Hi,
I'm full of questions tonight.
My team is working on a project to automatically generate a webservice API from django models. It makes extensive use of manipulators for providing input validation.
I hit a bump today with the tight coupling between automatic manipulators and the admin interface. I turned edit_inline on for a pair of related objects, and shazam! My API started exposing the inline relationship, which while it makes sense for an admin interface, makes no sense at all for binding to and interacting with server-side objects.
This functionality seems weird to me. Even in a normal scenario where someone is using the automatic manipulators for a traditional HTML form, this magic behaviour could lead to some horrible bugs:
1) developer writes a pretty form for their Foo model using manipulators
2) developer forgets about this form and moves on
3) time passes and an admin asks to use that way cool django inline editing to make it easier to manage the relationship between Foo models and Bar models.
4) Developer turns inline editing on, and sets Bar's fields to core=true
Since the form from step 2 presumably wouldn't have hidden fields to store all the Bars that are related to a Foo, that form could silently delete Bars from the database, based on my understanding of how Manipulators are working... The form would be rendered without the information for the Bar relationships, and when it's submitted the manipulator would delete the objects since their core fields are not specified. This seems a bit dangerous, no?
Perhaps the manipulator won't do the cascading delete because the fields are not present at all, but that's only marginally better. Someone could still hack the form and manipulate Bar models unexpectedly.
It's quite nice that the inline editing capability is exposed to other apps besides admin, but shouldn't a developer have to ask for this (slightly counterintuitive) functionality explicitly? Is it really clear to developers that changing admin options can radically change how a model's manipulators work? It sure surprised me!
Cheers,
~ol
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
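The failure mode described in the post, as an added example that is not part of the original message and is not Django's manipulator code: a constructed in-memory Foo/Bar store, an `implicit_inline_save` that models the poster's understanding (once inline editing is on, any save of a Foo walks its Bars by position and deletes those whose core field is blank or absent), and an `explicit_inline_save` that only touches Bars when the form declares it rendered them and that checks every submitted Bar id belongs to the Foo being saved. The field names (`bar_inline`, `bar.count`, `bar.N.id`, `bar.N.name`) and the `Store` class are assumptions made for the example.

```python
"""Constructed stand-in for the scenario in the post: a Foo with inline Bars,
a plain Foo form that knows nothing about Bars, and two ways a "save" can
treat the related rows. This is NOT Django's manipulator code; it models the
behaviour the poster describes so the hazard and an explicit opt-in fix can
be run side by side."""

from dataclasses import dataclass


@dataclass
class Bar:
    id: int
    foo_id: int
    name: str  # the 'core' field in the post's terminology


class Store:
    """Tiny in-memory database keyed by Bar id (constructed for the example)."""

    def __init__(self, bars):
        self.bars = {b.id: b for b in bars}

    def bars_for(self, foo_id):
        return sorted((b for b in self.bars.values() if b.foo_id == foo_id),
                      key=lambda b: b.id)


def seed_store():
    # Constructed sample data: Foo 10 owns Bars 1 and 2, Foo 20 owns Bar 3.
    return Store([Bar(1, 10, "first"), Bar(2, 10, "second"), Bar(3, 20, "other")])


def implicit_inline_save(store, foo_id, post):
    """The behaviour the post worries about: once inline editing is switched on
    for the model, *every* save of a Foo walks its existing Bars by position and
    treats a blank or absent core field as 'delete this Bar'. A form that never
    rendered the Bar rows therefore wipes them."""
    for n, bar in enumerate(store.bars_for(foo_id)):
        name = post.get(f"bar.{n}.name", "").strip()
        if name == "":
            del store.bars[bar.id]  # silent cascade from a missing field
        else:
            bar.name = name
    return store


def explicit_inline_save(store, foo_id, post):
    """Opt-in alternative: Bars are only touched when the form declares that it
    rendered them (assumed 'bar_inline' marker and 'bar.count'), and every
    submitted Bar id must belong to this Foo, so a hand-crafted POST cannot
    reach into another Foo's rows."""
    if post.get("bar_inline") != "1":
        return store  # plain Foo form: related Bars are left alone
    owned = {b.id for b in store.bars_for(foo_id)}
    for n in range(int(post.get("bar.count", "0"))):
        raw_id = post.get(f"bar.{n}.id")
        name = post.get(f"bar.{n}.name", "").strip()
        if raw_id is None:
            if name:  # new row submitted by the inline form
                new_id = max(store.bars, default=0) + 1
                store.bars[new_id] = Bar(new_id, foo_id, name)
            continue
        bar_id = int(raw_id)
        if bar_id not in owned:
            raise PermissionError(f"Bar {bar_id} is not related to Foo {foo_id}")
        if name == "":
            del store.bars[bar_id]  # explicit delete: the row was rendered blank
        else:
            store.bars[bar_id].name = name
    return store


def bar_names(store, foo_id):
    return [b.name for b in store.bars_for(foo_id)]


if __name__ == "__main__":
    plain_form = {"name": "Foo renamed"}  # the forgotten Foo-only form from step 2
    print(bar_names(implicit_inline_save(seed_store(), 10, plain_form)))  # []
    print(bar_names(explicit_inline_save(seed_store(), 10, plain_form)))  # ['first', 'second']
```

The point of the contrast is that the implicit version lets an admin-side option change what an unrelated form does on save, while the explicit version makes the form itself the thing that opts in, and additionally refuses Bar ids the client had no business submitting.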