On Tue, Jun 12, 2012 at 10:10 PM, Alex Ogier <[email protected]> wrote:
> No one can sneak extra unexpected fields past a developer by editing HTML
> client side, because if the field wasn't rendered to HTML it's not
> going to validate.
>

But it may. If you have a template which renders specific fields, and yet the form is set to allow a wider set of fields than are actually rendered, client-side editing CAN result in the form allowing change to a field that had not been rendered in the template. The Django ModelForm doesn't know what fields were actually rendered in the HTML, it only knows what fields have been included/excluded from the ModelForm. You can post data for a field that was not rendered and it may pass validation and get saved.

Karen
