Fixed #20084 -- Provided option to validate formset max_num on server.

This is provided as a new "validate_max" formset_factory option defaulting to False, since the non-validating behavior of max_num is longstanding, and there is certainly code relying on it. (In fact, even the Django admin relies on it for the case where there are more existing inlines than the given max_num). It may be that at some point we want to deprecate validate_max=False and eventually remove the option, but this commit takes no steps in that direction. This also fixes the DoS-prevention absolute_max enforcement so that it causes a form validation error rather than an IndexError, and ensures that absolute_max is always 1000 more than max_num, to prevent surprising changes in behavior with max_num close to absolute_max. Lastly, this commit fixes the previous inconsistency between a regular formset and a model formset in the precedence of max_num and initial data. Previously in a regular formset, if the provided initial data was longer than max_num, it was truncated; in a model formset, all initial forms would be displayed regardless of max_num. Now regular formsets are the same as model formsets; all initial forms are displayed, even if more than max_num. (But if validate_max is True, submitting these forms will result in a "too many forms" validation error!) This combination of behaviors was chosen to keep the max_num validation simple and consistent, and avoid silent data loss due to truncation of initial data. Thanks to Preston for discussion of the design choices.
2025-10-24 14:16:09 +00:00 · 2013-03-20 23:27:06 -07:00
parent aaec4f2bd8
commit f9ab543720
12 changed files with 210 additions and 47 deletions
--- a/tests/model_formsets/tests.py
+++ b/tests/model_formsets/tests.py
@@ -899,6 +899,33 @@ class ModelFormsetTest(TestCase):
        self.assertFalse(formset.is_valid())
        self.assertEqual(formset.errors, [{'slug': ['Product with this Slug already exists.']}])

+    def test_modelformset_validate_max_flag(self):
+        # If validate_max is set and max_num is less than TOTAL_FORMS in the
+        # data, then throw an exception. MAX_NUM_FORMS in the data is
+        # irrelevant here (it's output as a hint for the client but its
+        # value in the returned data is not checked)
+
+        data = {
+            'form-TOTAL_FORMS': '2',
+            'form-INITIAL_FORMS': '0',
+            'form-MAX_NUM_FORMS': '2', # should be ignored
+            'form-0-price': '12.00',
+            'form-0-quantity': '1',
+            'form-1-price': '24.00',
+            'form-1-quantity': '2',
+        }
+
+        FormSet = modelformset_factory(Price, extra=1, max_num=1, validate_max=True)
+        formset = FormSet(data)
+        self.assertFalse(formset.is_valid())
+        self.assertEqual(formset.non_form_errors(), ['Please submit 1 or fewer forms.'])
+
+        # Now test the same thing without the validate_max flag to ensure
+        # default behavior is unchanged
+        FormSet = modelformset_factory(Price, extra=1, max_num=1)
+        formset = FormSet(data)
+        self.assertTrue(formset.is_valid())
+
    def test_unique_together_validation(self):
        FormSet = modelformset_factory(Price, extra=1)
        data = {