Tuesday, May 3, 2016

Re: Django formset hidden id field

Carl Meyer said:

"Whatever queryset you pass to the model formset limits the 
available rows for editing. The end user can edit the PK to refer to any 
item in that queryset, but not any item in the table. "

That's not true, based on my observation. 
As long as the PK refers to any object of that type, it can be edited by monkeying with the hidden id field.
I think that's a pretty big gotcha, since we have conveniences like permission_required decorator, {% csrf_token %}, etc.

On Wednesday, May 27, 2015 at 9:47:08 AM UTC-4, Cheng Guo wrote:
Hello,

I have a formset and when I render it, Django would include this line in the HTML:

<input id="id_form-0-id" name="form-0-id" type="hidden">

I am curious what is the purpose of having an id field here. 

I mean, in what situation you would use it. I did look through Django's documentation on formsets but cannot find much documentation on this.

One answer I got is that this id field is the value of the primary key of the model bound to this form. It is there so that when the formset updates, people can use it to retrieve the corresponding record from the database.

Is the above explanation correct?

If this explanation is correct, then my next question is, wouldn't it be dangerous to expose the primary key like that? I can make a POST call to your server with a modified pk which can mess up your database.

Thank you!
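The risk the thread is arguing about is whether the server re-checks the submitted hidden id against the queryset the formset was built from. The following is an added example, not code from the thread or from Django: a framework-free Python sketch of the ownership check a custom BaseModelFormSet.clean() override would perform. It does not import Django, so the in-memory table, the per-user "queryset" (editable_pks), the POST payload and the function names are all constructed for illustration; the payload keys (form-TOTAL_FORMS, form-0-id, ...) mirror the management form and hidden id field Django renders.

```python
"""Server-side ownership check for a model-formset-style submission.

Added example (not from the mailing-list thread or from Django itself).
Django is deliberately not imported, so this runs stand-alone; the payload
shape (form-TOTAL_FORMS, form-0-id, ...) mirrors what Django's management
form and hidden id field produce, and the check mirrors what a
BaseModelFormSet.clean() override would do.  The "table", the user's
editable queryset and the POST payload below are constructed sample data.
"""

# Constructed sample table: pk -> row.  Rows 1 and 2 belong to alice, 3 to bob.
ROWS = {
    1: {"owner": "alice", "title": "Alice's first note"},
    2: {"owner": "alice", "title": "Alice's second note"},
    3: {"owner": "bob", "title": "Bob's private note"},
}


def editable_pks(rows, user):
    """The set of pks the formset's queryset would expose for this user."""
    return {pk for pk, row in rows.items() if row["owner"] == user}


def parse_formset(post, prefix="form"):
    """Split a flat POST dict into per-form dicts, driven by the management form."""
    total = int(post[f"{prefix}-TOTAL_FORMS"])
    forms = []
    for i in range(total):
        form_prefix = f"{prefix}-{i}-"
        fields = {k[len(form_prefix):]: v
                  for k, v in post.items() if k.startswith(form_prefix)}
        forms.append(fields)
    return forms


def validate_submission(post, rows, user, prefix="form"):
    """Reject any form whose hidden id refers to a row outside the user's queryset.

    Returns (accepted, errors): accepted maps pk -> new field values; errors lists
    (form index, submitted id, reason).  A blank id means a new object and is skipped.
    """
    allowed = editable_pks(rows, user)
    accepted, errors = {}, []
    for index, fields in enumerate(parse_formset(post, prefix)):
        raw_id = fields.get("id", "")
        if raw_id == "":
            continue  # extra form: a new object, no existing row to protect
        try:
            pk = int(raw_id)
        except ValueError:
            errors.append((index, raw_id, "not an integer"))
            continue
        if pk not in allowed:
            # The case the thread describes: a pk that exists in the table but
            # was never part of the queryset the formset was rendered from.
            errors.append((index, raw_id, "not in editable queryset"))
            continue
        accepted[pk] = {k: v for k, v in fields.items() if k != "id"}
    return accepted, errors


def apply_updates(post, rows, user):
    """Apply accepted edits; refuse the whole submission if any id was tampered."""
    accepted, errors = validate_submission(post, rows, user)
    if errors:
        return False, errors
    for pk, values in accepted.items():
        rows[pk].update(values)
    return True, []


# Constructed POST payload: alice's browser rendered form-0 for pk 1 and
# form-1 for pk 2; the second hidden id has been changed to 3 (bob's row).
TAMPERED_POST = {
    "form-TOTAL_FORMS": "2",
    "form-INITIAL_FORMS": "2",
    "form-0-id": "1",
    "form-0-title": "edited by alice",
    "form-1-id": "3",
    "form-1-title": "alice overwrote bob",
}

if __name__ == "__main__":
    ok, problems = apply_updates(TAMPERED_POST, ROWS, "alice")
    print("accepted:", ok, "errors:", problems)
```

The point of the check is that the hidden id is treated as untrusted input: it is only used to select a row from the set the user was already allowed to edit, never to select a row from the whole table. Rejecting the entire submission on a bad id, rather than silently dropping the offending form, also makes the tampering visible in logs.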

To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/fe307db9-12fb-4b05-a049-7e83c5ac8d80%40googlegroups.com.
