On 02/19/2015 04:03 PM, Chen Xu wrote:
> What if I have two addresses, with ids 1 and 2, and I want to update 2? How
> should I distinguish 2 from 1? I mean, if I have addressid in the form,
> and someone modifies it from 2 to 1, that will update 1, right? How to
> prevent this?

Your server-side code must handle all security-related validation, and
must assume that no data sent from the client can be trusted. So in this
case you describe, your server-side code must have some way to know
which address(es) the currently logged-in user has the authority to edit.

Usually in this type of case I would make the address ID being edited a
part of the URL, not a form parameter (because it's used to query the
instance being edited by the ModelForm), and I would perform the access
check at the very top of the view function, often returning a 404 if the
user should not have access to that address.

If for some reason the address ID must be in the form rather than a URL
parameter, you could pass `request.user` to the form and have the form
validation check that that user is permitted to edit the given address ID.

Carl

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/54E66EC8.70808%40oddbird.net.
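As an added illustration of the two approaches Carl describes (this is example code written here, not from the thread and not Django's own code): the view, the form and the ORM lookup are replaced by plain-Python stand-ins so the example runs without Django installed. The `Address` record, its `owner` field, the `NotFound` exception, the `make_store` sample data and the handler names are all constructed for this example; in a real project the lookup would be `get_object_or_404(Address, pk=address_id, owner=request.user)` at the top of the view, and the form variant would be a `ModelForm` whose `clean_address_id` method checks the user passed in from the view.

```python
"""Ownership check for an "edit address" handler (plain-Python stand-ins).

The client-supplied address id is never trusted on its own: every lookup
is scoped to the logged-in user, so an id belonging to someone else
behaves exactly like an id that does not exist.
"""
from dataclasses import dataclass


@dataclass
class Address:
    id: int
    owner: str      # username of the owning user (stand-in for a ForeignKey)
    street: str


class NotFound(Exception):
    """Stand-in for Django's Http404."""


def make_store():
    """Constructed sample data: alice owns address 1, bob owns address 2."""
    return {
        1: Address(1, "alice", "1 Alice Lane"),
        2: Address(2, "bob", "2 Bob Road"),
    }


def get_address_or_404(store, address_id, user):
    """Stand-in for get_object_or_404(Address, pk=address_id, owner=user).

    Filtering on the owner as well as the pk means a foreign id simply
    does not exist from this user's point of view, so the caller gets a
    404 rather than a hint that the record belongs to someone else.
    """
    addr = store.get(address_id)
    if addr is None or addr.owner != user:
        raise NotFound(f"address {address_id} not found for {user}")
    return addr


def edit_address_vulnerable(store, user, form_data):
    """'Before' version: trusts address_id from the form and updates blindly."""
    addr = store[int(form_data["address_id"])]
    addr.street = form_data["street"]
    return addr


def edit_address_url_param(store, user, address_id, form_data):
    """Hardened variant 1: id comes from the URL, access check at the top."""
    addr = get_address_or_404(store, address_id, user)
    addr.street = form_data["street"]
    return addr


class AddressForm:
    """Hardened variant 2: id stays in the form; the view passes request.user.

    Mirrors a ModelForm with a clean_address_id() method that validates
    ownership before the view touches the record.
    """

    def __init__(self, store, data, user):
        self.store = store
        self.data = data
        self.user = user
        self.errors = {}
        self.cleaned_data = {}

    def clean_address_id(self):
        try:
            address_id = int(self.data["address_id"])
        except (KeyError, ValueError):
            raise ValueError("address_id missing or not an integer")
        try:
            get_address_or_404(self.store, address_id, self.user)
        except NotFound:
            raise ValueError("you may not edit this address")
        return address_id

    def is_valid(self):
        try:
            self.cleaned_data["address_id"] = self.clean_address_id()
        except ValueError as exc:
            self.errors["address_id"] = str(exc)
            return False
        self.cleaned_data["street"] = self.data.get("street", "")
        return True


def edit_address_form_param(store, user, form_data):
    """View for variant 2: returns (address, errors)."""
    form = AddressForm(store, form_data, user)
    if not form.is_valid():
        return None, form.errors
    addr = store[form.cleaned_data["address_id"]]
    addr.street = form.cleaned_data["street"]
    return addr, {}
```

With the id in the URL the check is one line at the top of the view and there is no separate form field to validate; with the id in the form the validation lives in `clean_address_id`, and the view still uses `cleaned_data` rather than the raw POST value afterwards.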