Malcolm Tredinnick wrote:
> On Wed, 2006-10-11 at 21:33 -0500, Patrick J. Anderson wrote:
> [...]
>> I guess the concept of approving members needs to be refined. My project 
>> has some "special" requirements and this is one of them.
> 
> There's no problem with special requirements. My point was that it's not
> at all secure to include that value as a hidden input form variable. If
> it should be set to False upon creation, do that in the save() method or
> in the view function that processes the form submission. Putting the
> value in the form and trusting what is submitted means that people will
> be able to approve themselves if they have a few clues about how web
> form submission works and the inclination to do so.
> 
>> On the value of {{ object.is_approved }}: I see None for "Unknown", 1 
>> for "Yes" and 0 for "No". I'm not sure why either.
> 
> I guess one question to ask here is whether "object" in your example is
> a form manipulator or the model instance itself. If it's a form
> manipulator, then you are referencing a form field instance, not the model
> field. If it's the model field, I would expect the value in a template
> to be the same as the value if I print object.is_approved at a shell
> prompt (which will be a boolean or None). Looking at what you are
> reporting, it sounds like you are referencing a manipulator there, which
> changes things.
> 
> Regards,
> Malcolm
Thanks for your comments, Malcolm. I realize that a determined person 
could submit an altered form and edit other profiles.

I guess this is not a Django-specific question, but what would be the 
best way of preventing that from happening?
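As an added illustration of the server-side approach Malcolm describes (not code from either poster, and framework-free so it runs without Django), the constructed Profile and post_data below stand in for the model instance and the submitted form: the first handler copies every submitted key back onto the profile, so a form that carries is_approved approves the account; the second copies only allow-listed fields, checks that the profile belongs to the logged-in user, and never takes is_approved from the form.

```python
from dataclasses import dataclass

# Constructed stand-in for the model instance; not a Django model.
@dataclass
class Profile:
    owner_id: int
    display_name: str = ""
    bio: str = ""
    is_approved: bool = False

# The only fields a member may change through the profile form.
EDITABLE_FIELDS = ("display_name", "bio")

def update_profile_trusting_post(profile, post_data):
    """The pattern warned against: every submitted key is written back,
    so any client that adds is_approved=1 to the POST approves itself."""
    for key, value in post_data.items():
        if hasattr(profile, key):
            setattr(profile, key, value == "1" if key == "is_approved" else value)
    return profile

def update_profile(profile, post_data, current_user_id):
    """Hardened handler: ownership comes from the session, not the form;
    only allow-listed fields are copied; is_approved is left untouched."""
    if profile.owner_id != current_user_id:
        raise PermissionError("members may only edit their own profile")
    for key in EDITABLE_FIELDS:
        if key in post_data:
            setattr(profile, key, post_data[key])
    # Approval is decided server-side (by a moderator action), never by the submitter.
    return profile

def create_profile(owner_id, post_data):
    """On creation the flag is forced to False, as suggested for save()."""
    profile = Profile(owner_id=owner_id)
    update_profile(profile, post_data, owner_id)
    profile.is_approved = False
    return profile

def approve(profile, approver_is_moderator):
    """The one code path that may flip the flag, gated on a server-side role check."""
    if not approver_is_moderator:
        raise PermissionError("only moderators may approve members")
    profile.is_approved = True
    return profile
```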


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users
-~----------~----~----~----~------~----~------~--~---