On Tuesday, October 30, 2012 7:09:05 AM UTC-7, JirkaV wrote:

> On the UI side, you can set the "readonly" property on form fields. 
> This will prevent the field from being edited in a browser (I think so 
> - done that only once on a small internal project). 
>

Thanks -- I probably should have elaborated a bit more to say what I'm 
looking for (that may not exist) is a way of not having to do a user check 
on every single field and set the readonly flag individually, particularly 
since (at least based on my knowledge thus far) that gets messy given that 
we're using ModelForm and trying to render the fields with a simple 
template tag as much as possible. I haven't looked into whether or not that 
could be conditionally added as an attribute in the ModelForm, but that was 
another thought that crossed my mind.
 

>
> However, be warned - if *some* of your users can edit and submit the 
> form, you should also introduce server-side check testing if user is 
> allowed to edit fields. Making form fields read only won't prevent 
> anyone from actually submitting changed data (as it's just a 
> client-side control which can be easily worked around) 
>

Right, definitely will be doing this as well. Mostly the readonly state on 
the form is a visual/styling thing and also simply so there's no perception 
that people can edit things when they can't. Very good point to bring up 
though, and we'll definitely be checking again on the server side since as 
others have pointed out people can manipulate the DOM if they really want 
to wreak havoc. Thankfully this is an internal app which mitigates some of 
the danger, and certainly if this was a public app I would have fought a 
lot harder to not have a non-editable form be the way people view records.

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-users/-/KicUDqaZrwYJ.
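
The server-side check discussed in this thread, as an added example that is not part of the original messages: one per-role allow-list decides both which fields are rendered read-only and which submitted values are accepted, so no per-field user check is needed. It is framework-independent Python; the role names, field names and sample record are constructed assumptions.

```python
# Added example: one allow-list drives both the read-only rendering and the
# server-side enforcement. Roles, fields and values below are constructed.

EDITABLE_FIELDS = {
    "editor": {"title", "notes", "status"},
    "support": {"notes"},
    "viewer": set(),  # can view the form, may change nothing
}


def readonly_fields(role, form_fields):
    """Fields to render read-only for this role (cosmetic, client-side only)."""
    allowed = EDITABLE_FIELDS.get(role, set())  # unknown role: nothing editable
    return [name for name in form_fields if name not in allowed]


def apply_submission(role, stored, submitted):
    """Apply a submitted form to a stored record on the server.

    Returns (updated_record, rejected). `rejected` holds every submitted
    value that was refused, which is worth logging: it means the request
    did not come from the form as rendered.
    """
    allowed = EDITABLE_FIELDS.get(role, set())
    updated = dict(stored)
    rejected = {}
    for name, value in submitted.items():
        if name not in stored:
            rejected[name] = value   # field the form never had: never mass-assign
        elif name in allowed:
            updated[name] = value    # permitted edit
        elif value != stored[name]:
            rejected[name] = value   # read-only field changed in the request
        # A read-only input echoing the stored value is normal: browsers
        # still submit inputs marked readonly.
    return updated, rejected


if __name__ == "__main__":
    stored = {"title": "Q3 report", "notes": "", "status": "open"}
    # Constructed request: a "support" user altered the DOM to change
    # `status` and added an extra `is_admin` field.
    submitted = {"title": "Q3 report", "notes": "called customer",
                 "status": "closed", "is_admin": "1"}
    print(readonly_fields("support", stored))
    print(apply_submission("support", stored, submitted))
```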