On 14 kesä, 03:12, Doug Blank <[email protected]> wrote: > I, too, was thinking about this kind of solution. In fact, it came up > for me the other day because I had forgotten to exclude a field that I > did not have on the form, and so the value ended up getting wiped out > when I saved. So, perhaps a solution that prevented others from adding > fields could also be a solution that checked to make sure that the > form was editing all fields it should be.
I hadn't realized all fields present on the Python form but not in the HTML form will get overwritten to NULL... The above makes me a tad more "-" on the require fields always proposal. The problem is there only for forms used for model creation. If you use the form both for update and creation, you will soon enough see that something funny is going on as part of your fields are getting set to NULL on form.save(). So, to hit the problem the user would need to: 1. Have a ModelForm with no field restrictions in Python. 2. Render only part of the fields. 3. All non-rendered fields must be null/blank=True for the form to work at all. 4. Not use the form in update views. (there are of course corner cases - the model has "deleted" attribute which is usually null - you don't include that in the HTML form - the user can update the delete field and it doesn't show up in testing) This seems to be different from what Rails do: they have update_attributes which updates all model attributes present in the request, but lefts all others untouched. So, in Rails if you render only part of the fields in update view, then you will not get the non- included fields overwritten to NULL, which conveniently hides the problem that the fields are in fact editable through the request. To me it seems there is no similar attack vector against Django's implementation as there were against Rails. I hope my quick investigations are correct - double checking what Rails do and the four conditions above is suggested... - Anssi -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
