested with mydict as:

    mydict = [2, 3, 4]
    item1 = Item.objects.create(jsonfield=mydict)
    item1.save()
    item2 = Item.objects.filter(jsonfield=mydict)
    item2.exists()  # returns True, as expected

BTW, this example also works with PickledObjectField. I don't think it's a bug in both implementations of JSONField and PickledObjectField, because they always serialize to the same string. Is this undefined behavior intentional, and did I miss reading some documentation? How can I solve this without having to serialize the objects manually? Any help is greatly appreciated.
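Added example for this thread (editor's; not the poster's code and not the jsonfield or picklefield packages): why an equality filter on a serialised column is fragile, and how the hash column the thread settles on should be built so that two logically equal values always produce the same key. Pure Python; the Item rows are constructed in memory to stand in for the table, and SHA-256 over a canonical encoding is this example's choice rather than anything the page prescribes.

```python
# Added example (editor's, not the poster's code): equality on a serialised
# column vs. a hash over a canonical encoding.  Rows are constructed in memory.
import hashlib
import json
import pickle


def canonical_json(value):
    """One byte string per logical value: sorted keys, fixed separators, no NaN."""
    return json.dumps(
        value, sort_keys=True, separators=(",", ":"), ensure_ascii=False, allow_nan=False
    ).encode("utf-8")


def content_hash(value):
    """Hex SHA-256 of the canonical form; this is what the extra CharField stores."""
    return hashlib.sha256(canonical_json(value)).hexdigest()


def make_row(pk, value):
    """Constructed stand-in for an Item row: the serialised column plus the hash column."""
    return {"id": pk, "jsonfield": json.dumps(value), "json_hash": content_hash(value)}


def find_by_hash(rows, query):
    """What Item.objects.filter(json_hash=content_hash(query)) amounts to."""
    wanted = content_hash(query)
    return [row["id"] for row in rows if row["json_hash"] == wanted]


def demo():
    # Same data, different key insertion order: one came from the ORM, one from a form.
    a = {"description": None, "name": "Color", "id": 1, "option": "red"}
    b = {"option": "red", "id": 1, "name": "Color", "description": None}
    rows = [make_row(1, {"description": "Hello"}), make_row(2, a), make_row(3, [2, 3, 4])]
    return {
        "naive_json_equal": json.dumps(a) == json.dumps(b),      # what the column compares
        "pickle_equal": pickle.dumps(a) == pickle.dumps(b),      # same problem for pickles
        "canonical_equal": canonical_json(a) == canonical_json(b),
        "naive_lookup": [r["id"] for r in rows if r["jsonfield"] == json.dumps(b)],
        "hash_lookup": find_by_hash(rows, b),
    }
```

The hash column only ever answers exact-match questions, so '__contains' style queries still need the database to understand the stored document; current Django ships models.JSONField with key and containment lookups on the backends that support them, which removes the need for this workaround where it is available. Use SHA-256 rather than md5() here: the column is an index key, and a digest the database and Python both implement identically is exactly what the portability concern in the thread asks for.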