Don't use `__all__`

One thing I often see Django developers do when creating Django forms or Django REST Framework serializers is use the `__all__` shortcut to specify all fields from the model. Personally I would remove this as an option, as it encourages 2 bad practices IMO.

Firstly, this introduces a security risk of leaking information later in the codebase's life. When a new model field is added at a later date and is not meant to be exposed through this form, `__all__` makes that exposure happen more easily. It is the same reasoning as to why `exclude` shouldn't be used on Forms or Serializers.
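One way to enforce this in code review or CI is to flag every `Meta` that uses `fields = "__all__"` or `exclude`. The check below is an added example, not code from the original post; the function name `find_implicit_field_lists` and the sample classes are hypothetical, and it only parses source text, so Django does not need to be installed.

```python
import ast

# Constructed sample source (not from the original post): three Django-style
# classes whose inner Meta declares its fields in different ways.
SAMPLE = '''
from django import forms
from rest_framework import serializers
from .models import Account

class AccountForm(forms.ModelForm):
    class Meta:
        model = Account
        fields = "__all__"

class AccountSerializer(serializers.ModelSerializer):
    class Meta:
        model = Account
        exclude = ["password"]

class SignupForm(forms.ModelForm):
    class Meta:
        model = Account
        fields = ["email", "display_name"]
'''

def find_implicit_field_lists(source):
    """Return (outer class, line, reason) for each Meta that uses
    fields = "__all__" or exclude = ..., i.e. an implicit field list."""
    findings = []
    for outer in ast.walk(ast.parse(source)):
        if not isinstance(outer, ast.ClassDef):
            continue
        for meta in outer.body:
            if not (isinstance(meta, ast.ClassDef) and meta.name == "Meta"):
                continue
            for stmt in meta.body:
                if not isinstance(stmt, ast.Assign):
                    continue
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                value = stmt.value
                if "fields" in names and isinstance(value, ast.Constant) and value.value == "__all__":
                    findings.append((outer.name, stmt.lineno, 'fields = "__all__"'))
                elif "exclude" in names:
                    findings.append((outer.name, stmt.lineno, "exclude"))
    return findings

if __name__ == "__main__":
    for cls, line, reason in find_implicit_field_lists(SAMPLE):
        print(f"line {line}: {cls}.Meta uses {reason}; list the fields explicitly")
```

Only `SignupForm`, which names its fields, passes; a field later added to `Account` would not reach it without an explicit edit.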

Secondly, you might think it's a handy shortcut since you are just repeating information. However, the list of fields in a Form represents a fundamentally different concept in your app. Model fields declare how data should be stored in your database; a Form doesn't represent this, but rather what data a user ought to be inputting into a webpage. These are related but not the same. A quick example of this is agreeing to T&Cs: in the database it is often best to store this as a `DateTimeField`, whereas a Form would simply require a checkbox. The same goes for fields that get populated on model save, etc.