ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6559/python/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

63 lines
1.9 KiB
Plaintext
Raw Blame History

This rule discourages the use of `exclude` or `__all__` with ModelForm in Django and suggests using fields instead.
== Why is this an issue?
In Django, when creating a `ModelForm`, it is common to use `exclude` to remove fields from the form. It is also possible to set the `fields` value to `__all__` to conveniently indicate that all the model fields should be included in the form. However, this can lead to security issues when new fields are added to the model, as they will automatically be included in the form, which may not be intended. Additionally, `exclude` or `__all__` can make it harder to maintain the codebase by hiding the dependencies between the model and the form.
== How to fix it
Developers should use the "fields" attribute instead of "exclude" or "all" when creating ModelForms in Django. This ensures that all fields are explicitly listed and makes it clear what fields are included in the form.
=== Code examples
==== Noncompliant code example
[source,python]
----
from django import forms
class MyForm(forms.ModelForm):
class Meta:
model = MyModel
exclude = ['field1', 'field2'] # Noncompliant
class MyOtherForm(forms.ModelForm):
class Meta:
model = Post
fields = '__all__' # Noncompliant
----
==== Compliant solution
[source,python]
----
from django import forms
class MyForm(forms.ModelForm):
class Meta:
model = MyModel
fields = ['field3', 'field4']
----
== Resources
=== Documentation
https://docs.djangoproject.com/en/4.1/topics/forms/modelforms/[Django ModelForm documentation]
https://docs.djangoproject.com/en/4.1/ref/forms/fields/[Django form fields documentation]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Set the fields of this form explicitly instead of using "__all__".
* Set the fields of this form explicitly instead of using "exclude".
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink