ModelForms doesn't validate CHOICES

[johannes.spielmann@…]

A ModelForm with a CharField, that has CHOICES set, presents to the user only the specified CHOICES. But it does not _validate_ against the CHOICES, which allows a crafted response to write arbitrary values to the field.

[Simon Willison]

Attached patch appears to fix this, but needs tests.

[Matt McClanahan]

Some tests for choices on CharField and IntegerField.

[Jacob]

(In [8771]) Added a TypedChoiceField which acts just like ChoiceField, except that it
returns a value coerced by some provided function. Refs #6967.

[Jacob]

(In [8772]) Fixed #6967: ModelForms now validate choices. Thanks, mattmcc -- the failing test helped quite a bit.

[Matt McClanahan]

The test was insufficient, unfortunately. Field.formfield is going to need to cope with other model field types that set arbitrary arguments in their defaults dict which would make sense for the form field they expect to use, but won't make sense to TypedChoiceField. The only built-in examples of this are PositiveIntegerField and PositiveSmallIntegerField, which pass a min_value argument.

We could pop off min_value as max_length is being popped now, but it's just fixing the symptom. A custom model field could set anything.

[Matt McClanahan]

New failing test

[Chris Beaven]

I fell across this just now too. For now I just changed my local copy of the pop() line to:

kwargs = kwargs.get('choices_kwargs', {})

Still not the nicest solution, but it isn't as bad as the current one.

[James Bennett]

#8744 was a duplicate.

[Jacob]

BTW, in the future please open a new ticket for things of this nature.

[Jacob]

(In [8806]) Repaired an oversight from [8772] that let made certain types of fields with choices fail. Fixes #6967 again.

[Stavros Korokithakis]

I'm getting this bug as well (running latest trunk as of two minutes ago). Here is my traceback:

Validating models...
Unhandled exception in thread started by <function inner_run at 0x6aef70>
Traceback (most recent call last):
  File "/Library/Python/2.5/site-packages/django/core/management/commands/runserver.py", line 48, in inner_run
    self.validate(display_num_errors=True)
  File "/Library/Python/2.5/site-packages/django/core/management/base.py", line 249, in validate
    num_errors = get_validation_errors(s, app)
  File "/Library/Python/2.5/site-packages/django/core/management/validation.py", line 28, in get_validation_errors
    for (app_name, error) in get_app_errors().items():
  File "/Library/Python/2.5/site-packages/django/db/models/loading.py", line 131, in get_app_errors
    self._populate()
  File "/Library/Python/2.5/site-packages/django/db/models/loading.py", line 58, in _populate
    self.load_app(app_name, True)
  File "/Library/Python/2.5/site-packages/django/db/models/loading.py", line 74, in load_app
    models = import_module('.models', app_name)
  File "/Library/Python/2.5/site-packages/django/utils/importlib.py", line 35, in import_module
    __import__(name)
  File "/Users/stavros/Code/Django/head/main/models.py", line 215, in <module>
    class AdType(models.Model):
  File "/Users/stavros/Code/Django/head/main/models.py", line 221, in AdType
    price = models.DecimalField(_("price"), max_digits=6, decimal_places=2, min_value=0)
  File "/Library/Python/2.5/site-packages/django/db/models/fields/__init__.py", line 589, in __init__
    Field.__init__(self, verbose_name, name, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'min_value'

I'm not sure what this means, but I can't launch my server.

[Stavros Korokithakis]

I'm sorry, disregard my post above. I shouldn't post bug reports while sleepless...

[Jacob]

Milestone 1.0 deleted