(I received the message I'm replying to here with an empty subject, and 
detached from the thread. Google Groups being funny?)

On Monday 15 June 2015 22:52:09 Rick van Hattem wrote:
> On 15 June 2015 at 21:34, Florian Apolloner <[email protected]> wrote:
> > On Monday, June 15, 2015 at 7:07:38 PM UTC+2, Rick van Hattem (wolph) wrote:
> >> Would anyone oppose a pull request like this?
> > 
> > Yes, it is highly backwards incompatible for not much gain, I am also
> > usually just fine with one/two fields for list_display. You could just
> > use your own admin subclass for that.
> 
> Can you clarify that? I don't see the backwards incompatibility here.
> 

It could quite easily cause breakage for specific client-side code, although I 
wouldn't consider that "highly" incompatible.

However, it could also easily lead to inappropriate data exposure -- where 
people who are supposed to get an "opaque" view of some objects will, upon 
upgrade, be able to see all their details. I consider that risk to weigh much 
more than the potential gains.
> 
> The discussion here shouldn't be whether you can or cannot fix it yourself
> (obviously, you can, that's not the issue), it's what a good/sane default
> would be. For brand new Django users, would it be more convenient to have 1
> column or just all local columns and make it slightly more usable?
> 
Besides "convenient", you should also consider "safe", and besides brand new
users, there are also established users with significant codebases. Now,
arguably, if we were starting the Django project today, we could use the 
default you propose, people would be aware of it, and if they wanted to limit 
access, they would. One could still argue that "whitelisting" is better than 
"blacklisting", and we could have a whole discussion about this. But having a 
Django upgrade just expose more data by default, even in the Admin, would be a 
serious breach of our users' trust IMO.

Shai.