Hi,

At the moment, it's possible to retrieve more data in the
templates using method calls like all() [1]. While this may be fine
in controlled environments, it may pose a risk at services where you
have to deal with user-supplied templates (think of a service like
Typepad). A user might use the method calls to access data which he
isn't supposed to.

Now, I'd like to know what I have to do to a) disable method calls in
the templates or b) to disable specific method calls like all() in  
templates without breaking too much.

Generally, I would favor a solution where the access to every method  
is prohibited but where I can still explicitly flag a method as  
accessible.

Regards,
A.

[1] {% for item in foo.bar.all %}
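
One way to get the deny-by-default behaviour asked for above, added here as an example and not part of the original post or of Django itself: wrap every object before it reaches the template context, so only explicitly flagged methods resolve. The names `template_safe`, `SafeProxy`, `wrap`, `Blog` and `Entry` are hypothetical, and the code assumes the template engine resolves dotted lookups with `getattr` and calls callables without arguments.

```python
# Added example; every name here (template_safe, SafeProxy, wrap, Blog, Entry) is hypothetical.
_PLAIN = (str, bytes, int, float, bool, type(None))

def template_safe(func):
    """Explicitly flag a method as reachable from templates."""
    func.template_safe = True
    return func

def wrap(value):
    """Return plain values as-is; put everything else behind a SafeProxy."""
    if type(value) is SafeProxy or isinstance(value, _PLAIN):
        return value
    return SafeProxy(value)

class SafeProxy:
    """Deny-by-default view of an object for untrusted template code."""
    def __init__(self, target):
        self._target = target

    def __getattribute__(self, name):
        if name.startswith("_"):                  # no private or dunder access
            raise AttributeError(name)
        value = getattr(object.__getattribute__(self, "_target"), name)
        if not callable(value):
            return wrap(value)                    # data attributes stay readable
        if not getattr(value, "template_safe", False):
            raise AttributeError(f"{name} is not flagged template_safe")
        return lambda: wrap(value())              # templates call without arguments

    def __iter__(self):                           # lets {% for %} walk wrapped results
        return (wrap(v) for v in object.__getattribute__(self, "_target"))

    def __str__(self):
        return str(object.__getattribute__(self, "_target"))

class Entry:                                      # constructed sample data
    def __init__(self, title, draft):
        self.title, self.draft = title, draft

class Blog:
    def __init__(self):
        self._entries = [Entry("Hello", False), Entry("Secret plans", True)]

    def all(self):                                # unflagged: hidden from templates
        return self._entries

    @template_safe
    def published(self):
        return [e for e in self._entries if not e.draft]
```

Pass `wrap(obj)` rather than `obj` into the context; results of flagged methods are wrapped again, so the restriction follows nested lookups such as `blog.published` and each item in the loop.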
