id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24977	Template variables with a value of None are considered to be == to non-existent properties	Daniel Quinn	Tim Martin	"This bit me today and I thought I'd point it out since I would consider this a bug

{{{
{% if user.pk == some_undefined_value %}
  This is rendered if user is not logged in
{% endif %}

{% if user.pk == some_object.some_invalid_property %}
  This is also rendered if user is not logged in
{% endif %}
}}}

It's understood that the template shouldn't flip out with an exception in the event that we're trying to access an undefined value, but when testing against these in an `{% if %}` block, some very scary stuff can happen.

In my case in particular, I had something like this:

{{{
{% if user.pk == product.product_owner_id %}
  This is private data
{% endif %}
}}}

Changing the attribute name `product_owner_id` to something like `owner_id`, now accidentally leaks private data to unauthenticated users because the templating engine considers `None` equal to what is effectively an `AttributeError`.

What's worse, if you try to render these two values, you get `None` and `""""`, so they're not even equivalent when cast as a string."	Cleanup/optimization	closed	Template system	1.7	Normal	wontfix	string, if, equivalence		Accepted	1	0	0	1	0	0