Well... you were right. The problem was with my code. As a public service, the code below will expose the data of a logged in user for anyone viewing the site:

BAD code -------------------------------->
view.py:

from django.shortcuts import get_object_or_404, render_to_response
from django.template import RequestContext
# Report and ReportUpdateForm come from the project's own modules.

def show( request, report_id ):
    report = get_object_or_404(Report, id=report_id)
    return render_to_response("reports/show.html",
                { "report": report,
                  "update_form": ReportUpdateForm(user=request.user) },
                context_instance=RequestContext(request))

form.py:

from django import forms
# ReportUpdate and UserProfile are the project's own models.

class ReportUpdateForm(forms.ModelForm):

    class Meta:
        model = ReportUpdate
        fields = ('desc','author','email','phone','is_fixed')

    # BAD: the initial={} default is created once, when the function is defined,
    # and is shared by every call that does not pass its own 'initial'.
    def __init__(self,data=None,files=None,initial={},first_update=False,user = None, report=None):
        if user and user.is_authenticated() and UserProfile.objects.filter(user=user).exists():
            initial[ 'author' ] = user.first_name + " " + user.last_name
            initial[ 'phone' ] = user.get_profile().phone
            initial[ 'email' ] = user.email
        super(ReportUpdateForm,self).__init__(data,files=files, initial=initial)
---------------------------------------->

... I'm guessing because the 'initial' declaration in the form constructor prototype is not on the stack, like I would have thought. Changing the view to construct the ReportUpdateForm like so:

    "update_form": ReportUpdateForm(user=request.user, initial={}),

puts the values on the stack, instead of in the apparently persistent dict declared in the constructor prototype.

This was confirmed with a unit test:

-------------------------------->
    def test_update_form(self):
        # check that default values are already filled in.
        c = Client()
        r = c.login(username='user1',password='user1')
        url = '/reports/4'
        r = c.get( url )
        self.assertEquals( r.status_code, 200 )
        self.assertContains(r,"Clark Kent")
        self.assertContains(r,"us...@test.com")
        self.assertContains(r,"555-111-1111")

        # check that default values are NOT already filled in
        # for a second anonymous client (problem in the field)
        c2 = Client()
        r = c2.get( url )
        self.assertEquals( r.status_code, 200 )
        self.assertNotContains(r,"Clark Kent")
        self.assertNotContains(r,"us...@test.com")
        self.assertNotContains(r,"555-111-1111")
----------------------->

Which passes or fails according to the change above.

Thank you for your advice.

Jennifer

On Oct 25, 2:36 pm, Daniel Roseman <dan...@roseman.org.uk> wrote:
> On Monday, 24 October 2011 23:14:40 UTC+1, Jennifer Bell wrote:
>
> > On my site, some user data is automatically filled in to a form if a
> > user is logged in by accessing request.user in the view code.
>
> > On deployment, it seems that if *any* user is logged in, forms
> > requested via another browser will be filled in with their data. The
> > data is not filled in if no user is logged in.
>
> > I'm mystified. Where is this coming from? I'm using django 1.3, and
> > caching is not enabled in my settings (though I have set
> > CACHE_MIDDLEWARE_ANONYMOUS_ONLY=True just in case).
>
> > The WSGIDaemonProcess is set up like this:
> >     WSGIDaemonProcess lalala user=lalala group=lalala threads=1
> > processes=3
>
> > Is this apache? mod_wsgi?
>
> > Jennifer
>
> No, it's your code. You've got something somewhere that's providing default
> arguments to your form, but is doing so at the module or class level rather
> than per-request. You'd better show your form and view code.
> --
> DR.
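
The behaviour the unit test in this thread confirms, as an added example that is not part of the original posts: a dict default is created once, at function definition, so values written into it for one request are handed to the next. The function names, the sample user and SAMPLE are constructed for illustration; find_mutable_defaults is a small AST check for the pattern and goes slightly beyond the thread's case by also flagging list and set defaults.

```python
import ast

# Constructed stand-ins for the thread's form constructor (names are hypothetical).
def build_initial_shared(user=None, initial={}):   # same pattern as the BAD code
    if user:
        initial["author"] = user["name"]
        initial["email"] = user["email"]
    return initial

def build_initial_fixed(user=None, initial=None):
    # Copy per call: neither the default nor the caller's dict is shared across requests.
    initial = dict(initial or {})
    if user:
        initial["author"] = user["name"]
        initial["email"] = user["email"]
    return initial

MUTABLE_NODES = (ast.Dict, ast.List, ast.Set, ast.DictComp, ast.ListComp, ast.SetComp)

def find_mutable_defaults(source):
    """Return (function, argument, line) for each parameter whose default is mutable."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        args = node.args
        positional = args.posonlyargs + args.args
        # Defaults line up with the last len(defaults) positional parameters.
        pairs = list(zip(positional[len(positional) - len(args.defaults):], args.defaults))
        pairs += [(a, d) for a, d in zip(args.kwonlyargs, args.kw_defaults) if d is not None]
        for arg, default in pairs:
            is_call = (isinstance(default, ast.Call) and isinstance(default.func, ast.Name)
                       and default.func.id in ("dict", "list", "set"))
            if isinstance(default, MUTABLE_NODES) or is_call:
                findings.append((node.name, arg.arg, default.lineno))
    return findings

# Constructed sample: the constructor signature from the thread with its body elided.
SAMPLE = '''
class ReportUpdateForm(object):
    def __init__(self, data=None, files=None, initial={}, first_update=False, user=None, report=None):
        pass
'''

if __name__ == "__main__":
    clark = {"name": "Clark Kent", "email": "clark@example.test"}   # constructed user
    build_initial_shared(user=clark)                                 # logged-in request
    print("anonymous:", build_initial_shared(), build_initial_fixed())
    print(find_mutable_defaults(SAMPLE))
```

Running the check over a code base in CI catches this class of cross-request data exposure before deployment; the per-call copy in build_initial_fixed is the corresponding fix in the constructor itself.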