Changes between Version 2 and Version 3 of CookBookManipulatorWithPostpopulatedFields


Timestamp: 06/30/06 08:18:32 (8 years ago)
Author: akaihola
Comment: added link to google groups discussion

  • CookBookManipulatorWithPostpopulatedFields

    v2 v3  
    66 
    77The code is stolen from my gallery project - there you have a picturefolder that has a path and a slug that point to the filesystem and a user_id that denotes the owner (actually it's a ForeignKey to the auth.users model). So users should never be able to change the owner or change the filesystem path (otherwise they might be able to fetch files from security relevant parts of the filesystem). The following code prevents changing those fields by overwriting them in the POST data with data from the original object. That way even faked POST requests won't get access to those attributes. 
     8 
     9Note: see also [http://groups.google.com/group/django-developers/browse_frm/thread/3a20d1a776ff6fc4/d4b4b6026d410e88 this discussion] for a different approach using an undocumented Django feature. 
    810 
    911== Code ==
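
Review bot: The note added at line 9 of v3 says only "a different approach using an undocumented Django feature" and leaves the reader to follow the link to learn what that feature is and how it differs from overwriting the POST data with values from the original object. Because the paragraph above it presents this page as the way to stop users changing the owner or the filesystem path, name the feature in the sentence itself and say in a few words what it does instead, so a reader can compare the two approaches without leaving the page. It would also help to state that an undocumented feature may change between releases, which matters when it is the only thing protecting those fields.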