I spent Saturday on rewriting a Flask app in Django. The app in question was Nikola Users, which is a very simple CRUD app. And yet, the Flask code was a mess, full of bugs and vulnerabilities. Eight hours later, I had a fully functional Django app that did more and fixed all problems.

Original Flask app

The original Flask app had a ton of problems. In order to make it anywhere near useful, I would need to spend hours. Here’s just a few of them:

  • 357 lines of spaghetti code (295 SLOC), all in one file

  • No form data validation, no CSRF 1 protection (it did have XSS protection though)

  • Login using Mozilla Persona, which requries JavaScript, is a bit kludgey, and feels desolate (and also had me store the admin e-mail list in code)

  • Geopolitics issues: using country flags for languages

  • A lot of things were implemented by hand

  • SQLAlchemy is very verbose

  • no DB migrations (makes enhancements harder)

  • Languages implemented as a PostgreSQL integer array

  • Adding a language required running a command-line script and restarting the app (languages were cached in Python dicts with no way to reload them from the database; that would require talking through uWSGI anyway because there were multiple processes involved)

  • The templates were slightly hacky (the page title was set in each individual template and not in the view code); menus hacked together in HTML with no highlighting

  • Python 2.7

The rewrite

I started the process by opening Django documentation, with its wonderful tutorial. Now, I have written a couple basic Django apps before, but the majority of them didn’t do much. In other words, I didn’t have a lot of experience. Especially with taking user input and relationships. It took me about 8 hours to get feature parity, and more.

Getting all the features was really simple. For example, to get a many-to-many relationship for languages, I had to write just one line.

languages = models.ManyToManyField(Language)

That’s it. I didn’t have to run through complicated SQLAlchemy documentation, which provides a 13-line solution to the same problem.

Django also simplified New Relic integration, as the browser JS can be implemented using Django template tags.

Django is not without its problems, though. I got a very cryptic traceback when I did this:

publish_email = forms.BooleanField("Publish e-mail", required=False)
TypeError: "BooleanField() got multiple values for argument 'required'"

The real problem with this code? I forgot the label= keyword. The problem is, the model API accepts this syntax — verbose_name is the first argument. (I am not actually using the labels though, I write my own form HTML)

Still, the Django version is much cleaner. And the best part of all? There are no magic global objects (g, session, request) and decorator-based views (which are a bit of syntax abuse IMO).

In the end, I have:

  • 382 lines of code (297 SLOC) over 6 files — much cleaner, and with less long lines

  • form data validation (via Django), CSRF and XSS protection

  • Login using Django built-in authentication, without JavaScript

  • Language codes (granted, I could’ve done that really easily back in Flask)

  • Tried-and-true implementations of common patterns

  • Django models are much more readable and friendly

  • Django-provided DB migrations (generated automatically!)

  • Languages implemented using Django many-to-many relationships

  • Adding a language is possible from the Django built-in admin panel and is reflected immediately (no caching)

  • Titles and menus in code

  • Python 3

  • New features: featured sites; show only a specified language — were really easy to add

1

I had some CSRF_ENABLED variable, but it did not seem to be actually used by anything.