Re: [Django] #26142: Provide a way for model formsets to disallow new object creation

Tue, 10 May 2016 06:56:02 -0700 

#26142: Provide a way for model formsets to disallow new object creation
-----------------------------+------------------------------------
     Reporter:  timgraham    |                    Owner:  Mortal
         Type:  New feature  |                   Status:  assigned
    Component:  Forms        |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  0            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+------------------------------------

Comment (by dsanders11):

 Can you expand on that a little? Looking at the formset code, if the form
 number is less than the initial form count, it uses
 `save_existing_object`. Since `validate_max` prevents any forms above
 initial form count from being a valid formset, the only way a new object
 could be created is if `save_existing_object` could create new objects,
 which would be a bug in itself probably.

 Playing with it in Chrome, providing a blank value for the PK of one of
 the objects in the formset will cause an error when
 [https://github.com/django/django/blob/master/django/forms/models.py#L605
 trying to use to_python on the PK value] since the value is blank and an
 integer is expected. Even if that didn't fail, it would fail to find the
 object by its PK in the queryset.

 Providing a bogus value for the PK will also
 [https://github.com/django/django/blob/master/django/forms/models.py#L588
 fail to look up in the queryset] on the formset. This also occurs if you
 use a PK for an existing object that isn't in the queryset, which is good,
 otherwise you'd be able to modify objects outside the queryset which would
 be very bad.

 So, I'm not sure I see the path where new objects can be created if
 `validate_max` is set and `max_num` is 0. Doesn't mean it's not there, but
 it's not immediately obvious how that could occur.

--
Ticket URL: <https://code.djangoproject.com/ticket/26142#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.11504c3e8f5601d4a420440b3ac76a34%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to