service, the code below will expose the data of a logged in user for
anyone viewing the site:
BAD code -------------------------------->
view.py:
from django.shortcuts import get_object_or_404, render_to_response
from django.template import RequestContext
# Report and ReportUpdateForm come from the app's own modules

def show(request, report_id):
    report = get_object_or_404(Report, id=report_id)
    return render_to_response("reports/show.html",
                              {"report": report,
                               "update_form": ReportUpdateForm(user=request.user)},
                              context_instance=RequestContext(request))
form.py:
from django import forms
# ReportUpdate and UserProfile come from the app's own models

class ReportUpdateForm(forms.ModelForm):
    class Meta:
        model = ReportUpdate
        fields = ('desc', 'author', 'email', 'phone', 'is_fixed')

    def __init__(self, data=None, files=None, initial={}, first_update=False,
                 user=None, report=None):
        # initial={} is evaluated once, when the method is defined, so every
        # call that does not pass its own dict reads and mutates this one
        if user and user.is_authenticated() and \
                UserProfile.objects.filter(user=user).exists():
            initial['author'] = user.first_name + " " + user.last_name
            initial['phone'] = user.get_profile().phone
            initial['email'] = user.email
        super(ReportUpdateForm, self).__init__(data, files=files,
                                               initial=initial)
---------------------------------------->
... I'm guessing because the 'initial' declaration in the form
constructor prototype is not on the stack, like I would have thought.
Changing the view to construct the ReportUpdateForm like so:
    "update_form": ReportUpdateForm(user=request.user, initial={}),
puts the values on the stack, instead of in the apparently persistent
dict declared in the constructor prototype. This was confirmed with a
unit test:
-------------------------------->
from django.test.client import Client

def test_update_form(self):
    # check that default values are already filled in.
    c = Client()
    r = c.login(username='user1', password='user1')
    url = '/reports/4'
    r = c.get(url)
    self.assertEquals(r.status_code, 200)
    self.assertContains(r, "Clark Kent")
    self.assertContains(r, "user1@test.com")
    self.assertContains(r, "555-111-1111")
    # check that default values are NOT already filled in
    # for a second anonymous client (problem in the field)
    c2 = Client()
    r = c2.get(url)
    self.assertEquals(r.status_code, 200)
    self.assertNotContains(r, "Clark Kent")
    self.assertNotContains(r, "user1@test.com")
    self.assertNotContains(r, "555-111-1111")
----------------------->
Which passes or fails according to the change above. Thank you for
your advice.
Jennifer
On Oct 25, 2:36 pm, Daniel Roseman <dan...@roseman.org.uk> wrote:
> On Monday, 24 October 2011 23:14:40 UTC+1, Jennifer Bell wrote:
>
> > On my site, some user data is automatically filled in to a form if a
> > user is logged in by accessing request.user in the view code.
>
> > On deployment, it seems that if *any* user is logged in, forms
> > requested via another browser will be filled in with their data. The
> > data is not filled in if no user is logged in.
>
> > I'm mystified. Where is this coming from? I'm using django 1.3, and
> > caching is not enabled in my settings (though I have set
> > CACHE_MIDDLEWARE_ANONYMOUS_ONLY=True just in case).
>
> > The WSGIDaemonProcess is set up like this:
> > WSGIDaemonProcess lalala user=lalala group=lalala threads=1
> > processes=3
>
> > Is this apache? mod_wsgi?
>
> > Jennifer
>
> No, it's your code. You've got something somewhere that's providing default
> arguments to your form, but is doing so at the module or class level rather
> than per-request. You'd better show your form and view code.
> --
> DR.
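The leak in the thread above is Python's mutable default argument, not Django: `initial={}` is built once when `__init__` is defined and that single dict is shared by every call that omits `initial`. The following added example (not code from the thread, and using constructed User and form stand-ins rather than Django) reproduces the cross-user prefill and shows the usual fix, a `None` sentinel with a fresh dict per call; Jennifer's view-side change works for the same reason, since `initial={}` inside the view expression is evaluated on every request.

```python
from dataclasses import dataclass


@dataclass
class User:
    # Constructed stand-in for request.user; real Django users are not needed here.
    first_name: str
    last_name: str
    email: str
    phone: str
    is_authenticated: bool = True


class LeakyForm:
    """Mirrors the posted constructor: `initial={}` is evaluated once, when the
    function is defined, so every call that omits `initial` mutates one shared dict."""

    def __init__(self, initial={}, user=None):
        if user and user.is_authenticated:
            initial["author"] = user.first_name + " " + user.last_name
            initial["phone"] = user.phone
            initial["email"] = user.email
        self.initial = initial


class FixedForm:
    """Same prefill logic with a per-call dict: None sentinel, fresh dict each time."""

    def __init__(self, initial=None, user=None):
        initial = {} if initial is None else dict(initial)  # never alias the caller's dict
        if user and user.is_authenticated:
            initial["author"] = user.first_name + " " + user.last_name
            initial["phone"] = user.phone
            initial["email"] = user.email
        self.initial = initial


def anonymous_prefill(form_cls):
    """Request 1: a logged-in user builds the form. Request 2: an anonymous
    visitor builds it. Return what the anonymous visitor's form is prefilled with."""
    clark = User("Clark", "Kent", "user1@test.com", "555-111-1111")
    form_cls(user=clark)
    return form_cls(user=None).initial


if __name__ == "__main__":
    print("leaky:", anonymous_prefill(LeakyForm))  # Clark Kent's data leaks
    print("fixed:", anonymous_prefill(FixedForm))  # {}
```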