This is a major security hole. Just because a field is hidden doesn't
mean it cannot be changed. Use the request.user object for
authentication purposes. The authentication docs should give you an idea
what to do.


cyberco wrote:
> Max, I'm not sure I fully understand your reply. Currently I got things
> working by passing the user object to the template and returning its
> attribute values:
>
> ================
> <input type="hidden" name="is_superuser" id="id_is_superuser"
> value="{{user.is_superuser}}" />
> ================
>
> Is this a security hole?


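The difference between the two approaches discussed in this thread, as an added example that is not part of either poster's message. `User` and `Request` are plain-Python stand-ins for the authenticated user and for Django's request object (assumptions, so the block runs without Django), and the two view function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Stand-in for the user the server resolves from the session."""
    username: str
    is_superuser: bool = False


@dataclass
class Request:
    """Stand-in for a request: .user is set server-side, .POST by the client."""
    user: User
    POST: dict = field(default_factory=dict)


def admin_action_trusting_form(request):
    """Pattern from the quoted message: privilege is read back from the hidden field."""
    # Every POST value is client-controlled, whether or not the input was hidden.
    if request.POST.get("is_superuser") == "True":
        return 200
    return 403


def admin_action_trusting_session(request):
    """Pattern from the reply: privilege is read from request.user only."""
    # The submitted is_superuser value is never consulted.
    if request.user.is_superuser:
        return 200
    return 403


def demo():
    alice = User("alice", is_superuser=False)
    # Constructed request: the template rendered value="False" for alice,
    # but the submitted form carries a different value.
    tampered = Request(user=alice, POST={"is_superuser": "True"})
    return (admin_action_trusting_form(tampered),
            admin_action_trusting_session(tampered))


if __name__ == "__main__":
    print(demo())
```
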