On 06/13/2012 12:57 PM, Anssi Kääriäinen wrote:
> The point is the same form with the same fields can be used in
> multiple places. There is no need for dynamic addition and removal of
> fields in Python code. The dynamism is in which fields to display -
> not which fields the form contains. You render only field1, except for
> superusers you render field1 and field2. Thus, the fields = ('field1',
> 'field2') in the form's meta doesn't do the security restriction you
> want for this case - the place to do the restriction is in the form
> init call:
>
> if user.is_superuser:
>     form = MyModelForm(request.POST, allowed_fields=('field1', 'field2'))
> else:
>     form = MyModelForm(request.POST, allowed_fields=('field1',))
Ah, I see better what you're getting at now. I still think that using
the same form for two purposes in this way is an unusual case, and
probably not the best approach. I've never done it myself that I can
recall, I'd use two different ModelForm subclasses, probably one
subclassed from the other.
If someone is using the same ModelForm for both a superuser and a
regular user, I think it's pretty reasonable to expect them to realize
that that leads to some potential security issues, and do the
appropriate checks themselves.
IOW, unlike implicit Meta.fields, this doesn't seem to me like a case
where Django's defaults are actively leading them astray.
> Part of the problem is that it is easy to think that if you don't have
> the fields in the HTML form, then the user can't edit the fields.
Yes, this is really at the root of the whole issue. I don't see a good
way to address it directly - but we can address it indirectly by
ensuring developers have to think explicitly about which fields their
ModelForm is going to allow through.
Carl
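The pattern Carl recommends, two ModelForm subclasses chosen by the user's role, as an added stand-alone illustration that is not part of the thread or of Django: `ModelFormLike`, `FakeModel`, `ArticleForm` and `handle_post` are constructed stand-ins that imitate how a ModelForm only binds the fields it declares, so the reader can see why a field left out of the HTML is still accepted unless the form itself excludes it.

```python
# Added example (not Django, not code from the thread): a minimal imitation of
# ModelForm binding. The form's declared field tuple is the whitelist; what the
# template rendered plays no part in what gets saved.

class FakeModel:
    """Constructed stand-in for a model instance with two fields."""
    def __init__(self):
        self.title = ""
        self.is_published = False


class ModelFormLike:
    """Copies posted values onto the instance only for declared fields."""
    fields = ()  # stands in for Meta.fields on a real ModelForm

    def __init__(self, data, instance):
        self.data = data
        self.instance = instance
        self.cleaned_data = {}

    def is_valid(self):
        # Anything in POST that the form does not declare is silently dropped.
        self.cleaned_data = {name: self.data[name]
                             for name in self.fields if name in self.data}
        return True

    def save(self):
        for name, value in self.cleaned_data.items():
            setattr(self.instance, name, value)
        return self.instance


class ArticleForm(ModelFormLike):
    fields = ("title",)  # what regular users may edit


class SuperuserArticleForm(ArticleForm):
    fields = ArticleForm.fields + ("is_published",)  # widened for superusers


def handle_post(post_data, user_is_superuser):
    """Simulated view: the form class, not the template, decides the role."""
    form_class = SuperuserArticleForm if user_is_superuser else ArticleForm
    form = form_class(post_data, FakeModel())
    if not form.is_valid():
        raise ValueError("invalid form")
    return form.save()


# Constructed request: the regular-user template rendered only "title", but the
# client added is_published by hand, which only the superuser form will bind.
TAMPERED_POST = {"title": "hello", "is_published": True}
```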