Django: what approaches are there to 'parametrising' the display and editability of form fields?
I have several forms where I want some fields to be simply missing from the form display (dependent on the current user) and some fields to be uneditable, depending on the user.
This needs to be enforced on the server, so that a malicious user cannot break the security by manually constructing a POST request with the missing parameter.
Likewise, fields which are not displayed to the user must still come back in the form results, so that fields which are not displayed to a user are not 'wiped out' when the model is written back to the DB.
I also need to solve the same hiding problem for templates.
The app will have dozens of forms, with different immutability/hiding requirements, so this needs to be a generic system. Coding permissions inside each form would be too prone to error.
Any help appreciated.
Chris.