By default, the formname for an update form includes the record ID, which 
yields a unique formname for each record. The formname is the key used to 
store the CSRF token in the session, so if you create a form with one name 
but submit a form with a different name, the CSRF tokens won't match.

The question is, what are you trying to do? What should the user experience 
look like on the page? Do you have a list of records and then a single 
update form? If so, how does a user update a specific record -- do they 
click on a button and then JavaScript copies the record values into the 
form (including copying the record ID into the hidden "id" field)? In that 
case, you could do something like this:

    form = SQLFORM(db.mytable, showid=False,
                   record=request.post_vars.id,
                   hidden=dict(id=0)).process(formname='update_form')

The above will load an empty form on the page with a hidden "id" field 
(with the value initialized to 0, though that is arbitrary). Assuming you use 
JavaScript to populate the form fields and set the "id" field to the 
appropriate value, upon submission, this should update the record with the 
submitted "id". Because the formname is a fixed string and does not change 
depending on the record ID, the CSRF token will match regardless of which 
record is submitted.

Note, the above will allow the user to submit an update for any record ID 
(not just those shown on the page). To guard against that, you will need to 
add some code to confirm the update of the particular record is allowed.

As an alternative, you might consider loading an update form via Ajax 
(using a web2py Ajax component). Then you can just use a standard update 
form.

Anthony
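
An added example, not part of the original message and not web2py's own code: a simplified model of the session-keyed token check described above, together with the per-record authorization check that a fixed formname makes necessary. The `RECORDS` store, the owner rule and all function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data standing in for db.mytable (record id -> row).
RECORDS = {1: {"owner": "alice", "name": "a"}, 2: {"owner": "bob", "name": "b"}}

def render_form(session, formname):
    """Issue a one-time token and store it in the session under the formname."""
    token = secrets.token_hex(16)
    session.setdefault("_formkey[%s]" % formname, []).append(token)
    return {"_formname": formname, "_formkey": token}

def token_ok(session, post):
    """True only if the token was issued for the submitted formname; consumes it."""
    issued = session.get("_formkey[%s]" % post.get("_formname"), [])
    for token in issued:
        if hmac.compare_digest(token, str(post.get("_formkey", ""))):
            issued.remove(token)
            return True
    return False

def process_update(session, user, post):
    """Handle a post to the update form and return a status string."""
    if not token_ok(session, post):
        return "csrf_mismatch"
    try:
        record_id = int(post.get("id"))
    except (TypeError, ValueError):
        return "bad_id"
    record = RECORDS.get(record_id)
    # Assumed rule: only the owner may update. The token proves the form came
    # from this session, not that this user may touch this record id.
    if record is None or record["owner"] != user:
        return "forbidden"
    record["name"] = post.get("name", record["name"])
    return "updated"

if __name__ == "__main__":
    session = {}
    # Per-record formname: rendered for record 1, submitted as record 2.
    post = dict(render_form(session, "mytable/1"), id="2", name="x")
    post["_formname"] = "mytable/2"
    print(process_update(session, "alice", post))   # token lookup fails
    # Fixed formname: token matches for any id, so ownership must be checked.
    post = dict(render_form(session, "update_form"), id="2", name="x")
    print(process_update(session, "alice", post))
```
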

On Tuesday, September 15, 2015 at 7:47:15 PM UTC-4, Alfonso Serra wrote:
>
> It looks like what I was missing is that the SQLFORM will perform an 
> insert or update depending on *its form name*; it won't matter if I 
> explicitly set a record id before it's processed. 
>
> If the submitted form name is mytable/create it will perform an insert, 
> but I was passing an id that existed with the hope that it was smart enough 
> to know I wanted an update.
>
> The problem with this is to render a writable table, each row needs a form 
> with a name like "mytable/record_id" to perform updates. And at the 
> controller create as many forms as rows in the table to process only the 
> one it was submitted. This isn't optimal when you only want to process a 
> single post. So what's left would be to trick sqlform name before it's 
> processed. I'll keep reading the book but this looks like a really odd way 
> to distinguish between inserts and multiple updates.
