Actually, I was talking about server-side form processing, not client-side. When the client posts data, I always check permissions in the VIEW that receives it.
2009/10/20 Mike Ramirez <gufym...@gmail.com>

> On Tuesday 20 October 2009 11:47:51 Михаил Лукин wrote:
>
> > Next, we don't want 'edit' and 'change status' links to always appear on
> > task detail page, so we pass 'can_edit' and 'can_change_status' flags to
> > the template. But we never trust the browser, so in views 'task_edit' and
> > 'task_change_status' before displaying or processing the forms we check
> > AGAIN if requester has such permissions:
>
> for the record, if you're talking about testing permissions with the django
> template language (i.e. {% ifequal user.permission 'can_edit' %} do something
> {% endifequal %}), this is still done server side. The only thing going to
> the client side is the actual html that the templating language is generating
> after evaluating the template language.
>
> > What is your best practice in such situations?
>
> I concur with a custom tag.
>
> Mike
> --
> Everyone's in a high place when you're on your knees.

--
regards,
Mihail
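The pattern discussed in this thread, as an added example that is not part of the original messages and is not Django code: a framework-free Python model in which the 'can_edit' and 'can_change_status' flags only decide which links the template renders, while the 'task_edit' and 'task_change_status' views check the permission again on every request. The names User, Request, TASKS, PermissionDenied and requires are hypothetical stand-ins, and permissions are assumed to be a set of strings on the user.

```python
from dataclasses import dataclass, field
from functools import wraps

class PermissionDenied(Exception):
    """Raised by a view when the requester lacks the needed permission."""

@dataclass
class User:                      # hypothetical stand-in for the framework's user
    name: str
    perms: set = field(default_factory=set)

@dataclass
class Request:                   # hypothetical stand-in for an HTTP request
    user: User
    method: str = "GET"
    POST: dict = field(default_factory=dict)

TASKS = {1: {"title": "Write report", "status": "open"}}  # constructed sample data

def requires(perm):
    """Check perm before the view body runs, for GET (display) and POST (process)."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, task_id):
            if perm not in request.user.perms:
                raise PermissionDenied(f"{request.user.name} lacks {perm}")
            return view(request, task_id)
        return wrapper
    return decorator

def task_detail(request, task_id):
    # The flags only decide whether the links are rendered; they grant nothing.
    return {"task": TASKS[task_id],
            "can_edit": "can_edit" in request.user.perms,
            "can_change_status": "can_change_status" in request.user.perms}

@requires("can_edit")
def task_edit(request, task_id):
    if request.method == "POST":
        TASKS[task_id]["title"] = request.POST["title"]
    return TASKS[task_id]

@requires("can_change_status")
def task_change_status(request, task_id):
    if request.method == "POST":
        TASKS[task_id]["status"] = request.POST["status"]
    return TASKS[task_id]
```

A POST sent straight to task_edit by a user whose detail page never showed the link is rejected before the task is modified.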