Re: Django formset hidden id field

2016-05-06 Thread Carl Meyer
Hi Rob,

On 05/03/2016 12:13 PM, Rob Ladd wrote:
> Carl Meyer said:
>
> "Whatever queryset you pass to the model formset limits the available rows for editing. The end user can edit the PK to refer to any item in that queryset, but not any item in the table."
>
> That's not true, based on

Re: Django formset hidden id field

2016-05-03 Thread Rob Ladd
Carl Meyer said: "Whatever queryset you pass to the model formset limits the available rows for editing. The end user can edit the PK to refer to any item in that queryset, but not any item in the table." That's not true, based on my observation. As long as the PK refers to any object of

Re: Django formset hidden id field

2015-07-06 Thread Carl Meyer
Hi Peter,

On 07/04/2015 12:42 AM, Peter of the Norse wrote:
>> On Jul 2, 2015, at 7:46 PM, Carl Meyer wrote:
>>
>>> So what? It’s quite likely that whoever is editing this row of the database, also has permissions to edit the other rows as well. There’s no reason for

Re: Django formset hidden id field

2015-07-04 Thread Javier Guerra Giraldez
On Sat, Jul 4, 2015 at 1:42 AM, Peter of the Norse wrote:
> You can’t have it both ways. Either exposing the PK is a security flaw or it isn’t. It’s just as easy for nefarious n’er-do-wells to edit the form’s URL as a hidden field. In either case, if you are using

Re: Django formset hidden id field

2015-07-04 Thread Peter of the Norse
> On Jul 2, 2015, at 7:46 PM, Carl Meyer wrote:
>
>> So what? It’s quite likely that whoever is editing this row of the database, also has permissions to edit the other rows as well. There’s no reason for them to go through the hassle of manually editing a hidden

Re: Django formset hidden id field

2015-07-02 Thread Carl Meyer
On 06/28/2015 03:00 PM, Peter of the Norse wrote:
> On May 27, 2015, at 7:47 AM, Cheng Guo wrote:
>>
>> Hello,
>>
>> I have a formset and when I render it, Django would include this line in the HTML:
>>
>> I am curious what is the

Re: Django formset hidden id field

2015-06-28 Thread Peter of the Norse
On May 27, 2015, at 7:47 AM, Cheng Guo wrote:
>
> Hello,
>
> I have a formset and when I render it, Django would include this line in the HTML:
>
> I am curious what is the purpose of having an id field here.
>
> I mean in what situation would you use it. I did

Re: Django formset hidden id field

2015-05-29 Thread Luis Zárate
Mmm, I am not sure of this, but I guess that this number is not a primary key (pk starts at 1, not 0, in postgres and mysql); it is a formset control number used by the formset to group fields on the server side (and also to create forms in the correct order). On Wednesday, May 27, 2015, Matthias

Re: Django formset hidden id field

2015-05-27 Thread Matthias Müller
> Just in general, is it a good idea to expose primary keys like this? Sometimes you can see them in urls too, like: www.yoursite/blog/1/, 1 would be the primary key of a blog.

It's an easy way to refer to an object. Unless there is a secure connection, this is IMHO the best way to

Re: Django formset hidden id field

2015-05-27 Thread Cheng Guo
Thank you! Yes, I forgot about the CSRF. You are right, it would be difficult to fake the CSRF string. Just in general, is it a good idea to expose primary keys like this? Sometimes you can see them in urls too, like: www.yoursite/blog/1/, 1 would be the primary key of a blog. On Wednesday,

Re: Django formset hidden id field

2015-05-27 Thread Matthias Müller
Without looking at the link I guess that your explanation is more or less correct. But it's not a security issue that the database is updated by a form. It has to be updated by a form. To make it a correct Django form there is a hidden field with the CSRF token. This protects the database being

Django formset hidden id field

2015-05-27 Thread Cheng Guo
Hello, I have a formset and when I render it, Django would include this line in the HTML: I am curious what is the purpose of having an id field here. I mean in what situation would you use it. I did look through Django's documentation on formset