This is what you'd do if you wanted to set is_superuser for a
manipulator and not use the 'hidden input' idea.
Let's take your view from the point where you check if the form has been
posted:
    manipulator = users.ChangeManipulator(user_id)  # Get the manipulator for a user
    if request.POST:
        new_data = request.POST.copy()  # Get the data from the POST dict
        # At this point you can set the is_superuser value in new_data
        new_data['is_superuser'] = user.is_superuser  # Preserve the user's is_superuser
        errors = manipulator.get_validation_errors(new_data)
        ... etc ...
---
Now, that's a simple example, but you can set is_superuser to whatever
you want. I just set it to the user object's current value so that it
stays the same when the manipulator saves the object.
---
Take note that, since is_superuser is not a required field, iirc,
you don't have to set it in new_data if your intent is to leave the value
the same.
---
As a security side note (this is for everyone in the group and I'm just
thinking out loud): what if you have this code?
    if request.POST:
        new_data = request.POST.copy()
        errors = manipulator.get_validation_errors(new_data)
        if not errors:
            manipulator.do_html2python(new_data)
            manipulator.save(new_data)
Let's say you just have a form that sets the name of the user:
    new_data = {'firstname': 'Eric', 'lastname': 'Moritz'}
If someone crafts a malicious form that has three fields, 'firstname',
'lastname', and 'is_superuser', where is_superuser is set to 'on', will
the manipulator ignorantly set the is_superuser field in the user
object?
You received this message because you are subscribed to the Google Groups
"Django users" group.
For more options, visit this group at
http://groups.google.com/group/django-users
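The risk raised in the last paragraph of the post, the client adding a field the form never rendered, is what is now usually called mass assignment. The following is an added example, not code from the post or from Django: it models the two merge strategies in plain Python, with a dict standing in for request.POST and another for the stored user record, so it runs without any manipulator API. Independent of how the old manipulator handled extra keys, an allow-list of the form's own fields plus re-applying protected values from the stored object removes the question; the function and field names are this example's own.

```python
# Added example (not from the original post): a plain-Python model of the
# mass-assignment risk discussed above. Dicts stand in for request.POST and
# for the user record; no Django manipulator is involved.

# Constructed sample: the stored user record the name form is meant to edit.
CURRENT_USER = {"firstname": "Jane", "lastname": "Doe", "is_superuser": False}

# Fields the name-editing form is allowed to change (hypothetical form).
FORM_FIELDS = ("firstname", "lastname")

# Fields only server-side code may change, never the posted data.
PROTECTED_FIELDS = ("is_superuser",)


def naive_merge(user, posted):
    """The pattern from the post: every posted key is copied into new_data.

    Whatever the client adds to the form, including is_superuser, is carried
    straight through to the data that would be saved.
    """
    new_data = dict(user)
    new_data.update(posted)
    return new_data


def safe_merge(user, posted, allowed=FORM_FIELDS, protected=PROTECTED_FIELDS):
    """Allow-list merge: copy only the fields the form owns, then re-apply
    protected values from the stored object regardless of what was posted.
    """
    new_data = dict(user)
    for field in allowed:
        if field in posted:
            new_data[field] = posted[field]
    for field in protected:
        # Same idea as the post's new_data['is_superuser'] = user.is_superuser,
        # but applied to every protected field and after the allow-list copy.
        new_data[field] = user[field]
    return new_data


def unexpected_fields(posted, allowed=FORM_FIELDS):
    """Posted names the form never rendered; a browser submitting the real
    form would not send them, so their presence is worth logging.
    """
    return sorted(set(posted) - set(allowed))


# Constructed sample: a submission carrying a field the form never rendered.
TAMPERED_POST = {"firstname": "Eric", "lastname": "Moritz", "is_superuser": "on"}

if __name__ == "__main__":
    print("naive merge:      ", naive_merge(CURRENT_USER, TAMPERED_POST))
    print("allow-list merge: ", safe_merge(CURRENT_USER, TAMPERED_POST))
    print("unexpected fields:", unexpected_fields(TAMPERED_POST))
```

Running it shows the naive merge carrying `is_superuser: 'on'` into the data to be saved, while the allow-list merge keeps the stored `False` and still applies the two name fields; `unexpected_fields` gives the detection hook, since a field outside the form's own list is a signal worth recording before the request is rejected.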