Code


Version 3 (modified by L.Plant.98@…, 9 years ago) (diff)

security related improvement

CookBook - Manipulator With Hidden Fields

Description

I needed to present a form to allow a user to create a new object. However, some fields in the object were already known by the system (such as the user who was adding the object). Rather than presenting these fields to the user, I created a custom manipulator that allowed me to hide them. The example will be a user creating a new message.

Code

Here's a simple Message model as an example:

class Message(meta.Model):
    title = meta.CharField(maxlength=255)
    body = meta.TextField()
    postDate = meta.DateTimeField(auto_now_add=True)
    user = meta.ForeignKey(auth.User)

Here's the custom manipulator that allows us to hide the user and project fields. It inherits from the model's pre-made AddManipulator, the iterates over the fields replacing some of them with a formfields.HiddenField

class MessageManipulator(messages.AddManipulator):
    def __init__(self):
        # Set everything up initially using the built in manipulator
        messages.AddManipulator.__init__(self)
        newFields = []
        # Iterate over all the fields looking for the ones I want to hide,
        # and replacing them with HiddenFields
        for field in self.fields:
            if field.field_name in ('user',):
                field = formfields.HiddenField(field.field_name,
                                               field.is_required,
                                               field.validator_list)
            newFields.append(field)
        self.fields = newFields

Here's the view code:

def addMessage(request):
    manipulator = MessageManipulator()
    if request.POST:
        newData = request.POST.copy()
        errors = manipulator.get_validation_errors(newData)
        if not errors:
            manipulator.do_html2python(newData)
            newMessage = manipulator.save(newData)
            return HttpResponseRedirect(newMessage.get_absolute_url())
    else:
        errors = {}
        # Add the the data that you already know and don't want to burden
        # the user with here.
        newData = {'user': request.user.id,}
    form = formfields.FormWrapper(manipulator, newData, errors)
    t = template_loader.get_template('addMessage')
    c = Context(request, {'form': form,})
    return HttpResponse(t.render(c))

Here's part of the template code. {{ form.user_id }} places the hidden field in the form. It will be populated with the correct data because we set that in newData above. Title and Body are other fields defined in the Message model. messages.AddManipulator took care of populating those correctly.

<form method="post" action=".">
{{ form.user }}
<p>
    <label for="id_title">Title:</label> {{ form.title }}
    {% if form.title.errors %}*** {{ form.title.errors|join:", " }}{% endif %}
</p>
<p>
    <label for="id_body">Body:</label> {{ form.body }}
    {% if form.body.errors %}*** {{ form.body.errors|join:", " }}{% endif %}
</p>

And the HTML generated from this template:

<form method="post" action=".">
<input type="hidden" id="id_user" name="user" value="2" />
<p>
    <label for="id_title">Title:</label> <input type="text" id="id_title"
class="vTextField required" name="title" size="30" value="" maxlength="255" />
</p>
<p>
    <label for="id_body">Body:</label> <textarea id="id_body"
class="vLargeTextField required" name="body" rows="10" cols="40"></textarea>
</p>

Enjoy!

This is totally insecure, n'est-ce pas? A user can fiddle with hidden form fields - in fact, if you get the developer extensions for Mozilla Firefox, it's very easy to do. In this case you could then spoof the user doing the post. A better solution would be as above, but instead of pre-populating data into newData, you override the manipulator constructor to allow it to take parameters which you want to fix (such as the user), which it stores for later use. Then you override its save() method, which enforces those stored values (e.g. by changing the copy of the posted back data) and then calls the base save() method. (I haven't tried this, but I can't see a problem)