#26: Admin validation errors cause FileUploadFields to be reset
----------------------+-----------------------------------------------------
   Reporter:  adrian  |                Owner:  adrian                
     Status:  new     |            Component:  Admin interface       
    Version:          |           Resolution:                        
   Keywords:          |                Stage:  Design decision needed
  Has_patch:  0       |           Needs_docs:  0                     
Needs_tests:  0       |   Needs_better_patch:  0                     
----------------------+-----------------------------------------------------
Comment (by anonymous):

 You can't set a default `value` for `<input type="file">`, for security
 reasons.  See [http://www.cs.tut.fi/~jkorpela/forms/file.html some details
 here].  I believe that JavaScript can be used to access the path
 information (and then store it in a hidden input), but that the `value`
 attribute of a file input is read-only, making this a one-way street.
 
 You could temporarily store the file and change the widget to "Select a
 file, or use <path-to-my-original-file-submission> again", but you run the
 risk of garbage collection issues:
  * Temporary files may not be destroyed if the user abandons the process
  * If a `cron` or `at` job is used to destroy the file, it is possible
 that the deletion will occur before the user resubmits, thus causing an
 awful UI bug of "I know I said you could use that file again, but I just
 lost it.  Sorry.  Tell me again."
 
 Furthermore, any client-facing apps that store temporary files for an
 indeterminate amount of time have a higher risk of attacks (someone can
 fill up your hard disk / partition by re-submitting a failed attempt over
 and over again).  Maybe something like `CachedFileUploadField` would
 provide this convenience without leaving existing `FileUploadField`s as
 vulnerable.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/26#comment:3>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
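
Added example, not part of the comment above and not Django code: a sketch of the temporary-file holding area the comment describes, bounded so that abandoned uploads expire and repeated failed submissions cannot fill the disk. The class name `BoundedUploadCache`, its parameters, and the per-session key are hypothetical.

```python
import os
import secrets
import time


class BoundedUploadCache:
    """Hypothetical store; index is in-memory, so one process is assumed."""

    def __init__(self, root, ttl=900, max_file=10**6, max_total=5 * 10**6, clock=time.time):
        self.root, self.ttl, self.clock = root, ttl, clock
        self.max_file, self.max_total = max_file, max_total
        self.entries = {}  # session -> (token, path, size, expires_at)

    def _drop(self, session):
        entry = self.entries.pop(session, None)
        if entry and os.path.exists(entry[1]):
            os.remove(entry[1])

    def sweep(self):
        """Delete expired files; runs inside put/get, so no cron job is needed."""
        stale = [s for s, e in self.entries.items() if e[3] <= self.clock()]
        for session in stale:
            self._drop(session)
        return len(stale)

    def total_bytes(self):
        return sum(e[2] for e in self.entries.values())

    def put(self, session, data):
        """Keep at most one file per session; return a token, or None if refused."""
        self.sweep()
        self._drop(session)  # a retry replaces the earlier file, never adds one
        if len(data) > self.max_file or self.total_bytes() + len(data) > self.max_total:
            return None
        token = secrets.token_urlsafe(16)  # random name, never the client's filename
        path = os.path.join(self.root, token)
        with open(path, "wb") as fh:
            fh.write(data)
        self.entries[session] = (token, path, len(data), self.clock() + self.ttl)
        return token

    def get(self, session, token):
        """Return the bytes, or None so the form asks for the file again."""
        self.sweep()
        entry = self.entries.get(session)
        if entry is None or not secrets.compare_digest(entry[0].encode(), token.encode()):
            return None
        with open(entry[1], "rb") as fh:
            return fh.read()
```

A form using this would offer "use the previous file again" only while `get` still returns data, and fall back to a plain file input when it returns `None`.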