#20084: Formsets should sign/verify max_num
------------------------+------------------------------------
Reporter: jacob | Owner: andrewsg
Type: Bug | Status: closed
Component: Forms | Version: 1.5
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------
Changes (by Carl Meyer <carl@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"f9ab543720532400e8b0d490cdbe67ea09ae9c17"]:
{{{
#!CommitTicketReference repository="" revision="f9ab543720532400e8b0d490cdbe67ea09ae9c17"
Fixed #20084 -- Provided option to validate formset max_num on server.

This is provided as a new "validate_max" formset_factory option defaulting to
False, since the non-validating behavior of max_num is longstanding, and there
is certainly code relying on it. (In fact, even the Django admin relies on it
for the case where there are more existing inlines than the given max_num). It
may be that at some point we want to deprecate validate_max=False and
eventually remove the option, but this commit takes no steps in that
direction.

This also fixes the DoS-prevention absolute_max enforcement so that it causes a
form validation error rather than an IndexError, and ensures that absolute_max
is always 1000 more than max_num, to prevent surprising changes in behavior
with max_num close to absolute_max.

Lastly, this commit fixes the previous inconsistency between a regular formset
and a model formset in the precedence of max_num and initial data. Previously
in a regular formset, if the provided initial data was longer than max_num, it
was truncated; in a model formset, all initial forms would be displayed
regardless of max_num. Now regular formsets are the same as model formsets; all
initial forms are displayed, even if more than max_num. (But if validate_max is
True, submitting these forms will result in a "too many forms" validation
error!) This combination of behaviors was chosen to keep the max_num validation
simple and consistent, and avoid silent data loss due to truncation of initial
data.

Thanks to Preston for discussion of the design choices.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/20084#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
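The commit message above describes three behaviours without showing them: the client-controlled TOTAL_FORMS value is capped at absolute_max (= max_num + 1000) so an oversized management form cannot make the server construct an unbounded number of forms, exceeding max_num is rejected only when validate_max=True, and initial data longer than max_num is rendered in full rather than truncated. The following is an added, self-contained model of that logic written for this page; it is not Django's FormSet code, it does not import Django, and every name in it (FormSetValidationError, factory_limits, management_total, bound_form_count, unbound_form_count, check_form_count, validate_submission) is invented here. Only the arithmetic and the error conditions follow the commit message.

```python
# Illustrative model of the max_num / validate_max / absolute_max checks
# described in the #20084 commit message. Not Django's code: all names below
# are invented for this example; only the behaviour follows the commit message.

DEFAULT_MAX_NUM = 1000          # formset_factory's default max_num
TOTAL_FORMS = "TOTAL_FORMS"     # management-form field names


class FormSetValidationError(Exception):
    """Stand-in for a form validation error (Django raises ValidationError)."""


def factory_limits(max_num=None):
    """Limit arithmetic from the commit: absolute_max always sits 1000 above
    max_num, so raising max_num never silently lands on the DoS ceiling."""
    if max_num is None:
        max_num = DEFAULT_MAX_NUM
    return max_num, max_num + DEFAULT_MAX_NUM


def management_total(data, prefix="form"):
    """Read TOTAL_FORMS from POST data. This is untrusted, client-controlled
    input: nothing stops a client from posting 10**9 here."""
    try:
        total = int(data["%s-%s" % (prefix, TOTAL_FORMS)])
    except (KeyError, ValueError):
        raise FormSetValidationError(
            "ManagementForm data is missing or has been tampered with")
    if total < 0:
        raise FormSetValidationError(
            "ManagementForm data is missing or has been tampered with")
    return total


def bound_form_count(submitted_total, absolute_max):
    """Number of form instances the server actually constructs for a bound
    formset: capped at absolute_max so a huge TOTAL_FORMS cannot exhaust
    memory or CPU before validation even runs."""
    return min(submitted_total, absolute_max)


def unbound_form_count(initial_count, extra, max_num):
    """Number of forms rendered for an unbound formset. Initial forms are
    never truncated (that would be silent data loss); only the extra blank
    forms are limited by max_num."""
    if initial_count > max_num:
        return initial_count
    return min(initial_count + extra, max_num)


def check_form_count(submitted_total, max_num, absolute_max, validate_max):
    """Server-side enforcement. Exceeding absolute_max is always a validation
    error (no IndexError); exceeding max_num is an error only when
    validate_max is True, preserving the legacy non-validating behaviour."""
    too_many = submitted_total > absolute_max or (
        validate_max and submitted_total > max_num)
    if too_many:
        raise FormSetValidationError(
            "Please submit %d or fewer forms." % max_num)
    return bound_form_count(submitted_total, absolute_max)


def validate_submission(data, max_num=None, validate_max=False, prefix="form"):
    """Run the checks on one POST payload.
    Returns (True, number_of_forms_processed) or (False, error_message)."""
    max_num, absolute_max = factory_limits(max_num)
    try:
        total = management_total(data, prefix)
        count = check_form_count(total, max_num, absolute_max, validate_max)
    except FormSetValidationError as exc:
        return False, str(exc)
    return True, count


if __name__ == "__main__":
    # Constructed POST payloads (hand-written for this example, not captured traffic).
    hostile = {"form-TOTAL_FORMS": "1000000000", "form-INITIAL_FORMS": "0"}
    over_max = {"form-TOTAL_FORMS": "15", "form-INITIAL_FORMS": "0"}
    print(validate_submission(hostile, max_num=10))
    print(validate_submission(over_max, max_num=10))
    print(validate_submission(over_max, max_num=10, validate_max=True))
    print(unbound_form_count(15, extra=3, max_num=10))
```

With max_num=10 the hostile payload is rejected with "Please submit 10 or fewer forms." whether or not validate_max is set, because 10**9 exceeds absolute_max=1010; the 15-form payload is accepted under the default validate_max=False (all 15 forms are processed) and rejected only when validate_max=True. An unbound formset with 15 initial entries renders all 15 even though max_num is 10, which is exactly the combination the commit message warns about: such a page submits fine with validate_max=False but fails validation with validate_max=True.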
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.