Wouldn't this be a *huge* security hole? Sure I can pass the user info in the extra_context, but that means that someone could build a new page (client-side) with any arbitrary value set in that hidden variable.
I just found a question on Stack Overflow (http://stackoverflow.com/questions/639792/setting-object-owner-with-generic-createobject-view-in-django, named "Setting object owner with generic create_object view in django") with exactly my problem. One of the solutions is the one you gave, but I'm pretty sure it's a security hole. Another proposed solution is to use "class-based" generic views, but I couldn't find enough examples to understand how to use them. Any idea?

On May 11, 7:42 pm, George Song <geo...@damacy.net> wrote:
> On 5/11/2009 4:04 AM, Lior wrote:
> >
> > Hello,
> > I'm using generic views to manage a model. In that model, when I
> > create an instance (and not when I update it), I need to set one of
> > its attributes (owner) to the currently logged in user value. I'd like
> > to continue using generic views, so can I do this without creating a
> > view? Is that possible?
> > The only solution, so far, would be to create a new view (and in that
> > view do all that the generic view does, that is testing form fields,
> > etc.), and set my attribute from the request.user variable. But I
> > don't see how to keep the generic view usage in url.py.
> >
> > Any other way?
>
> You can easily use the generic view in your own view. It's a pretty
> common pattern in Django.
>
> In this case, you probably just want to pass the user as an extra context
> variable to be rendered as a hidden for your form.
>
> --
> George
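The concern raised above is correct: a hidden form field is client-controlled input, so an "owner" value carried that way can be rewritten by anyone who can submit the form. The safe pattern is to keep owner out of the user-editable form entirely and assign it on the server from the session-authenticated user after validation. The following is an added example, not code from this thread or from Django itself; it is a framework-free stand-in that mirrors the shape of a ModelForm plus a class-based create view (the classes User, Request, Post, PostForm and BaseCreateView are hypothetical stubs) so the insecure and the hardened view can be run side by side against a tampered request without Django installed.

```python
"""Added example (not from the thread): why a hidden 'owner' field is a
security hole, and the fix of assigning owner server-side from the
authenticated user.  All classes here are hypothetical stand-ins that
mirror a Django-style ModelForm + CreateView; they are not the Django API."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Request:
    user: User                                          # identity from the session
    POST: Dict[str, str] = field(default_factory=dict)  # entirely client-controlled


@dataclass
class Post:
    title: str = ""
    body: str = ""
    owner: Optional[str] = None


class PostForm:
    """Stand-in for a ModelForm declared with fields = ("title", "body").
    'owner' is deliberately absent, so no POST value can reach it via the form."""
    fields = ("title", "body")

    def __init__(self, data: Dict[str, str]):
        self.data = data
        self.instance = Post()
        self.errors: Dict[str, str] = {}

    def is_valid(self) -> bool:
        for name in self.fields:
            value = self.data.get(name, "").strip()
            if not value:
                self.errors[name] = "This field is required."
            else:
                setattr(self.instance, name, value)
        # Extra keys such as 'owner' are ignored, as a ModelForm would ignore them.
        return not self.errors

    def save(self) -> Post:
        return self.instance


class BaseCreateView:
    """Minimal create flow: bind the form, validate, call the hook, save."""
    form_class = PostForm

    def __init__(self, request: Request):
        self.request = request

    def post(self) -> Optional[Post]:
        form = self.form_class(self.request.POST)
        if form.is_valid():
            return self.form_valid(form)
        return None  # a real view would re-render the form with form.errors

    def form_valid(self, form: PostForm) -> Post:
        return form.save()


class InsecureCreateView(BaseCreateView):
    """The hidden-field approach: trusts whatever 'owner' the client posted."""

    def form_valid(self, form: PostForm) -> Post:
        form.instance.owner = self.request.POST.get("owner")
        return super().form_valid(form)


class SecureCreateView(BaseCreateView):
    """The fix: owner comes from the authenticated session, never from POST."""

    def form_valid(self, form: PostForm) -> Post:
        if not self.request.user.is_authenticated:
            raise PermissionError("login required to create a post")
        form.instance.owner = self.request.user.username
        return super().form_valid(form)


def tampered_request() -> Request:
    """Constructed input: 'lior' is logged in but edited the hidden field to 'admin'."""
    return Request(user=User("lior"),
                   POST={"title": "Hi", "body": "text", "owner": "admin"})


def demo():
    """Run the same tampered request through both views and return the owners."""
    req = tampered_request()
    return (InsecureCreateView(req).post().owner,
            SecureCreateView(req).post().owner)


if __name__ == "__main__":
    print(demo())  # the insecure view records 'admin', the secure one 'lior'
```

In Django proper the same structure exists from version 1.3 onward: a ModelForm whose `fields` omits `owner`, and a class-based `CreateView` whose `form_valid(self, form)` override sets `form.instance.owner = self.request.user` before calling `super().form_valid(form)`, with `login_required` (or `LoginRequiredMixin` in later releases) guarding the view. The essential point is the same in any framework: anything that must not be user-editable is never read from the request body, only from the server-side identity.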