I was somewhat surprised to find that filters are automatically generated for all model fields for the following filterset:
```python
from django_filters import FilterSet, filters

class UserFilter(FilterSet):
    username = filters.CharFilter(lookup_expr='iexact')

    class Meta:
        model = User  # no Meta.fields declared

>>> UserFilter.base_filters.keys()
['username', 'first_name', 'last_name', 'status', 'is_active', 'favorite_books']
```
I would have expected just the one `username` filter. It makes sense to me to deprecate this behavior in favor of using `fields = '__all__'` - similar to DRF's serializers and Django's ModelForms.
Aside from API consistency, there are all of the stated reasons for requiring a declared value. The security risk is smaller since filters can't alter data, but users could still unintentionally expose information about the data model or the data itself. e.g., you may not be able to view an employee's salary, but you could accidentally allow users to filter by it.
The implementation to support `Meta.fields = None` requires ignoring unrecognized field types, such as `tests.models.SubnetMaskField`. This prevents us from providing meaningful errors to the user. e.g.,
```python
class NetworkSettingFilter(FilterSet):
    class Meta:
        model = NetworkSetting
        fields = ['mask']
```
We should be able to inform the user that the field type is unrecognized, and that they need to use `filter_overrides` or alter the `DEFAULTS`. Currently, users get:
```
AttributeError: 'NoneType' object has no attribute 'model'
```
Thoughts?
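A static check for the exposure described above, added here as an example and not part of the original issue or of django-filter: it parses source with `ast` and flags FilterSets that set `Meta.model` but leave `Meta.fields` unset, `None`, or `'__all__'`. The sample source, the `Employee` and `Book` models, and the helper names are assumptions.

```python
import ast

# Constructed sample source (not from the issue); Employee and Book are assumed models.
SAMPLE = '''
class UserFilter(FilterSet):
    username = filters.CharFilter(lookup_expr='iexact')
    class Meta:
        model = User

class EmployeeFilter(FilterSet):
    class Meta:
        model = Employee
        fields = '__all__'

class BookFilter(FilterSet):
    class Meta:
        model = Book
        fields = ['title']
'''

def _meta_attrs(meta):
    """Map simple `name = value` statements in a Meta body to their value nodes."""
    return {t.id: s.value for s in meta.body if isinstance(s, ast.Assign)
            for t in s.targets if isinstance(t, ast.Name)}

def audit_filtersets(source):
    """Return (class name, finding) for FilterSets that expose every model field."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        # Heuristic (assumption): any base whose name ends in "FilterSet".
        bases = [getattr(b, "id", getattr(b, "attr", "")) for b in node.bases]
        if not any(b.endswith("FilterSet") for b in bases):
            continue
        meta = next((s for s in node.body
                     if isinstance(s, ast.ClassDef) and s.name == "Meta"), None)
        attrs = _meta_attrs(meta) if meta else {}
        if "model" not in attrs:
            continue
        fields = attrs.get("fields")
        if isinstance(fields, ast.Constant) and fields.value == "__all__":
            findings.append((node.name, "explicit: fields = '__all__'"))
        elif (fields is None or getattr(fields, "value", 0) is None) and "exclude" not in attrs:
            findings.append((node.name, "implicit: Meta.fields unset or None"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_filtersets(SAMPLE):
        print(f"{name}: {finding}")
```

Classes flagged as implicit are the ones whose exposed filters change silently when a column such as a salary is later added to the model.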