I agree with this. HTTP 500 errors should not occur due to users attempting 
to subvert the system somehow. HTTP 500 errors should only be returned when 
an unhandled exception occurs (which shouldn't happen).

Cheers.
Tai.


On Tuesday, 10 April 2012 21:34:07 UTC+10, 3point2 wrote:
>
> The admin site allows the use of certain query strings to filter 
> change list pages. The syntax follows queryset field lookups, for 
> example http://mysite.com/admin/myapp/mymodel/?field__exact=test. 
> Lookups that are not specified on the ModelAdmin's list_filter option 
> raise a SuspiciousOperation exception. This is done to prevent a 
> normal user from obtaining sensitive information (e.g. password 
> hashes). 
>
> In production use, I'm not sure that returning an HTTP code of 500 
> (internal server error) and emailing the server admins is an 
> appropriate response to a user manipulating the query string. 
>
> I think that 403 (forbidden) would be more accurate. In my mind, 500 
> suggests that something went wrong on the server, for example an 
> unexpected condition or exception in the application code. In this 
> situation, this is not the case. Django is deliberately forbidding a 
> user from accessing information for which they have not been 
> authorized. 
>
> Any thoughts?
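A standalone model of the check the thread discusses, added here as an example rather than Django's own code: query-string lookups are accepted only for fields the ModelAdmin exposes via list_filter, anything else raises a SuspiciousOperation-style exception, and a small view-layer mapping shows the difference between letting that exception escape (500) and answering it deliberately (403). The lookup names, the reserved control parameters and the hypothetical `list_filter` tuples in the test are constructed for the example.

```python
from urllib.parse import parse_qsl

# Lookups the example accepts on an exposed field (a constructed subset of
# Django's field lookups, not the full list).
LOOKUPS = {"exact", "iexact", "startswith", "istartswith", "contains",
           "icontains", "gt", "gte", "lt", "lte", "in", "isnull"}

# Changelist control parameters that are not field lookups (search, page,
# ordering); the real admin reserves a few such names too.
CONTROL_PARAMS = {"q", "p", "o"}


class DisallowedLookup(Exception):
    """Stands in for SuspiciousOperation: the user asked for a lookup that
    list_filter never exposed (e.g. a filter on a password hash column)."""


def validate_changelist_query(query_string, list_filter):
    """Return the {field__lookup: value} dict the changelist may apply, or
    raise DisallowedLookup for any parameter whose field or lookup is not
    allowed. Only fields named in list_filter may be filtered on."""
    allowed_fields = set(list_filter)
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in CONTROL_PARAMS:
            continue
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"          # ?field=value means field__exact
        if field not in allowed_fields or lookup not in LOOKUPS:
            raise DisallowedLookup(f"lookup {key!r} is not exposed by list_filter")
        params[key] = value
    return params


def changelist_status(query_string, list_filter, catch_suspicious=True):
    """Model the view layer. A valid query is served (200). A disallowed
    lookup either becomes an explicit 403, as the thread proposes, or, if the
    exception is left unhandled, the framework's generic 500."""
    try:
        validate_changelist_query(query_string, list_filter)
    except DisallowedLookup:
        return 403 if catch_suspicious else 500
    return 200
```

The status the handler returns is the one thing the thread argues about; the allowlist itself is the control that stops a user from filtering on fields the admin never offered.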

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-developers/-/Rs6SW74LU2QJ.