Actually, I was talking about server-side form processing, not client-side. When
the client posts data, I always check permissions in a VIEW that receives it.

2009/10/20 Mike Ramirez <gufym...@gmail.com>

> On Tuesday 20 October 2009 11:47:51 Михаил Лукин wrote:
>
> > Next, we don't want 'edit' and 'change status' links to always appear on
> > task detail page, so we pass 'can_edit' and 'can_change_status' flags to
> > the template. But we never trust the browser, so in views 'task_edit' and
> > 'task_change_status' before displaying or processing the forms we check
> > AGAIN if requester has such permissions:
> >
>
> for the record, if you're talking about testing permissions with the django
> template language (i.e. {% ifequal user.permission 'can_edit' %} do something
> {% endifequal %}), this is still done server side.  The only thing going to
> the client side is the actual html that the templating language is generating
> after evaluating the template language.
>
> >
> > What is your best practice in such situations?
> >
>
> I concur with a custom tag.
>
> Mike
> --
> Everyone's in a high place when you're on your knees.
>



-- 
regards,
Mihail
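
The pattern discussed in this thread, as an added example that is not part of the original messages: plain Python without Django, where `User`, `Task`, `requires`, `PermissionDenied` and `submit_edit` are hypothetical stand-ins. The `can_edit` flag only controls whether the link is rendered, and `task_edit` repeats the same check before it touches posted data.

```python
from dataclasses import dataclass, field
from functools import wraps

class PermissionDenied(Exception):
    """Raised by a view when the requester lacks the permission (think HTTP 403)."""

@dataclass
class User:  # hypothetical stand-in for the authenticated requester
    name: str
    perms: set = field(default_factory=set)

@dataclass
class Task:  # hypothetical stand-in for the task model
    title: str

def has_perm(perm):
    """Build one reusable check so the template flag and the view agree."""
    return lambda user: perm in user.perms

can_edit = has_perm("can_edit")

def requires(check):
    """Decorator: run the permission check on the server before the view body."""
    def decorator(view):
        @wraps(view)
        def wrapper(user, task, *args, **kwargs):
            if not check(user):
                raise PermissionDenied(view.__name__)
            return view(user, task, *args, **kwargs)
        return wrapper
    return decorator

def task_detail(user, task):
    # The flag only decides whether the template renders the 'edit' link.
    return {"task": task, "can_edit": can_edit(user)}

@requires(can_edit)
def task_edit(user, task, posted):
    # Reached only after the check above; a hidden link grants or denies nothing.
    task.title = posted["title"]
    return task

def submit_edit(user, task, posted):
    """Constructed scenario: the form is posted directly, link shown or not."""
    try:
        task_edit(user, task, posted)
        return "saved"
    except PermissionDenied:
        return "denied"
```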
