On closer inspection, isn't your alternative inspection taken care of
by the security_hash(...) method?  In which case, all I want is for
revalidation to be skipped?  Can't I simply add a method, which could
be overridden in subclasses, which says:

def revalidate(self):
    # Default: keep revalidating every form before done().
    return True

And wrap the revalidation logic in a conditional using this method (in
django/contrib/formtools/wizard.py):

            # Validate all the forms. If any of them fail validation, that
            # must mean the validator relied on some other input, such as
            # an external Web site.
            # ADDING THE FOLLOWING LINE
            if self.revalidate():
                for i, f in enumerate(final_form_list):
                    if not f.is_valid():
                        return self.render_revalidation_failure(request, i, f)
            return self.done(request, final_form_list)

And then my (and others') subclasses can simply implement revalidate to
return False?

Thoughts?

Thanks,
Greig


On Apr 4, 12:33 pm, Tim Chase <[EMAIL PROTECTED]> wrote:
> > I am using a FormWizard with two simple forms. The first form
> > has some complex validation to do on two of the fields, so I
> > put that code in clean().  That all works fine.
>
> > After the second form has been submitted, it appears that the
> > clean() is called on the first form again.  This happens
> > before the done() method on the Wizard itself.  Obviously with
> > an expensive (time) validation I don't want to do it twice.
> > Is there some way to do once only validation on the first form
> > in a FormWizard ?
>
> In general, you want to validate every datum on every request.
> This prevents people from modifying the hidden fields used to
> hold the 1st form when they submit the 2nd form.  However, as you
> describe, it might not be feasible if some complex calculation
> occurs.  A couple possibilities that occur to me:
>
> You could only clean the 1st form if you're coming from the 2nd
> form (skip cleaning on the 1st form).  That saves you from doing
> it the 1st time rather than the 2nd time.  However, if your 2nd
> form depends on trusting information in the first form, this
> won't work.
>
> Alternatively, you could add a secured MD5/SHA1 hash to be
> included in the hidden fields that verifies that the given data
> has been cleaned already.  You would combine all your fields, a
> salt, and a secret in a predictable order, and then get the
> MD5/SHA1 of that content.  Then instead of whatever your
> complicated check is, you can just recombine your fields, your
> salt, and your secret (in the same order), and check the MD5/SHA1
> hash across them.  If they match, all is good.  If they don't
> match, the user has altered the hidden form data and you can
> either error out, or do the recalculation of the first form.
>
> -tim
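
The signed hidden-field check Tim describes, as an added example that is not code from this thread or from Django's formtools. It swaps the plain MD5/SHA1 over fields, salt and secret for HMAC-SHA256 with a constant-time comparison and binds the tag to the step number; `SECRET`, `sign_step`, `verify_step` and `needs_revalidation` are hypothetical names.

```python
import hashlib
import hmac
import json

# Assumption: stands in for a server-side secret such as Django's SECRET_KEY.
SECRET = b"constructed-example-secret"


def _canonical(step, cleaned):
    """Serialize step number and fields in a fixed, unambiguous order."""
    # Sorted JSON keeps field boundaries explicit, so {"a": "1", "b": "23"}
    # and {"a": "12", "b": "3"} cannot collide as raw concatenation would.
    payload = [step, sorted(cleaned.items())]
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def sign_step(step, cleaned, secret=SECRET):
    """Tag to place in a hidden field once the step has passed clean()."""
    return hmac.new(secret, _canonical(step, cleaned), hashlib.sha256).hexdigest()


def verify_step(step, posted, tag, secret=SECRET):
    """True only if the posted hidden fields are exactly what was signed."""
    expected = sign_step(step, posted, secret)
    # Compare as bytes in constant time; a non-ASCII tag simply fails.
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


def needs_revalidation(step, posted, tag):
    """Run the expensive clean() again unless the tag proves the data is intact."""
    return not verify_step(step, posted, tag)


if __name__ == "__main__":
    # Constructed sample data for a first wizard step.
    step0 = {"account": "12345", "amount": "10.00"}
    tag0 = sign_step(0, step0)
    print(needs_revalidation(0, step0, tag0))                          # intact
    print(needs_revalidation(0, dict(step0, amount="9999.00"), tag0))  # altered
    print(needs_revalidation(1, step0, tag0))                          # wrong step
```

A valid tag shows only that the hidden fields are the ones that were signed after validation; when a validator depends on external input that can change between steps, it does not show the data would still pass.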