Ordering by excluded field not possible #607

Open
tadeck opened this issue Aug 9, 2012 · 3 comments

Comments

@tadeck

tadeck commented Aug 9, 2012

As far as I see, even if you explicitly mention in Resource's Meta some field that should allow ordering (by supplying it as element of the list in Meta.ordering property), you cannot actually sort by that field, if it is given within the Meta.excludes list of excluded fields.

The code responsible for such behaviour (and visible here) is here:

```python
if not field_name in self.fields:
    # It's not a field we know about. Move along citizen.
    raise InvalidSortError("No matching '%s' field for ordering on." % field_name)
```

Is that intended behaviour? I would expect ability to sort by some field (by adding its name to ordering option), even if I do not want this field to be displayed in the output (which I currently fulfill by supplying its name into excludes option).

@dmacthedestroyer

The implemented behavior seems the most reasonable to me... If you're excluding a field from being visible from the API, then from the perspective of the person consuming your API, it doesn't exist at all.

Do you have a particular scenario in which this behavior should be allowed?

@tolomea

tolomea commented Aug 10, 2012

From a security point of view, the sorting leaks information about the
field, it is in effect showing the field in an obscured manner.

On Fri, Aug 10, 2012 at 6:10 AM, Daniel McDonald notifications@github.com wrote:

> The implemented behavior seems the most reasonable to me... If you're
> excluding a field from being visible from the API, then from the
> perspective of the person consuming your API, it doesn't exist at all.
>
> Do you have a particular scenario in which this behavior should be allowed?


Reply to this email directly or view it on GitHubhttps://github.com/toastdriven/django-tastypie/issues/607#issuecomment-7634314.

@jiaaro

jiaaro commented Jan 28, 2013

I'm using tastypie on a site that gives user content a "popularity score". I want to allow sorting results by popularity without exposing the actual numerical scores.

Mainly because they're not useful for anything except sorting and only serve to make the api responses less understandable, but also because I don't want to make it too easy to figure out the popularity scoring in an attempt to game the system.
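
Added example, not part of the thread and not tastypie code: a stand-alone Python model of the check quoted in the issue, extended with a hypothetical `sort_only` option, showing that a sort-only field stays out of the response while its rank order is still recoverable by the client. The rows, the `Resource` class, `sort_only` and `leaked_rank` are all constructed for illustration.

```python
class InvalidSortError(Exception):
    pass

# Constructed sample rows; "score" is the field the API owner wants hidden.
ROWS = [
    {"id": 1, "title": "a", "score": 17},
    {"id": 2, "title": "b", "score": 93},
    {"id": 3, "title": "c", "score": 42},
]

class Resource:
    """Toy model of a resource with excludes/ordering (not the real tastypie class)."""

    def __init__(self, rows, excludes=(), ordering=(), sort_only=()):
        self.rows = rows
        # Exposed fields: everything in the data minus `excludes`.
        self.fields = [f for f in rows[0] if f not in excludes]
        self.ordering = list(ordering)
        # Hypothetical option: fields that may be sorted on but are never serialized.
        self.sort_only = list(sort_only)

    def apply_sorting(self, order_by):
        descending = order_by.startswith("-")
        field_name = order_by.lstrip("-")
        # Same shape as the check quoted in the issue, plus the sort_only escape hatch.
        if field_name not in self.fields and field_name not in self.sort_only:
            raise InvalidSortError("No matching '%s' field for ordering on." % field_name)
        if field_name not in self.ordering:
            raise InvalidSortError("Ordering on '%s' is not allowed." % field_name)
        return sorted(self.rows, key=lambda r: r[field_name], reverse=descending)

    def get_list(self, order_by):
        # Serialize only exposed fields, whatever the sort key was.
        return [{f: r[f] for f in self.fields} for r in self.apply_sorting(order_by)]

def leaked_rank(response):
    """What a client can rebuild from the response alone: id -> rank of the hidden field."""
    return {obj["id"]: rank for rank, obj in enumerate(response, start=1)}

if __name__ == "__main__":
    relaxed = Resource(ROWS, excludes=["score"], ordering=["score"], sort_only=["score"])
    response = relaxed.get_list("-score")
    print(response)               # no "score" key in any object
    print(leaked_rank(response))  # but the relative ranking is disclosed
```

The numeric values never leave the server, but the permutation does, so whether to allow this depends on whether rank alone is sensitive for the field in question.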
