TurboGears / tg2

Python web framework with full-stack layer implemented on top of a microframework core with support for SQL DBMS, MongoDB and Pluggable Applications
http://www.turbogears.org/

Admin controller using json gives a JsonEncodeError #40

Closed csmall closed 11 years ago

csmall commented 11 years ago

Try to go to any admin url with json, such as http://localhost:8080/admin/groups.json and it throws an error.

JsonEncodeError: You may not expose with JSON a list return value because it leaves your application open to CSRF attacks

The controller basically takes a SQLAlchemy query and dumps it to the JSON encoder. I think the error is being thrown within DecoratedController.

Not sure why a list is a problem but a dictionary is ok, but there you go.

amol- commented 11 years ago

Thanks, should be fixed by https://github.com/TurboGears/tgext.crud/commit/803e08ad91ac63dc8f781490fddbb6637ea4ba5e

To work correctly it will require TG2.3, which provides JSON encoding support for paginated collections: https://github.com/TurboGears/tg2/commit/14156753a6f1dd7fab5f48ee5987b9d3c9d73ea1
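
The check behind the error message, shown as an added example that is not code from this thread, TurboGears or tgext.crud: a top-level JSON array is also a valid JavaScript program, which made such responses readable through cross-site script inclusion in older browsers, while a top-level object is not. The function names, the envelope keys and the sample rows are assumptions made for this illustration, and `JsonEncodeError` here is a local stand-in class.

```python
import json

class JsonEncodeError(Exception):
    """Local stand-in for the exception named in the issue."""

def encode_json(value):
    """Serialize a controller return value, refusing a top-level array."""
    if isinstance(value, (list, tuple)):
        raise JsonEncodeError(
            "top-level list refused: wrap the collection in a dict")
    # Lists nested inside a dict are fine; only the outermost type matters.
    return json.dumps(value, sort_keys=True)

def paginate(rows, page=1, items_per_page=2):
    """Wrap rows in a dict envelope (key names are assumptions)."""
    rows = list(rows)  # e.g. a materialized query result
    start = (page - 1) * items_per_page
    return {
        "total": len(rows),
        "page": page,
        "items_per_page": items_per_page,
        "entries": rows[start:start + items_per_page],
    }

# Constructed sample data standing in for the admin "groups" query.
SAMPLE_GROUPS = [
    {"group_id": 1, "group_name": "managers"},
    {"group_id": 2, "group_name": "editors"},
    {"group_id": 3, "group_name": "viewers"},
]

def demo():
    """Return (was the bare list refused?, JSON body of the wrapped page)."""
    try:
        encode_json(SAMPLE_GROUPS)
        refused = False
    except JsonEncodeError:
        refused = True
    body = encode_json(paginate(SAMPLE_GROUPS, page=2))
    return refused, body

if __name__ == "__main__":
    print(demo())
```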