#30702: Form leaks all objects of model
               Reporter:  Kevin      |          Owner:  nobody
  Olbrich                            |
                   Type:  Bug        |         Status:  new
              Component:  Forms      |        Version:  2.2
               Severity:  Normal     |       Keywords:  form, forms,
           Triage Stage:             |  queryset
  Unreviewed                         |      Has patch:  0
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |

 During development I had to filter the possible values in my form based on
 the logged in user:

 class DomainRegisterForm(UserKwargModelFormMixin, forms.Form):
     domain = forms.CharField(label='Domain', max_length=100)
     customer =

     def __init__(self, *args, **kwargs):
         super(DomainRegisterForm, self).__init__(*args, **kwargs)
         self.fields['customer'].queryset =

 UserKwargModelFormMixin is from django-braces and simply does pull the
 user from the request:

 class UserKwargModelFormMixin(object):
     Generic model form mixin for popping user out of the kwargs and
     attaching it to the instance.

     This mixin must precede forms.ModelForm/forms.Form. The form is not
     expecting these kwargs to be passed in, so they must be popped off
     anything else is done.
     def __init__(self, *args, **kwargs):
         self.user = kwargs.pop("user", None)  # Pop the user off the
                                               # passed in kwargs.
         super(UserKwargModelFormMixin, self).__init__(*args, **kwargs)


 The values are shown correctly on first load of the form. I can choose the
 value and send it.

 I've met two issues with this:
 1) After submit of the form, I get an "invalid_choice" error. The value
 I'd chosen is then filtered from the queryset even if it was valid.
 2) The queryset is not filtered anymore, it shows ALL values (like:
 MdatCustomers.objects.all() ).

 As I use this to give a user access to multiple companies, I absolutely
 don't want them to browse all ;-)

 I did some research in the code but was unable to spot where this happens.

 Kind regards

Ticket URL: <https://code.djangoproject.com/ticket/30702>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Reply via email to