Thanks for the advice. I want to make sure it's secure. What's the best way to override the save I posted in the code above without causing issues?

On Feb 25, 2:10 am, Bernhard Schandl <bernhard.scha...@gmail.com> wrote:
> Hi,
>
> > I tried that before your answer arrived and it worked like a charm. I
> > just excluded the author field from the form and kept everything else
> > the same. It works perfectly, as the user was already passed to the
> > author field in the view. A logged in user can now automatically post
> > a story now through the form and it appears under their username.
>
> > So simple. I asked elsewhere and received extremely convoluted answers
> > that caused more confusion and chaos rather than comfort.
>
> > Thank you for reaffirming. Although, I didn't have to override the
> > form (new_story.save()) to make it work. I should probably just leave
> > it alone and enjoy the functionality!
>
> You should only check that, although the user field now does not appear in
> the form, the user cannot override the user field by changing the POST
> request that is sent to your server after submitting. So it's definitively
> safer to explicitly override the user field in your model on save(), instead
> of relying on a pre-filled field.
>
> best
> Bernhard