
INTRO: I have a Django web app which does the following:

  1. Allows the user to fill the form
  2. After the form is submitted, it shows the form with the previously filled values

In step 2, the form fields are set as read-only because they should not be modified.

So in my views.py file I have the following information:

from django.shortcuts import render
from .forms import ProductForm  # assumption: ProductForm is defined in the app's forms.py

def insert_data(request):
    # Get the form from a previous post request (coming from step1)
    form_one_item = ProductForm(request.POST, request.FILES)

    # Set the fields as readonly (this is step 2)
    form_one_item.fields['name'].widget.attrs['readonly'] = True

    # Pass the form object itself, not the string 'form_one_item'
    return render(request, 'mypage.html', {'form_one_item': form_one_item})

The form therefore looks like this:

[screenshot: the rendered form with the read-only field]

and it is supposed to be resubmitted through another post request (I know it is confusing but I need to do so).

PROBLEM: At first glance, it looks like it is all fine but then I noticed that I can right-click on the field and modify its content:

[screenshot: the field's value being edited in the browser's developer tools]

As a matter of fact, if I repost the readonly form, the value shown is modified according to what I write into the value field.

QUESTION: Are you able to suggest a possible way to keep the readonly option but at the same time avoid passing a modified value once I re-submit the post?

NOTE: None of the answers posted in this popular question worked for me.

Federico Gentile
  • "_avoid to pass a modified value once I re-submit the post_": that is impossible if you keep that as an input in the form (the user can tamper with anything at the frontend). As mentioned in the duplicate, even if the value is modified Django will ignore it if you use the `disabled` attribute; how does that not meet your requirements? – Abdul Aziz Barkat Oct 25 '22 at 10:09
  • @AbdulAzizBarkat thanks for your comment. Disabled does not show the value in the prefilled form. It is completely gray. And I need to pass the values back to the back-end. If I use disabled, I understand that the form will not be posted. – Federico Gentile Oct 25 '22 at 10:14
  • Why would the form not be posted? Just that field is disabled, not the form. Also, on one hand you say you need to pass the values to the backend; on the other you say the user shouldn't be able to tamper. As I said, that is impossible: the backend just needs to get the data on its own in both requests, since data from the user can't be trusted. – Abdul Aziz Barkat Oct 25 '22 at 10:17
  • When I use `form_one_item.fields['name'].disabled = True` the prefilled values are erased and I get an empty form. – Federico Gentile Oct 25 '22 at 10:53
  • You need to pass your values to the form as [initial data](https://docs.djangoproject.com/en/4.1/ref/forms/api/#django.forms.Form.initial), of course. Also I don't know why you insist on modifying the form after instantiating it rather than just updating the code for the form... – Abdul Aziz Barkat Oct 25 '22 at 10:56
  • But why should I pass the values to the form if it is already prefilled from step 1? As a matter of fact, if I use the readonly option, the displayed outcome is what I expect to see. The only problem is that someone could modify and repost the form with different values from the original ones. That is why I need to prevent this from happening. – Federico Gentile Oct 25 '22 at 11:03
  • Btw I was partially able to display what I want by using the following line of code: `form_one_item.fields['name'].widget.attrs['disabled'] = 'disabled'`. However, after making the post request, the form is empty. – Federico Gentile Oct 25 '22 at 11:14
  • And that exactly is why you need to pass the value to the form: since the user can modify the value, whatever the user submits is untrusted. You could of course come up with a hash value, make the user submit that also, and use that hash to verify the submitted value (basically a digital signature, so to speak). These are the 2 simplest solutions. As to your exact question "How to prevent data tampering?", I've already said that it is impossible; the user can do whatever they want on the frontend. – Abdul Aziz Barkat Oct 25 '22 at 11:14
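The comments above describe two server-side fixes: either re-fetch the trusted value on the backend (in Django, a field with `disabled=True` plus `initial` data ignores whatever was posted for it), or let the step-1 view attach a keyed hash to the value so the step-2 view can tell whether the browser-editable `<input>` was changed. Below is an added example of the second approach, not code from the question or from Django itself, written with only the standard library `hmac` module so it runs without Django. The helper names (`sign_field`, `render_step2_fields`, `verify_step2_post`), the secret and the sample values are assumptions; in a real view the tag would live in a hidden input, `settings.SECRET_KEY` would be the key, and `django.core.signing.Signer` already provides the same sign/unsign pair.

```python
import hashlib
import hmac

# Constructed example secret; in a Django project this role is played by settings.SECRET_KEY.
SECRET_KEY = b"constructed-example-secret-not-for-production"


def sign_field(field: str, value: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over field name + value, hex encoded.

    Binding the field name into the message stops a valid tag for one
    field being replayed against a different field of the same form.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def render_step2_fields(clean_name: str) -> dict:
    """What the step-1 view hands to the step-2 template (hypothetical helper):
    the value shown in the read-only <input> plus a hidden companion tag."""
    return {"name": clean_name, "name_sig": sign_field("name", clean_name)}


def verify_step2_post(post: dict) -> str:
    """Validate a resubmitted step-2 POST (a dict standing in for request.POST).

    Returns the value only if its tag still matches. Any edit made through the
    browser's inspector changes the value but not the tag, so verification fails.
    """
    value = post.get("name", "")
    tag = post.get("name_sig", "")
    expected = sign_field("name", value)
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("field 'name' was modified after step 1")
    return value


if __name__ == "__main__":
    # Constructed step-1 result and two step-2 resubmissions.
    ctx = render_step2_fields("Widget A")
    print("honest resubmit accepted:", verify_step2_post(dict(ctx)))

    tampered = dict(ctx, name="Widget B")  # value edited in the browser's dev tools
    try:
        verify_step2_post(tampered)
    except ValueError as exc:
        print("tampered resubmit rejected:", exc)
```

The `readonly` attribute on its own changes nothing here: it is rendering advice to the browser, and the server only learns the value was touched because the tag no longer verifies. Anything validated this way still has to be treated like any other form input (length limits, type conversion) before it is stored.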
