Changes between Initial Version and Version 1 of Ticket #20084, comment 4
Timestamp: Mar 19, 2013, 6:48:35 PM (12 years ago)
Ticket #20084, comment 4
| initial | v1 | Text |
|---|---|---|
| 2 | 2 | > It looks like not only is max_num not trustworthy, but it's also not checked during form validation/cleaning at all. Nor is the default maximum of 1000. It only affects the output of the form and not the response. So, step one is to implement checking of max_num (as opposed to just total) and then to sign it so it's also trustworthy. |
| 3 | 3 | |
| 4 | | To be clear, ``max_num`` is not checked during form validation/cleaning, but ``absolute_max`` (which is the higher value of 1000 or ``max_num``) is an absolute maximum for the number of forms created, during either form display or validation (see ``_construct_forms``). |
| | 4 | To be clear, `max_num` is not checked during form validation/cleaning, but `absolute_max` (which is the higher value of 1000 or `max_num`) is an absolute maximum for the number of forms created, during either form display or validation (see `_construct_forms`). |
| 5 | 5 | |
| 6 | | This doesn't change the conclusion, though - this ticket does require both signing ``max_num`` so it can be trusted, and checking it during validation. |
| | 6 | This doesn't change the conclusion, though - this ticket does require both signing `max_num` so it can be trusted, and checking it during validation. |
| 7 | 7 | |
| 8 | | IIRC from when I looked into this earlier, there's currently some odd inconsistency in behavior between ``BaseModelFormSet`` and ``BaseFormSet`` in terms of how ``max_num`` is handled, which hopefully can be resolved by the fix for this ticket. |
| | 8 | IIRC from when I looked into this earlier, there's currently some odd inconsistency in behavior between `BaseModelFormSet` and `BaseFormSet` in terms of how `max_num` is handled, which hopefully can be resolved by the fix for this ticket. |