> Take the field "xyzzy" for example (not its real name). It is a string
> field and it's not even needed on the form since i know its value from
> auth.user. So I left it off the form thinking I could populate it either
> before or after displaying the form. Well, I can't set its default before
> generating the form, because I didn't include it in the form itself, ergo,
> no place for the default value.
>
If you know the value at time of submission, you can set the default value
for the field in the club_edit table:
if form.validate():
db.club_edit.xyzzy = auth.user.xyzzy # do this before the insert into
db.club_edit
Now, when you make the insert into db.club_edit, the xyzzy field will get
the auth.user.xyzzy value.
No problemo, I thought, I'll just check for request.post_vars before the
> form is validated, and stuff the values in there ahead of validation.
> Nope. Apparently I can't do that because again the form doesn't have the
> field so the validate logic never sees it.
>
No, but you can put it into form.vars *after* validation:
if form.validate():
form.vars.xyzzy = auth.user.xyzzy
Aha! I've got it! I'll include the var name as a "hidden" var on the
> form. It will show up in the fields as hidden, ride along to the browser,
> get returned with my value and all will be well. Right? Bzzzzt! Thanks
> for playing, but no. The hidden form won't fool the validator into
> accepting the form.
>
>From the book:
form.accepts(...) is not intended to read the received hidden fields and
move them into form.vars. The reason is security. hidden fields can be
tampered with.
So, the hidden field will be in request.post_vars (and request.vars), but
form.validate() will not move it into form.vars -- you have to do that
explicitly:
if form.validate():
form.vars.xyzzy = request.post_vars.xyzzy
Be careful with hidden fields, though -- they can be hacked.
Anthony
--
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
