Django

Ticket #6967 (closed: fixed)

Opened 8 months ago

Last modified 3 months ago

ModelForms doesn't validate CHOICES

Reported by: johannes.spielmann@student.uni-tuebingen.de
Assigned to: jacob
Milestone: 1.0
Component: Forms
Version: SVN
Keywords:
Cc: simon@simonwillison.net, carl@dirtcircle.com, ville@unessa.net, pat.j.anderson@gmail.com, web@vtk.ugent.be
Triage Stage: Accepted
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

A ModelForm with a CharField, that has CHOICES set, presents to the user only the specified CHOICES. But it does not _validate_ against the CHOICES, which allows a crafted response to write arbitrary values to the field.

Attachments

choices-fix.patch (0.6 kB) - added by Simon Willison on 04/07/08 08:28:09.
6967-tests.diff (1.4 kB) - added by mattmcc on 08/31/08 06:59:55.
Some tests for choices on CharField and IntegerField.
6967-r8772-tests.diff (0.6 kB) - added by mattmcc on 08/31/08 20:59:10.
New failing test

Change History

04/07/08 08:28:09 changed by Simon Willison

  • attachment choices-fix.patch added.

04/07/08 08:28:32 changed by Simon Willison

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.

Attached patch appears to fix this, but needs tests.

04/09/08 03:45:21 changed by anonymous

  • cc set to simon@simonwillison.net.

06/11/08 02:52:03 changed by edgarsj

  • stage changed from Unreviewed to Accepted.

08/31/08 05:46:44 changed by mattmcc

  • milestone set to 1.0.

08/31/08 06:59:55 changed by mattmcc

  • attachment 6967-tests.diff added.

Some tests for choices on CharField and IntegerField.

08/31/08 13:27:55 changed by jacob

  • owner changed from nobody to jacob.
  • status changed from new to assigned.

08/31/08 15:10:53 changed by jacob

(In [8771]) Added a TypedChoiceField which acts just like ChoiceField, except that it returns a value coerced by some provided function. Refs #6967.

08/31/08 15:11:13 changed by jacob

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [8772]) Fixed #6967: ModelForms now validate choices. Thanks, mattmcc -- the failing test helped quite a bit.

08/31/08 20:58:38 changed by mattmcc

  • status changed from closed to reopened.
  • resolution deleted.

The test was insufficient, unfortunately. Field.formfield is going to need to cope with other model field types that set arbitrary arguments in their defaults dict which would make sense for the form field they expect to use, but won't make sense to TypedChoiceField. The only built-in examples of this are PositiveIntegerField and PositiveSmallIntegerField, which pass a min_value argument.

We could pop off min_value as max_length is being popped now, but it's just fixing the symptom. A custom model field could set anything.

08/31/08 20:59:10 changed by mattmcc

  • attachment 6967-r8772-tests.diff added.

New failing test

09/01/08 00:23:56 changed by SmileyChris

I fell across this just now too. For now I just changed my local copy of the pop() line to:

kwargs = kwargs.get('choices_kwargs', {})

Still not the nicest solution, but it isn't as bad as the current one.

09/01/08 02:29:35 changed by akaihola

  • has_patch set to 1.

09/01/08 03:54:53 changed by carljm

  • cc changed from simon@simonwillison.net to simon@simonwillison.net, carl@dirtcircle.com.

09/01/08 04:17:36 changed by ubernostrum

#8744 was a duplicate.

09/01/08 04:45:02 changed by Uninen

  • cc changed from simon@simonwillison.net, carl@dirtcircle.com to simon@simonwillison.net, carl@dirtcircle.com, ville@unessa.net.

09/01/08 12:39:29 changed by anonymous

  • cc changed from simon@simonwillison.net, carl@dirtcircle.com, ville@unessa.net to simon@simonwillison.net, carl@dirtcircle.com, ville@unessa.net, pat.j.anderson@gmail.com.

09/01/08 13:47:24 changed by anonymous

  • cc changed from simon@simonwillison.net, carl@dirtcircle.com, ville@unessa.net, pat.j.anderson@gmail.com to simon@simonwillison.net, carl@dirtcircle.com, ville@unessa.net, pat.j.anderson@gmail.com, web@vtk.ugent.be.

09/01/08 14:10:48 changed by jacob

BTW, in the future please open a new ticket for things of this nature.

09/01/08 14:20:06 changed by jacob

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [8806]) Repaired an oversight from [8772] that made certain types of fields with choices fail. Fixes #6967 again.
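
The gap this ticket describes and the server-side check that closes it, as an added example that is not part of the ticket or Django's code: a pure-Python model in which every class, function and sample value is hypothetical. `SelectOnlyField` stands in for the pre-fix form field, `CheckedChoiceField` for a choice field with a coerce function as described in [8771].

```python
# Added illustration: a pure-Python model of the ticket's bug, not Django source.
# Every class and function name below is hypothetical.

class ValidationError(Exception):
    pass


class SelectOnlyField:
    """Pre-fix behaviour: choices shape the rendered <select>, nothing else."""

    def __init__(self, choices, max_length=None):
        self.choices, self.max_length = choices, max_length

    def clean(self, raw):
        value = "" if raw is None else str(raw)
        if self.max_length is not None and len(value) > self.max_length:
            raise ValidationError("value too long")
        return value  # membership in self.choices is never checked


class CheckedChoiceField:
    """Post-fix behaviour: reject values outside choices, then coerce."""

    def __init__(self, choices, coerce=str):
        self.choices, self.coerce = choices, coerce

    def clean(self, raw):
        allowed = {str(value) for value, _label in self.choices}
        if raw is None or str(raw) not in allowed:
            raise ValidationError("%r is not an available choice" % (raw,))
        return self.coerce(raw)  # e.g. int for an integer column


def submit(field, post, name):
    """Validate one constructed POST value; report what would be stored."""
    try:
        return ("saved", field.clean(post.get(name)))
    except ValidationError as exc:
        return ("rejected", str(exc))


STATUS = [("draft", "Draft"), ("published", "Published")]
PRIORITY = [(1, "Low"), (2, "High")]
CRAFTED_POST = {"status": "archived", "priority": "2"}  # constructed sample

if __name__ == "__main__":
    print(submit(SelectOnlyField(STATUS, max_length=20), CRAFTED_POST, "status"))
    print(submit(CheckedChoiceField(STATUS), CRAFTED_POST, "status"))
    print(submit(CheckedChoiceField(PRIORITY, coerce=int), CRAFTED_POST, "priority"))
```

The first call stores a value that was never offered in the select; the second rejects it, and the third shows a legitimate integer choice arriving as a string and being coerced before storage.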

