Hi! Thank you very much for this answer, but that's not what I'm talking about. I know that you must include the management form in the template, that's not the problem.
I worry about a malicious user (i.e., a hacker) who would purposely tamper with the management form in order to raise an exception on the server. For example, he could write a loop that calls "curl -X POST" repeatedly, which would flood the admins with "Internal Server Error" emails. This is possible because BaseFormSet.is_valid() raises an exception when it should return False like a regular form.

Best Regards,
Benoit

On Fri, Nov 1, 2019 at 12:49 PM Nijo Joseph <nijojose...@gmail.com> wrote:
> Hi,
> In case of <form method="post">
>
> <table>
> {{ formset }}
> </table></form>
>
> no probs. But in case of
>
> <form method="post"> {{ formset.management_form }}
> <table>
> {% for form in formset %}
> {{ form }}
> {% endfor %}
> </table></form>
>
> {{ formset.management_form }} is required and of course {% csrf_token %}. Ref
> https://docs.djangoproject.com/en/2.2/topics/forms/formsets/
>
> On Tuesday, October 29, 2019 at 5:41:16 PM UTC+5:30, Benoit Blanchon wrote:
>>
>> Hi,
>>
>> From what I understand, Form.is_valid() must return False when the form
>> is invalid or incomplete.
>>
>> BaseFormSet, however, raises a ValidationError with the message
>> "ManagementForm data is missing or has been tampered with," when the
>> management form has been tampered with.
>>
>> I think this is incorrect: BaseFormSet.is_valid() should catch this
>> exception and return False; otherwise, it allows a malicious user to cause
>> an error 500 by tampering with the management form.
>>
>> Best regards,
>> Benoit Blanchon
>> (Django version: 2.2.6)
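The behaviour Benoit wants from the formset, as an added illustration written for this thread (it is not Django's code and not from either poster): treat the management form fields as untrusted client input, so that a missing, non-numeric or absurd count becomes an ordinary validation failure answered with HTTP 400 rather than an unhandled exception that produces a 500 and an error e-mail. The field names match the ones Django's ManagementForm posts under the default "form" prefix; the `max_num` limit, the view stand-in and the sample requests are constructed for this example.

```python
# Added illustration, not Django's own code: validate a formset's management
# form as untrusted client input, so that a tampered or missing management
# form yields an ordinary validation failure (HTTP 400) instead of an
# unhandled exception (HTTP 500) that pages the admins.
# The field names match those Django's ManagementForm posts with the default
# "form" prefix; the limit and the view stand-in are constructed for this example.

REQUIRED_FIELDS = ("TOTAL_FORMS", "INITIAL_FORMS")


def validate_management_form(post, prefix="form", max_num=1000):
    """Return (ok, errors). Never raises on client data; max_num is server-side."""
    errors, counts = [], {}
    for name in REQUIRED_FIELDS:
        key = f"{prefix}-{name}"
        raw = post.get(key)
        if not raw:
            errors.append(f"{key} is missing")
            continue
        try:
            counts[name] = int(raw)
        except (TypeError, ValueError):
            errors.append(f"{key} is not an integer: {raw!r}")
    if errors:
        return False, errors
    total, initial = counts["TOTAL_FORMS"], counts["INITIAL_FORMS"]
    if total < 0 or initial < 0:
        errors.append("form counts must not be negative")
    elif initial > total:
        errors.append("INITIAL_FORMS exceeds TOTAL_FORMS")
    # Bound the number of forms the server will instantiate; otherwise one
    # request can make it build an arbitrarily large formset.
    if total > max_num:
        errors.append(f"TOTAL_FORMS={total} exceeds the server limit of {max_num}")
    return not errors, errors


def handle_formset_post(post):
    """Minimal view stand-in: turn the validation outcome into an HTTP status."""
    ok, errors = validate_management_form(post)
    if not ok:
        # A client error: answer 400 and log it; no 500, no admin e-mail.
        return 400, {"management_form": errors}
    return 200, {}


# Constructed requests: one well-formed, two tampered as a curl loop might send.
GOOD = {"form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "0"}
NOT_INT = {"form-TOTAL_FORMS": "abc", "form-INITIAL_FORMS": "0"}
HUGE = {"form-TOTAL_FORMS": "10000000", "form-INITIAL_FORMS": "0"}
```

Counting rejected requests per client in the logs then gives a detection signal for the curl loop described above, without any of them reaching the error-mail path.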