Re: Django and database user column update privileges

[Ken]

Cheers Karen.

I just wanted to make sure that all aspects of my question were
answered, so I separated the second problem into this thread.  Thanks
for your help.  (See other thread.)

Ken

On 5 Mar, 02:17, Karen Tracey  wrote:
> I answered your question in the other thread you had asking the exact same
> thing.
> Karen

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.

Re: Django and database user column update privileges

[Karen Tracey]

I answered your question in the other thread you had asking the exact same
thing.
Karen

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.

Django and database user column update privileges

[Ken]

Folks

I need to get my users to submit a form, the result of which is a an
update of one column of one row of my database table.  For security
reasons the Django database user only has privileges to update a
single column of this table (and select privs on the rest).

However, when I submit the form, I note that the database UPDATE
command that was received updated ALL columns except the primary key,
which was used in the WHERE clause.

Here is some very simple Form code (I'm new to Forms, so bear with
me...  Thanks for your help Shawn...)

class TcsDetectionListsForm(forms.Form):
name = forms.CharField()

def candidateWithForm(request):
detectionListRow = TcsDetectionLists.objects.get(pk=0)
if request.method == 'POST':
form = TcsDetectionListsForm(request.POST)
if form.is_valid(): # All validation rules pass
detectionListRow.name = form.cleaned_data['name']
detectionListRow.save()
else:
form = TcsDetectionListsForm(initial={'name':
detectionListRow.name })

Here's what happened in the database (from the DB log):

223592 QueryUPDATE `tcs_detection_lists` SET `name` = 'rubbish',
`description` = 'Bad Candidates' WHERE `tcs_detection_lists`.`id` = 0

We shouldn't be updating the 'description' column.

If my security settings were in place, the above query would fail,
because the Django DB user only has update access to the 'name' column
for this table.

The actual table that will be updated eventually has a much larger set
of columns, with lots of doubles & floats.  I really don't want to be
re-writing the entire row and I really don't want to have to resort to
raw SQL.  Any ideas (preferably with an example)?

Cheers,

Ken

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.