All is good.
I just wanted to make sure I was seeing the intended behavior.
On Sep 15, 9:30 am, Massimo Di Pierro <massimo.dipie...@gmail.com>
wrote:
> After reading this again and again... this is the intended behavior.
>
> form = SQLFORM(....,hidden=...) causes the hidden fields to be passed
> with the submission, no more, no less. form.accepts(...) is not
> intended to read the received hidden fields and move them into
> form.vars. The reason is security. hidden fields can be tampered with.
> So you have to do:
>
> form.vars.a = request.vars.a # this will move the hidden field a (if
> exists) into the form
> form = SQLFORM(..., hidden=dict(a='b'))
>
> In the future we may consider having digitally signed hidden fields.
>
> On Aug 30, 12:43 pm, Cliff <cjk...@gmail.com> wrote:
>
>
>
> > Hmmm.
>
> > I'm on 1.98.2.
>
> > This needs more investigation, but I can't do it today.
>
> > On Aug 30, 8:39 am, DenesL <denes1...@yahoo.ca> wrote:
>
> > > SQLFORM with hidden fields works fine in 1.98.2:
>
> > > # model
> > > db.define_table('dog',
> > > Field('name'),
> > > Field('age', 'integer')
> > > )
>
> > > # controller
> > > def newdog():
> > > form = SQLFORM(db.dog, fields=['name'], hidden={'age': 1})
> > > if form.accepts(request, session):
> > > response.flash = 'ok'
> > > elif form.errors:
> > > response.flash = 'not ok'
> > > return dict(form = form)
>
> > > Any new entry in the dog table will have the age field set to 1.
