I've noticed something troubling in Django formsets:
Each formset.form has a hidden field with the id of the model being edited.
All one would need to do is change this id and submit, and the default formset clean() or save() methods don't bat an eye.
I would think that it wouldn't be too complicated to keep track of which objects were in the original formset queryset, and compare them on save.
Given all the other convenient security methods we have, I wonder why Django doesn't do this already?
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/f2a0ed48-fd23-4f4c-b13d-c11828ef5a55%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment