[Django] #33852: Ability to exclude a specific view or form from DATA_UPLOAD_MAX_NUMBER_FIELDS

Django
Jul 16, 2022, 10:03:08 PM
to django-...@googlegroups.com
#33852: Ability to exclude a specific view or form from
DATA_UPLOAD_MAX_NUMBER_FIELDS
---------------------------------------+------------------------
Reporter: vskov147 | Owner: nobody
Type: New feature | Status: new
Component: Forms | Version: 4.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
---------------------------------------+------------------------
Use case & rationale:

We have a large, complicated CMS application. One of the advanced power
views this application has uses a form that requires an unusually large
number of fields. This particular view is only accessible by Admin users,
behind 2 separate authentication gates. So, we'd like that view to support
having this form with a large number of fields.

Having said that, given that one of the stated purposes of
DATA_UPLOAD_MAX_NUMBER_FIELDS is protection from DoS, increasing the
DATA_UPLOAD_MAX_NUMBER_FIELDS value for our entire app across the board
(or setting it to None to disable the check) seems counter-productive in
terms of security / DoS-protection.

I would really love to have a way to specify "hey, this particular view or
form is OK to use a myriad of fields" without affecting the rest of the
app. Hence the feature request!

Thank you very much for all the wonderful work y'all do with the Django
framework.

--
Ticket URL: <https://code.djangoproject.com/ticket/33852>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django
Jul 17, 2022, 1:09:17 AM
to django-...@googlegroups.com
#33852: Ability to exclude a specific view or form from
DATA_UPLOAD_MAX_NUMBER_FIELDS
--------------------------------+--------------------------------------
Reporter: Victor Kovalev | Owner: nobody
Type: New feature | Status: closed
Component: Forms | Version: 4.0
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => wontfix


Comment:

Thanks for this suggestion, however it seems to be really niche and not
worth maintaining by Django itself. I'm also not sure how forms with 1000+
fields can be filled by a human.

Please
[https://docs.djangoproject.com/en/stable/internals/contributing/triaging-tickets/#closing-tickets
follow the triaging guidelines with regards to wontfix tickets] and take
this to DevelopersMailingList, where you'll reach a wider audience and see
what others think.

--
Ticket URL: <https://code.djangoproject.com/ticket/33852#comment:1>

Django
Jul 17, 2022, 1:09:17 AM
Apr 22, 2024, 12:10:53 PM
to django-...@googlegroups.com
#33852: Ability to exclude a specific view or form from
DATA_UPLOAD_MAX_NUMBER_FIELDS
--------------------------------+--------------------------------------
Reporter: Victor Kovalev | Owner: nobody
Type: New feature | Status: closed
Component: Forms | Version: 4.0
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Comment (by Jonas Dittrich):

> I'm also not sure how forms with 1000+ fields can be filled by a human.

With (prefilled) Django's ModelMultipleChoiceField this can happen quite
easily. I'd consider reopening this ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/33852#comment:2>
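
The trade-off discussed in this thread, as an added example that is not part of the ticket and not Django's own code or API: a field-count cap that stays at the default for every path except one explicitly listed view, built on the standard library's `urllib.parse.parse_qsl(max_num_fields=...)`. The path `/cms/admin/bulk-edit/`, the raised cap of 5000 and all function names are assumptions; the constructed body shows how a single multi-select with many selected values exceeds the default of 1000, since each selected value is sent as its own key/value pair.

```python
from urllib.parse import parse_qsl, urlencode

DEFAULT_MAX_FIELDS = 1000  # Django's documented default for DATA_UPLOAD_MAX_NUMBER_FIELDS

# Assumption: hypothetical path and raised cap for the one admin-only view.
PER_PATH_MAX_FIELDS = {"/cms/admin/bulk-edit/": 5000}


class TooManyFields(Exception):
    """The body carries more key/value pairs than this path allows."""


def max_fields_for(path):
    """Return the cap for a path; every path not listed keeps the default."""
    return PER_PATH_MAX_FIELDS.get(path, DEFAULT_MAX_FIELDS)


def parse_form_body(path, body):
    """Parse a urlencoded body under the cap for this path.

    parse_qsl counts separators and rejects an oversized body before
    decoding any pair, so an over-limit request costs almost nothing.
    """
    limit = max_fields_for(path)
    try:
        pairs = parse_qsl(body, keep_blank_values=True, max_num_fields=limit)
    except ValueError as exc:
        raise TooManyFields(f"{path}: more than {limit} fields") from exc
    form = {}
    for key, value in pairs:
        form.setdefault(key, []).append(value)
    return form


def sample_multiselect_body(selected):
    """Constructed input: one text field plus `selected` values of one multi-select."""
    pairs = [("title", "Team")] + [("members", str(i)) for i in range(selected)]
    return urlencode(pairs)


if __name__ == "__main__":
    body = sample_multiselect_body(1500)  # 1501 pairs, but only 2 distinct names
    print(len(parse_form_body("/cms/admin/bulk-edit/", body)["members"]))
    try:
        parse_form_body("/profile/", body)
    except TooManyFields as exc:
        print("rejected:", exc)
```

The raised cap is still a finite number, so the listed view keeps a bound of its own while every other path stays at the default.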