mirror of
https://github.com/django/django.git
synced 2025-11-07 07:15:35 +00:00
Fixed #19733 - deprecated ModelForms without 'fields' or 'exclude', and added '__all__' shortcut
This also updates all dependent functionality, including modelform_factory and modelformset_factory, and the generic views `ModelFormMixin`, `CreateView` and `UpdateView` which gain a new `fields` attribute.
This commit is contained in:
Luke Plant
@@ -532,3 +532,55 @@ including it in an URLconf, simply replace::
|
||||
with::
|
||||
|
||||
(r'^prefix/(?P<content_type_id>\d+)/(?P<object_id>.*)/$', 'django.contrib.contenttypes.views.shortcut'),
|
||||
|
||||
``ModelForm`` without ``fields`` or ``exclude``
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Previously, if you wanted a :class:`~django.forms.ModelForm` to use all fields on
|
||||
the model, you could simply omit the ``Meta.fields`` attribute, and all fields
|
||||
would be used.
|
||||
|
||||
This can lead to security problems where fields are added to the model and,
|
||||
unintentionally, automatically become editable by end users. In some cases,
|
||||
particular with boolean fields, it is possible for this problem to be completely
|
||||
invisible. This is a form of `Mass assignment vulnerability
|
||||
<http://en.wikipedia.org/wiki/Mass_assignment_vulnerability>`_.
|
||||
|
||||
For this reason, this behaviour is deprecated, and using the ``Meta.exclude``
|
||||
option is strongly discouraged. Instead, all fields that are intended for
|
||||
inclusion in the form should be listed explicitly in the ``fields`` attribute.
|
||||
|
||||
If this security concern really does not apply in your case, there is a shortcut
|
||||
to explicitly indicate that all fields should be used - use the special value
|
||||
``"__all__"`` for the fields attribute::
|
||||
|
||||
class MyModelForm(ModelForm):
|
||||
class Meta:
|
||||
fields = "__all__"
|
||||
model = MyModel
|
||||
|
||||
If you have custom ``ModelForms`` that only need to be used in the admin, there
|
||||
is another option. The admin has its own methods for defining fields
|
||||
(``fieldsets`` etc.), and so adding a list of fields to the ``ModelForm`` is
|
||||
redundant. Instead, simply omit the ``Meta`` inner class of the ``ModelForm``,
|
||||
or omit the ``Meta.model`` attribute. Since the ``ModelAdmin`` subclass knows
|
||||
which model it is for, it can add the necessary attributes to derive a
|
||||
functioning ``ModelForm``. This behaviour also works for earlier Django
|
||||
versions.
|
||||
|
||||
``UpdateView`` and ``CreateView`` without explicit fields
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The generic views :class:`~django.views.generic.edit.CreateView` and
|
||||
:class:`~django.views.generic.edit.UpdateView`, and anything else derived from
|
||||
:class:`~django.views.generic.edit.ModelFormMixin`, are vulnerable to the
|
||||
security problem described in the section above, because they can automatically
|
||||
create a ``ModelForm`` that uses all fields for a model.
|
||||
|
||||
For this reason, if you use these views for editing models, you must also supply
|
||||
the ``fields`` attribute, which is a list of model fields and works in the same
|
||||
way as the :class:`~django.forms.ModelForm` ``Meta.fields`` attribute. Alternatively,
|
||||
you can set set the ``form_class`` attribute to a ``ModelForm`` that explicitly
|
||||
defines the fields to be used. Defining an ``UpdateView`` or ``CreateView``
|
||||
subclass to be used with a model but without an explicit list of fields is
|
||||
deprecated.
|
||||
|
||||
Reference in New Issue
Block a user