Data leak
salvacarrion opened this issue · 4 comments
The ajax response returns all the fields of the model instead of just the fields associated with the requested columns. Is this the expected behavior?
Example:
    class CarDatatableView(DatatableView):
        model = Car
        datatable_options = {
            'columns': [
                'reference',
                'name'
            ],
        }
returns all the fields to the client:
    {
        "draw": "1",
        "recordsFiltered": 1196,
        "recordsTotal": 1196,
        "data": [
            {
                "0": "1",
                "1": "2712",
                "2": "Audi",
                "3": "A3",
                "4": "220",
                "5": "",
                "6": "00e380e3-832c-4979-ab66-fa2cff7e21b7",
                "DT_RowId": 1,
                "DT_RowData": {}
            },
            [...]
    }
It looks like you're using our latest github code if you're getting a JSON response with those field names. Is that correct?
Yes, it is. Is there any quick fix so that I can make it work?
You'll have to check the documentation site in the current README to see how the configuration options have changed. There's a migration guide there to help you get away from the legacy datatable_options syntax and begin using DataTable classes, which are like Django's ModelForm and represent columns. In the simplest cases, you can still just whitelist columns for inclusion, and it shouldn't be too troublesome.
Basically the new syntax would look like this in your case:
    class CarDatatable(Datatable):
        class Meta:
            columns = ['reference', 'name']

    class CarDatatableView(DatatableView):
        datatable_class = CarDatatable
Thanks!
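
A regression check for the behaviour reported in this thread, as an added example that is not part of the original issue or the project's code: it parses a DataTables-style JSON body and reports any row that carries more cells than the columns the view is configured to expose. The function names and both sample bodies are constructed for illustration; the leaky body reuses the row from the response quoted above.

```python
import json

# Row metadata keys defined by DataTables itself; these are not column cells.
DT_META_KEYS = {"DT_RowId", "DT_RowData", "DT_RowClass", "DT_RowAttr"}

# Constructed sample bodies. LEAKY_BODY reuses the row quoted in the issue;
# CLEAN_BODY is a made-up response carrying only the two configured columns.
LEAKY_BODY = json.dumps({
    "draw": "1", "recordsFiltered": 1196, "recordsTotal": 1196,
    "data": [{"0": "1", "1": "2712", "2": "Audi", "3": "A3", "4": "220",
              "5": "", "6": "00e380e3-832c-4979-ab66-fa2cff7e21b7",
              "DT_RowId": 1, "DT_RowData": {}}],
})
CLEAN_BODY = json.dumps({
    "draw": "1", "recordsFiltered": 1, "recordsTotal": 1,
    "data": [{"0": "REF-0001", "1": "example", "DT_RowId": 1, "DT_RowData": {}}],
})


def extra_cells(row, n_expected):
    """Return {key: value} for the cells of one row beyond the configured columns."""
    if isinstance(row, list):  # array-style rows
        return {str(i): v for i, v in enumerate(row) if i >= n_expected}
    allowed = {str(i) for i in range(n_expected)}  # object-style rows: "0", "1", ...
    return {k: v for k, v in row.items()
            if k not in allowed and k not in DT_META_KEYS}


def audit_datatable_response(body, expected_columns):
    """Return [(row_number, extra_cells)] for every row exposing unexpected cells.

    Cells are keyed by position, so this catches surplus cells, not a
    whitelisted position that happens to be filled from the wrong field.
    """
    findings = []
    for n, row in enumerate(json.loads(body).get("data", [])):
        leaked = extra_cells(row, len(expected_columns))
        if leaked:
            findings.append((n, leaked))
    return findings


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(label, audit_datatable_response(body, ["reference", "name"]))
```

In a Django test suite the body would come from the test client's response to the view's AJAX request, with the assertion that the findings list is empty.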