#30702: Form leaks all objects of model
-------------------------------------+-------------------------------------
Reporter: Kevin | Owner: nobody
Olbrich |
Type: Bug | Status: new
Component: Forms | Version: 2.2
Severity: Normal | Keywords: form, forms,
Triage Stage: | queryset
Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hi!
During development I had to filter the possible values in my form based on
the logged in user:
{{{
class DomainRegisterForm(UserKwargModelFormMixin, forms.Form):
domain = forms.CharField(label='Domain', max_length=100)
customer =
forms.ModelChoiceField(queryset=MdatCustomers.objects.none())
def __init__(self, *args, **kwargs):
super(DomainRegisterForm, self).__init__(*args, **kwargs)
self.fields['customer'].queryset =
MdatCustomers.objects.filter(mdatmultitenancyusers__user=self.user)
}}}
UserKwargModelFormMixin is from django-braces and simply does pull the
user from the request:
{{{
class UserKwargModelFormMixin(object):
"""
Generic model form mixin for popping user out of the kwargs and
attaching it to the instance.
This mixin must precede forms.ModelForm/forms.Form. The form is not
expecting these kwargs to be passed in, so they must be popped off
before
anything else is done.
"""
def __init__(self, *args, **kwargs):
self.user = kwargs.pop("user", None) # Pop the user off the
# passed in kwargs.
super(UserKwargModelFormMixin, self).__init__(*args, **kwargs)
}}}
The values are shown correctly on first load of the form. I can choose the
value and send it.
I've met two issues with this:
1) After submit of the form, I get an "invalid_choice" error. The value
I'd chosen is then filtered from the queryset even if it was valid.
2) The queryset is not filtered anymore, it shows ALL values (like:
MdatCustomers.objects.all() ).
As I use this to give a user access to multiple companies, I absolutely
don't want them to browse all ;-)
I did some research in the code but was unable to spot where this happens.
Kind regards
Kevin
--
Ticket URL: <https://code.djangoproject.com/ticket/30702>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/056.c0ab06e9e77c5a59bf106465a0d4aa95%40djangoproject.com.
