Fixed #12070. Fixed a case where var._whatever wasn't raising a TemplateSyntaxError.

jkocherhans · jkocherhans · commit fd233f40d192 · 2010-02-23T18:50:57.000Z
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
diff --git a/django/template/__init__.py b/django/template/__init__.py
@@ -538,8 +538,6 @@ def __init__(self, token, parser):
                         var_obj = None
                 elif var is None:
                     raise TemplateSyntaxError("Could not find variable at start of %s." % token)
-                elif var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_':
-                    raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var)
                 else:
                     var_obj = Variable(var)
             else:
@@ -698,6 +696,8 @@ def __init__(self, var):
             except ValueError:
                 # Otherwise we'll set self.lookups so that resolve() knows we're
                 # dealing with a bonafide variable
+                if var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_':
+                    raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var)
                 self.lookups = tuple(var.split(VARIABLE_ATTRIBUTE_SEPARATOR))
 
     def resolve(self, context):
diff --git a/tests/regressiontests/templates/parser.py b/tests/regressiontests/templates/parser.py
@@ -76,6 +76,13 @@
 []
 >>> fe.var
 u'Some "Good" News'
+
+Filtered variables should reject access of attributes beginning with underscores.
+
+>>> FilterExpression('article._hidden|upper', p)
+Traceback (most recent call last):
+...
+TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden'
 """
 
 variable_parsing = r"""
@@ -105,4 +112,10 @@
 >>> Variable(ur"'Some \'Better\' News'").resolve(c)
 u"Some 'Better' News"
 
+Variables should reject access of attributes beginning with underscores.
+
+>>> Variable('article._hidden')
+Traceback (most recent call last):
+...
+TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden'
 """
