id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31438	Current user in form.	marc-dms	nobody	"Hi,

Thanks for your contributions. On one hand, the following suggestion from [https://docs.djangoproject.com/en/3.0/topics/class-based-views/generic-editing/] to store the current user in a form **impairs form level validation such as unique-together**.
{{{
form.instance.created_by = self.request.user
}}}

On the other hand, hiding the field and using the following code **exposes the id and opens a backdoor to malicious code that would modify the hidden field**.
{{{
def get_initial(self):
    return {'created_by': self.request.user}
}}}

Could the doc rather suggest a solution that would solve both issues?

Best,

-- M"	Bug	closed	Documentation	3.0	Normal	invalid			Unreviewed	0	0	0	0	0	0
