Changes between Initial Version and Version 1 of CookBookManipulatorWithPostpopulatedFields


Timestamp:
Sep 16, 2005, 4:55:29 PM
Author:
hugo <gb@…>
Comment:

first take at a skeleton for an update view with only a subset of fields

  • CookBookManipulatorWithPostpopulatedFields

If your template should only edit part of an object, because some fields are not to be changed by the user, you can use the following view function as a template. It fills in the fields that are left out of the template and the form with their known values from the stored object. In particular, it overwrites those fields in new_data with the known values, so users cannot fake a POST request to populate the left-out fields.

The code is stolen from my gallery project. There a picturefolder has a path and a slug that point into the filesystem, and a user_id that denotes the owner (actually a ForeignKey to the auth.users model). Users must never be able to change the owner or the filesystem path, otherwise they might be able to fetch files from security-relevant parts of the filesystem. The following code prevents changes to those fields by overwriting them in the POST data with the values from the original object, so even a forged POST request cannot reach those attributes.
{{{
#!python
# Import paths for the pre-0.90 Django API this snippet was written against.
# The original listing carried no imports, so these are assumed; the model
# module in particular depends on your own app name.
from django.core import formfields, template_loader
from django.core.exceptions import Http404
from django.core.extensions import DjangoContext as Context
from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect
from django.models.gallery import picturefolders

def update_folder(request, folder):
  # This just resolves an object from its slug. You will most definitely
  # need to change this to your own model.
  try:
    f = picturefolders.get_object(slug__exact=folder)
  except picturefolders.PicturefolderDoesNotExist:
    raise Http404

  # Now just fetch a standard change manipulator for that object.
  manipulator = picturefolders.ChangeManipulator(f.id)

  if request.POST:
    new_data = request.POST.copy()

    # Fill in the security-relevant fields from the fetched object, so that
    # whatever the user put into the POST data for them is discarded.
    # Turn the values into strings, as that is what the later
    # do_html2python call expects.
    new_data['path'] = f.path
    new_data['slug'] = f.slug
    new_data['user'] = str(f.user_id)

    # The rest is standard, as we now have a fully populated POST data dict.
    errors = manipulator.get_validation_errors(new_data)
    if not errors:
      manipulator.do_html2python(new_data)
      manipulator.save(new_data)
      return HttpResponseRedirect(request.path)
    # On validation errors fall through and redisplay the form with the
    # (already overwritten) new_data and the error messages.
  else:
    # Plain GET: show the form populated with the object's current values.
    new_data = f.__dict__
    errors = {}

  form = formfields.FormWrapper(manipulator, new_data, errors)
  t = template_loader.get_template('picturefolder_form')
  c = Context(request, {
    'form': form,
    'folder': f,
  })
  return HttpResponse(t.render(c), mimetype='text/html; charset=utf-8')
}}}
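The post-populate step described above, as an added example that is not part of this wiki page or of the author's gallery project: it reduces the pattern to plain dicts so it runs without Django (a dataclass stands in for the picturefolder model, the field names path, slug and user are kept from the page, and the forged POST body is constructed). It also goes one step beyond the page: next to the page's overwrite-the-protected-fields approach it shows the inverse, copying in only an allowlist of editable fields, and why that holds up better once the model grows a field nobody remembered to protect.

```python
from dataclasses import dataclass


@dataclass
class PictureFolder:
    """Stand-in for the page's picturefolder model (constructed for this example)."""
    id: int
    slug: str
    path: str
    user_id: int
    title: str = ""
    description: str = ""


# Fields the user must never control: they point into the filesystem and name the owner.
PROTECTED = ("path", "slug", "user")
# The inverse view of the same policy: the only fields the form may change.
EDITABLE = ("title", "description")


def known_values(folder):
    """Protected fields as form-style strings, taken from the stored object.
    Strings, because a manipulator's html2python step expects form input."""
    return {"path": folder.path, "slug": folder.slug, "user": str(folder.user_id)}


def postpopulate(post, folder):
    """The page's approach: copy the submitted data, then overwrite every
    protected key with the stored value, so a forged request cannot set it."""
    new_data = dict(post)
    new_data.update(known_values(folder))
    return new_data


def allowlist(post, folder):
    """Stricter variant: start from the stored values and copy in only the
    editable keys. Any other submitted key is dropped, including fields added
    to the model later that were never put on the protected list."""
    new_data = known_values(folder)
    for key in EDITABLE:
        if key in post:
            new_data[key] = post[key]
    return new_data


def tampered_fields(new_data, folder):
    """Protected fields whose value in new_data differs from the stored object."""
    expected = known_values(folder)
    return sorted(k for k in PROTECTED if new_data.get(k) != expected[k])


# Constructed sample data: a stored folder and a forged POST body that tries to
# re-point the folder at /etc, change its slug, hand it to user 1, and set a
# field ("is_public") that is on neither list.
FOLDER = PictureFolder(id=7, slug="holiday", path="/srv/gallery/holiday", user_id=42)
FORGED_POST = {
    "title": "Holiday",
    "description": "beach pictures",
    "path": "/etc",
    "slug": "../../etc",
    "user": "1",
    "is_public": "1",
}


def demo():
    """Run both strategies over the forged request and report what got through."""
    overwritten = postpopulate(FORGED_POST, FOLDER)
    allowed = allowlist(FORGED_POST, FOLDER)
    return {
        "raw_tampered": tampered_fields(FORGED_POST, FOLDER),
        "overwrite_tampered": tampered_fields(overwritten, FOLDER),
        "allowlist_tampered": tampered_fields(allowed, FOLDER),
        "overwrite_passes_unknown_field": "is_public" in overwritten,
        "allowlist_passes_unknown_field": "is_public" in allowed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both strategies neutralise the forged path, slug and user values. The difference shows on the extra is_public key: overwriting protected fields only protects what is on the list, so a new sensitive column silently becomes user-writable until someone adds it there, whereas starting from the stored object and copying in an allowlist of editable fields fails closed.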