Re: Initializing a ModelForm don't work - BUG ?

2010-03-30 Thread pjrhar...@gmail.com


On Mar 29, 12:24 pm, bruno desthuilliers wrote:
> On 29 mar, 09:12, Thierry Chich wrote:
>
> > On Monday 29 March 2010 02:14:34, pjrhar...@gmail.com wrote:
> > > > OK. I can also put a hidden field in my form. I will evaluate what is
> > > > the better option for me.
>
> > > Bear in mind if you exclude it from your form altogether there is
> > > nothing to stop a malicious user setting it by modifying the post
> > > data.
>
> > > Peter

Yes, sorry, I rewrote this and left it making no sense! s/if/unless/!

What I meant to say is unless you exclude it then someone can edit the
post data.

The only way to ensure no one fiddles with hidden fields is to add a
hash that you then check, but that's probably not needed here, just
exclude it since you don't need it in the form.

Peter

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
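
The hash check Peter mentions, as an added example that is not part of the original post. It uses a keyed hash (HMAC) rather than a plain hash, since a client could recompute a plain hash after editing the value; `SECRET_KEY`, the `_sig` suffix and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac

# Assumption: a secret known only to the server (constructed value for the demo).
SECRET_KEY = b"constructed-demo-key"


def sign_field(name, value, session_id, key=SECRET_KEY):
    """MAC over session, field name and value, so none can be swapped."""
    msg = "\x00".join((session_id, name, value)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hidden_inputs(name, value, session_id):
    """The two hidden inputs the server would render: the value and its MAC."""
    return {name: value, name + "_sig": sign_field(name, value, session_id)}


def verified_value(post, name, session_id):
    """Return post[name] if its MAC is valid for this session, else None."""
    value = post.get(name)
    sig = post.get(name + "_sig")
    if value is None or sig is None:
        return None  # field or signature stripped from the POST
    expected = sign_field(name, value, session_id)
    # Compare as bytes: compare_digest rejects non-ASCII str input.
    if not hmac.compare_digest(expected.encode(), sig.encode("utf-8")):
        return None  # value edited, or MAC issued for another session
    return value


# Constructed POST bodies for a form rendered in session "sess-A".
GOOD_POST = hidden_inputs("domaine", "42", "sess-A")
EDITED_POST = dict(GOOD_POST, domaine="43")
```

Binding the MAC to the session stops a value signed for one user from being replayed by another. In a Django project, `django.core.signing` provides signed values without hand-rolling the MAC.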



Re: Initializing a ModelForm don't work - BUG ?

2010-03-29 Thread bruno desthuilliers


On 29 mar, 09:12, Thierry Chich wrote:
> On Monday 29 March 2010 02:14:34, pjrhar...@gmail.com wrote:
> > > OK. I can also put a hidden field in my form. I will evaluate what is
> > > the better option for me.
>
> > Bear in mind if you exclude it from your form altogether there is
> > nothing to stop a malicious user setting it by modifying the post
> > data.
>
> > Peter
>
> You would say: if I use a hidden form. If I exclude the field from my
> ModelForm, a corrupted POST cannot have an effect. I just have to set the
> field value in the model, and it is done, isn't it?

Yeps, right.

To summarize: if you don't want the user to be able to set a field
from a modelForm, then exclude it from the modelForm and set it on the
instance.

Using a hidden field will "kind of" work - if you don't care about
security, that is !-)




Re: Initializing a ModelForm don't work - BUG ?

2010-03-29 Thread Thierry Chich
On Monday 29 March 2010 02:14:34, pjrhar...@gmail.com wrote:
> > OK. I can also put a hidden field in my form. I will evaluate what is
> > the better option for me.
> 
> Bear in mind if you exclude it from your form altogether there is
> nothing to stop a malicious user setting it by modifying the post
> data.
> 
> Peter

You would say: if I use a hidden form. If I exclude the field from my
ModelForm, a corrupted POST cannot have an effect. I just have to set the
field value in the model, and it is done, isn't it?

Thierry




Re: Initializing a ModelForm don't work - BUG ?

2010-03-28 Thread pjrhar...@gmail.com
> OK. I can also put a hidden field in my form. I will evaluate what is the
> better option for me.

Bear in mind if you exclude it from your form altogether there is
nothing to stop a malicious user setting it by modifying the post
data.

Peter




Re: Initializing a ModelForm don't work - BUG ?

2010-03-27 Thread Thierry Chich
On Saturday 27 March 2010 19:23:04, Daniel Roseman wrote:
> On Mar 27, 4:34 pm, Thierry Chich wrote:
> > I think I get the point.
> >
> > If I write
> >         obj=MyModel()
> >         obj.domaine=request.session.get("domaine")
> >         form=MyModelForm(instance=obj)
> >         if form.is_valid():
> >                 form.save()
> >
> > It works (but I didn't populate my form)
> > So it seems that the data provided in data=request.POST are overwriting
> > my domaine field.
> > It is really curious, because request.POST doesn't contain any reference
> > to my field domaine
> >
> > It looks like a bug, isn't it?
>
> No, this is expected and documented behaviour. If the POST doesn't
> contain a value for a particular model field, that field is set to
> blank. This is because an empty HTML field is not included in a POST,
> exactly as if the field wasn't on the form at all.

This makes sense. It is obviously a good reason.

> If you don't want this to happen, exclude the domaine field from the
> form altogether via the modelform Meta 'fields' or 'exclude' tuples.

OK. I can also put a hidden field in my form. I will evaluate what is the
better option for me.

Thanks very much. 

Thierry




Re: Initializing a ModelForm don't work - BUG ?

2010-03-27 Thread Daniel Roseman
On Mar 27, 4:34 pm, Thierry Chich wrote:
> I think I get the point.
>
> If I write
>         obj=MyModel()
>         obj.domaine=request.session.get("domaine")
>         form=MyModelForm(instance=obj)
>         if form.is_valid():
>                 form.save()
>
> It works (but I didn't populate my form)
> So it seems that the data provided in data=request.POST are overwriting my
> domaine field.
> It is really curious, because request.POST doesn't contain any reference to my
> field domaine
>
> It looks like a bug, isn't it?

No, this is expected and documented behaviour. If the POST doesn't
contain a value for a particular model field, that field is set to
blank. This is because an empty HTML field is not included in a POST,
exactly as if the field wasn't on the form at all.

If you don't want this to happen, exclude the domaine field from the
form altogether via the modelform Meta 'fields' or 'exclude' tuples.
--
DR.




Re: Initializing a ModelForm don't work - BUG ?

2010-03-27 Thread Thierry Chich
I think I get the point.

If I write
        obj=MyModel()
        obj.domaine=request.session.get("domaine")
        form=MyModelForm(instance=obj)
        if form.is_valid():
                form.save()

It works (but I didn't populate my form)
So it seems that the data provided in data=request.POST are overwriting my
domaine field.
It is really curious, because request.POST doesn't contain any reference to my
field domaine

It looks like a bug, isn't it?

On Saturday 27 March 2010 15:54:53, Thierry Chich wrote:
> On Saturday 27 March 2010 14:39:40, Thierry Chich wrote:
> > Hello all
> >
> > I have a problem to understand something. I could find some workaround
> > easily, but I don't want it. I want to understand.
> >
> > So this is the situation. I have a modelForm (MyModelForm) that is built
> > on a model (MyModel) with one field mandatory (domaine - and it is a
> > ForeignKey). I don't want to show it to the user. I want it set in the
> > program
> >
> > I wrote this code in my view:
> >
> >         if request.method == 'POST':
> >                 obj=MyModel()
> >                 obj.domaine=request.session.get("domaine")
> >                 form=MyModelForm(request.POST,instance=obj)
> >                 if form.is_valid():
> >                         obj.save()
>
> Small mistake: it is form.save(), but it doesn't change anything about the
> problem. It never enters this cond. The form is not valid.
>
> > I was thinking that since obj already contains a 'domaine', it would not
> > complain, but it is not the case. The form is considered as not valid
> > because of the domaine field. It is really disturbing for two reasons:
> >
> > 1) with the debugger, I clearly see the domaine object in obj. I also see
> > a form.fields.domaine that looks great.
> >
> > 2) In another part, that works this time, I have something pretty
> > similar. I modified an already existing obj
>
> Forget this point. It doesn't work. I don't know why. A regression, I
> believe. So the idea doesn't seem to work at all. If somebody knows why
> ...
>
> >         if request.method == 'POST':
> >                 obj=get_object_or_404(MyModel,id=id)
> >                 form=MyModelForm(request.POST,instance=obj)
> >                 if form.is_valid():
> >                         form.save()
> >
> > If some of you have an idea, I would be thankful.
> >
> > Thierry




Re: Initializing a ModelForm don't work

2010-03-27 Thread Thierry Chich
On Saturday 27 March 2010 14:39:40, Thierry Chich wrote:
> Hello all
>
> I have a problem to understand something. I could find some workaround
> easily, but I don't want it. I want to understand.
>
> So this is the situation. I have a modelForm (MyModelForm) that is built on
> a model (MyModel) with one field mandatory (domaine - and it is a
> ForeignKey). I don't want to show it to the user. I want it set in the
> program
>
> I wrote this code in my view:
>
>         if request.method == 'POST':
>                 obj=MyModel()
>                 obj.domaine=request.session.get("domaine")
>                 form=MyModelForm(request.POST,instance=obj)
>                 if form.is_valid():
>                         obj.save()

Small mistake: it is form.save(), but it doesn't change anything about the
problem. It never enters this cond. The form is not valid.

> I was thinking that since obj already contains a 'domaine', it would not
> complain, but it is not the case. The form is considered as not valid
> because of the domaine field. It is really disturbing for two reasons:
>
> 1) with the debugger, I clearly see the domaine object in obj. I also see a
> form.fields.domaine that looks great.
>
> 2) In another part, that works this time, I have something pretty similar.
> I modified an already existing obj

Forget this point. It doesn't work. I don't know why. A regression, I
believe. So the idea doesn't seem to work at all. If somebody knows why ...

>         if request.method == 'POST':
>                 obj=get_object_or_404(MyModel,id=id)
>                 form=MyModelForm(request.POST,instance=obj)
>                 if form.is_valid():
>                         form.save()
>
> If some of you have an idea, I would be thankful.
>
> Thierry
