On Tue, Jun 12, 2012 at 11:43 PM, Karen Tracey <[email protected]> wrote:
> On Tue, Jun 12, 2012 at 10:10 PM, Alex Ogier <[email protected]> wrote:
>>
>> No one can sneak extra unexpected fields past a developer by editing HTML
>> client side, because if the field wasn't rendered to HTML it's not
>> going to validate.
>
>
> But it may. If you have a template which renders specific fields, and yet
> the form is set to allow a wider set of fields than are actually rendered,
> client-side editing CAN result in the form allowing change to a field that
> had not been rendered in the template. The Django ModelForm doesn't know
> what fields were actually rendered in the HTML, it only knows what fields
> have been included/excluded from the ModelForm. You can post data for a
> field that was not rendered and it may pass validation and get saved.
>
> Karen
>
Oof, you are right. I hadn't considered the wrench that templating
throws into the works. I've always done {% for field in form.fields %}
myself, but that's a bad assumption to make.
Best,
Alex Ogier
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en.
