Opened 4 years ago

Closed 4 years ago

#31438 closed Bug (invalid)

Current user in form.

Reported by: marc-dms Owned by: nobody
Component: Documentation Version: 3.0
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hi,

Thanks for your contributions. On one hand, the following suggestion from https://docs.djangoproject.com/en/3.0/topics/class-based-views/generic-editing/ to store the current user in a form impairs form level validation such as unique-together.

form.instance.created_by = self.request.user

On the other hand hiding the field and using the following code exposes the id and opens a backdoor to malicious code that would modify the hidden field.

def get_initial(self): return { 'created_by': self.request.user }

Could the doc rather suggest a solution that would solve both issues?

Best,

-- M

Change History (1)

comment:1 by Mariusz Felisiak, 4 years ago

Resolution: invalid
Status: new → closed
Summary: Current user in form → Current user in form.

On the other hand hiding the field and using the following code exposes the id and opens a backdoor to malicious code that would modify the hidden field.

def get_initial(self): return { 'created_by': self.request.user }

Could the doc rather suggest a solution that would solve both issues?

I don't see such a recommendation anywhere in the docs. Moreover, you cannot add a hidden field if a user ID is sensitive for you. It's a support question and Trac is not a support channel.

Closing per TicketClosingReasons/UseSupportChannels.
