Sunday, June 28, 2015

Re: Django formset hidden id field

On May 27, 2015, at 7:47 AM, Cheng Guo <cheng.guo@gmail.com> wrote:

Hello,

I have a formset and when I render it, Django would include this line in the HTML:

<input id="id_form-0-id" name="form-0-id" type="hidden">

I am curious what is the purpose of having an id field here. 

I mean in what situation would you use it. I did look through Django's documentation on formsets but cannot find much documentation on this.

One answer I got is that this id field is the value of the primary key of the model bound to this form. It is there so that when the formset updates, people can use it to retrieve the corresponding record from the database.

Is the above explanation correct?

If this explanation is correct, then my next question is, wouldn't it be dangerous to expose the primary key like that? I can make a post call to your server with a modified pk which can mess up your database.

So what?  It's quite likely that whoever is editing this row of the database, also has permissions to edit the other rows as well.  There's no reason for them to go through the hassle of manually editing a hidden field when they can go to a different page and edit it there.

In general, primary keys are not security flaws.  While it's a good idea to hide them from front-end pages, that's mostly because they make URLs hard to read.  I have heard that you don't want to use them publicly, because your competitors can use them to gauge your success, but that's the kind of "Nice Problem to Have" that can wait until you're bigger.

Thank you!

Peter of the Norse
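The part of the question that the reply glosses over is *which* rows a submitted `form-N-id` can reach. In a Django model formset the hidden id is only ever resolved against the queryset the formset was built with, so the practical defence is to pass a queryset scoped to the current user rather than `Model.objects.all()`. The following is an added example, not Django's code and not from either poster: a plain-Python stand-in for that lookup (dicts and a dataclass replace models and querysets, and `Note`, `TABLE`, `queryset_for` and the sample POST data are all constructed here) showing that a tampered pk resolves only when the queryset is unscoped.

```python
"""Constructed stand-in for how a Django model formset maps the hidden
``form-N-id`` field to a database row.  Not Django's implementation: a
dataclass and dicts replace the model, table and queryset so it runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Note:
    pk: int
    owner: str
    text: str


# Constructed sample table: two rows belong to alice, one to bob.
TABLE: Dict[int, Note] = {
    1: Note(1, "alice", "alice's first note"),
    2: Note(2, "alice", "alice's second note"),
    3: Note(3, "bob", "bob's private note"),
}


def queryset_for(user: str) -> List[Note]:
    """Stand-in for Note.objects.filter(owner=user): only this user's rows."""
    return [note for note in TABLE.values() if note.owner == user]


def to_python_pk(raw: Optional[str]) -> Optional[int]:
    """Mimic an integer pk field's to_python(): a missing or malformed value
    is treated as tampered POST data and yields no pk at all."""
    try:
        return int(raw)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return None


def resolve_instances(post: Dict[str, str], queryset: List[Note],
                      prefix: str = "form") -> List[Optional[Note]]:
    """For each initial form, look the submitted hidden id up in the
    formset's queryset.  Anything outside that queryset resolves to None,
    which is the property that keeps other users' rows out of reach."""
    existing = {note.pk: note for note in queryset}
    initial_forms = int(post.get(f"{prefix}-INITIAL_FORMS", "0"))
    resolved: List[Optional[Note]] = []
    for i in range(initial_forms):
        pk = to_python_pk(post.get(f"{prefix}-{i}-id"))
        resolved.append(existing.get(pk) if pk is not None else None)
    return resolved


def apply_edits(post: Dict[str, str], queryset: List[Note],
                prefix: str = "form") -> Tuple[List[Tuple[int, str]], List[str]]:
    """Return (edits that would be applied, raw ids that were rejected).
    Nothing is written; the point is which rows the POST can address."""
    applied: List[Tuple[int, str]] = []
    rejected: List[str] = []
    for i, note in enumerate(resolve_instances(post, queryset, prefix)):
        if note is None:
            rejected.append(post.get(f"{prefix}-{i}-id", "<missing>"))
            continue
        applied.append((note.pk, post[f"{prefix}-{i}-text"]))
    return applied, rejected


# Constructed POST body: alice's browser rendered two of her own forms, but the
# second hidden id was changed from 2 to 3 (bob's row) before submission.
TAMPERED_POST: Dict[str, str] = {
    "form-TOTAL_FORMS": "2",
    "form-INITIAL_FORMS": "2",
    "form-0-id": "1",
    "form-0-text": "edited",
    "form-1-id": "3",
    "form-1-text": "overwritten",
}

if __name__ == "__main__":
    # Scoped queryset: the tampered id does not resolve, so bob's row is untouched.
    print(apply_edits(TAMPERED_POST, queryset_for("alice")))
    # Unscoped queryset (the equivalent of Model.objects.all()): it does resolve.
    print(apply_edits(TAMPERED_POST, list(TABLE.values())))
```

The hidden field itself is the same in both runs; what changes the outcome is the queryset handed to the formset. Scoping that queryset (and the view's object lookup) to what the requesting user may edit is the check to make when reviewing a formset view, whether or not the ids are otherwise considered sensitive.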


