Enforcing values for some fields when using ModelForm - database

I have a Django app where users submit orders for payment. Clearly, security is important. I want to minimise the amount of code that I have to write, to avoid introducing any security holes, and ease maintenance.
The model is simple:
class Order(models.Model):
user = models.ForeignKey(User)
created = models.DateTimeField()
paid = models.DateTimeField(null=True, blank=True)
items = models.ManyToManyField(Item)
I'm using a CreateView to create instances of Order:
class OrderView(CreateView):
model = Order
form_class = OrderForm
I want to enforce values for certain fields in those instances. For example, I want the instance user field set to the current logged-in user. I don't want any possibility that the user can change the value of this field, so I don't want it to appear in the form at all. Therefore I use a custom ModelForm to remove these fields from the form:
class OrderForm(forms.ModelForm):
class Meta:
model = Order
# For security, we control exactly which fields are placed
# in the form, rather than excluding some:
fields = ('items',)
Now I want the newly created Order instances to have the user field set to the current logged-in user. I can't find any documentation about what is the best way to do this.
(A) I can override the form's save() method to modify the object before saving, but it feels like this code doesn't belong in the form, which doesn't know anything about the user field. I also don't have access to the request here, which I'd need to determine the current user. But it might look like this:
class OrderForm(forms.ModelForm):
def save(self, commit=True):
instance = super(OrderForm, self).save(commit=False)
instance.user = get_request_magic().user
if commit:
instance.save()
return instance
(B) I can override the view's form_valid method to save the object with commit=False, like a class-based version of this question. But I can't call the superclass method directly, because it saves the object with no way to disable commit, so I have to manually skip a generation of form_valid which is nasty. Apart from that complaint, this does look like the best way I've found so far:
class OrderView(CreateView):
def form_valid(self, form):
self.object = form.save(commit=False)
self.object.user = self.request.user
self.object.save()
return super(ModelFormMixin, self).form_valid(form)
(C) I could write a replacement for CreateView that adds a hook to allow objects to be changed before saving them. But that feels like more boilerplate and duplication.
(D) I can't provide an initial value, because there's no form field to put it in, so it will be ignored.
Any other ideas? If (B) the best option, is there any way around the hacky way of manually specifying which superclass' form_valid method I want to call?

Django user Charettes answered the question for me:
You can achieve this by overriding form_valid:
class OrderCreateViewMixin(CreateView):
def form_valid(self, form):
form.instance.user = request.user
return super(OrderCreateViewMixin, self).form_valid(form)
Which pointed me towards the right part of the documentation:
class AuthorCreate(CreateView):
form_class = AuthorForm
model = Author
def form_valid(self, form):
form.instance.created_by = self.request.user
return super(AuthorCreate, self).form_valid(form)
This is definitely the simplest and cleanest answer I've found so far. It doesn't require modifying the form in any way, although it does directly access its instance member which is a bit ugly. However, at least it's officially documented, so it's unlikely to break.

There are probably multiple approaches to this. I would do this:
Create a constructor in your form which takes the request:
def __init__(self, *args, **kwargs):
request = kwargs.pop('request', None)
super(OrderForm, self).__init__(*args, **kwargs)
self.request = request
When creating your form for POST processing, instantiate it as follows:
form = OrderForm(data=request.POST, request=request)
Now, in your save() method, you have access to the user on the request by referencing self.request.user and can set it accordingly on your model.

The way I've gone about handling this situation with CBVs, is to pass in an unsaved instance of the model to the form. This is how I've done it:
class OrderView(CreateView):
def get_form_kwargs(self):
self.object = Order(user=self.request.user)
return super(OrderView, self).get_form_kwargs()
Both CreateView and UpdateView will add instance to the form kwargs, setting it to the value of self.object.
The only other way, besides what you've already mentioned, is to construct your view class from the same elements that CreateView does, and then change the get and post methods to populate self.object there. I've done that when I have needed a lot of create views in my project:
class OrderView(SingleObjectTemplateResponseMixin, ModelFormMixin, ProcessFormView):
template_name_suffix = '_form'
def get(self, request, *args, **kwargs):
self.object = Order(user=request.user)
return super(OrderView, self).get(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
self.object = Order(user=request.user)
return super(OrderView, self).post(request, *args, **kwargs)
Here is a more generalized version to be reused: https://gist.github.com/4439975

Related

Disable strip white space from models.CharField

I have a django application using models.CharField. The issue is trailing whitespace is removed, which weirdly enough, I DO NOT WANT TO HAPPEN.
I am only accessing the field through the Admin, not a form. I understand through other posts that forms have an strip = False option, but models do not.
Is there an easy way I can achieve this?
Thanks Willem, but I wasn't exactly sure how to do that.
That said, I've worked it out myself, with a little help from
Django TextField/CharField is stripping spaces/blank lines.
Step by step for those still learning, like me:
Define a custom form, overriding the init method (forms.py)
class YourForm(forms.ModelForm):
def __init__(self, *args, **kwargs):
super(YourForm, self).__init__(*args, **kwargs)
self.fields['myfield'].strip = False
class Meta:
model = YourModel
fields = "__all__"
Reference the custom form when defining the model admin (admin.py)
from .forms import YourForm
class YourModelAdmin(admin.ModelAdmin):
# list_display, ordering etc.
form = YourForm

Allowing Edit to editable=False Fields in Django Admin

DRF will use the editable=False on a field to default the Serializer to read-only. This is a very helpful / safe default that I take advantage of (ie I won't forget to set the Serializer to read-only). That being said once I have set editable=False is there any way to then force the Django admin to allow editing one of those fields?
Presumably the admin is a super user and I do want him to be able to change the fields value but fore safety I want the default Serializer logic to be read only.
UPDATE
I don't actually need to be able to edit the field as much as "set-it" when I create the object.
You are going about this the wrong way.
Your models should be the most pure implementation of the things you are modelling. If something about a model is fixed (for example a creation date) it shouldn't be editable in the model, if its mutable, then leave as editable in the model.
Otherwise, in the future you (or someone else) might be stuck wondering why a field which is set to editable=False is some how being changed. Especially as the documentation states:
If False, the field will not be displayed in the admin or any other ModelForm. They are also skipped during model validation.
If you have one view in which it shouldn't be editable (such as in the API), then override it there.
If you have multiple serilaizers for a model, instead make an abstract serializer with a read_only_fields set and then subclass that. For example:
class AbstractFooSerializer(serializers.ModelSerializer):
class Meta:
model = Foo
read_only_fields = ('bar',)
class MainFooSerializer(AbstractFooSerializer):
pass
class DifferentFooSerializer(AbstractFooSerializer):
pass
If you really, really want to use editable=False, but allow the item to be edited in the Admin site only on creation you have an up hill battle.
Probably the best approach would be to reimplement the AdminForm you are using for the Admin
So instead of:
class FooAdmin(admin.ModelAdmin):
Use:
class FooAdmin(admin.ModelAdmin):
form = MySpecialForm
Then declare the form:
class MySpecialForm(forms.Model):
def __init__(self, *args, **kwargs):
self.is_new = False
if kwargs.get('instance',None) is None:
# There is no instance, thus its a new item
self.is_new = True
self.fields['one_time_field'] = forms.CharField() # Or what have you.
super(MySpecialForm, self).__init__(*args, **kwargs)
def save(self, commit=True):
instance = super(MySpecialForm, self).save(commit)
if self.is_new:
instance.your_one_time_only_field = self.one_time_field
instance.save()
return instance
Note: you will need to manually add a field and save each readonly field that you want to do this for. This may or may not be 100% functional.
For those who want to allow editing of a non-editabled field only during creation (no instance.pk, yet):
# models.py
class Entity(Model):
name = CharField(max_length=200, unique=True, null=False, blank=False, editable=False)
# admin.py
#register(Entity)
class EntityAdmin(ModelAdmin):
def get_readonly_fields(self, request, obj=None):
if obj: # This is the case when obj is already created i.e. it's an edit
return ['id', 'name']
else:
return []
# this override prevents that the new_name field shows up in the change form if it's not a creation
def get_form(self, request, obj=None, **kwargs):
orig_self_form = self.form
if not obj:
self.form = CreateEntityForm
result = super().get_form(request, obj=obj, **kwargs)
self.form = orig_self_form
return result
# forms.py
class CreateEntityForm(ModelForm):
new_name = CharField(max_length=200, min_length=2, label='Name', required=True)
def clean_new_name(self):
code = self.cleaned_data['new_name']
# validate uniqueness - if you need
exists = Entity.objects.filter(name=code).first()
if exists:
raise ValidationError('Entity with this name already exists: {}', exists)
return name
def save(self, commit=True):
if self.instance.pk:
raise NotImplementedError('Editing of existing Entity is not allowed!')
self.instance.name = self.cleaned_data['new_name'].upper()
return super().save(commit)
class Meta:
model = Entity
fields = ['new_name']
exclude = ['id', 'name']

Using Django CreateView without Form to Create Object

I am using classed based views with django 1.3 and am trying to figure out how to create an object without using the form. I do not need any user input to create the object but I am still getting an error message that the template is missing. Below is my current view where I have tried to subclass the form_valid method but its not working. Any help would be appreciated.
class ReviewerCreateView(CreateView):
model = Reviewer
def form_valid(self, form):
self.object = form.save(commit=False)
self.object.user = self.request.user
self.object.role = 2
self.object.save()
return HttpResponseRedirect(self.get_success_url())
A CreateView is a specialized view whose purpose is to display a form on GET and validate the form data and create a new object based on the form data on POST.
Since you don't need to display a form and process the form data, a CreateView is not the tool for your job.
You either need a plain old function-based view, or, if you prefer to use a class-based view, derive from View and override get() or post(). For example, adapting your sample code:
class ReviewerCreator(View):
def get(self, request, *args, **kwargs):
Reviewer(user=request.user, role=2).save()
return HttpResponseRedirect('/your_success_url/')
I don't believe a view needs to do anything explicit with a form if it does not need one.
You can instantiate a Reviewer object. It's just a python object.
class ReviewerCreateView(CreateView):
model = Reviewer
self.object.user = self.request.user
self.object.role = 2
self.object.save()
return HttpResponseRedirect(self.get_success_url())

Django-nonrel form field for ListField

I'm experimenting with django-nonrel on appengine and trying to use a djangotoolbox.fields.ListField to implement a many-to-many relation. As I read in the documentation a ListField is something that you can use to make a workaround for djamgo-nonrel not supporting many-to-many relations.
This is an excerpt from my model:
class MyClass(models.Model):
field = ListField(models.ForeignKey(AnotherClass))
So if I am getting this right I am creating a list of foreign keys to another class to show a relationship with multiple instances of another class
With this approach everything works fine ... No Exceptions. I can create `MyClass' objects in code and views. But when I try to use the admin interface I get the following error
No form field implemented for <class 'djangotoolbox.fields.ListField'>
So I though I would try something that I haven't done before. Create my own field. Well actually my own form for editing MyClass instances in the admin interface. Here is what I did:
class MyClassForm(ModelForm):
field = fields.MultipleChoiceField(choices=AnotherClass.objects.all(), widget=FilteredSelectMultiple("verbose_name", is_stacked=False))
class Meta:
model = MyClass
then I pass MyClassForm as the form to use to the admin interface
class MyClassAdmin(admin.ModelAdmin):
form = MyClassForm
admin.site.register(MyClass, MyClassAdmin)
I though that this would work but It doesn't. When I go to the admin interface I get the same error as before. Can anyone tell what I am doing wrong here ... or if you have any other suggestions or success stories of using the ListField, SetField, etc. from djangotoolbox.fields in the admin interface it would be very much appreciated.
OK, here is what I did to get this all working ...
I'll start from the beginning
This is what what my model looked like
class MyClass(models.Model):
field = ListField(models.ForeignKey(AnotherClass))
I wanted to be able to use the admin interface to create/edit instances of this model using a multiple select widget for the list field. Therefore, I created some custom classes as follows
class ModelListField(ListField):
def formfield(self, **kwargs):
return FormListField(**kwargs)
class ListFieldWidget(SelectMultiple):
pass
class FormListField(MultipleChoiceField):
"""
This is a custom form field that can display a ModelListField as a Multiple Select GUI element.
"""
widget = ListFieldWidget
def clean(self, value):
#TODO: clean your data in whatever way is correct in your case and return cleaned data instead of just the value
return value
These classes allow the listfield to be used in the admin. Then I created a form to use in the admin site
class MyClassForm(ModelForm):
def __init__(self, *args, **kwargs):
super(MyClasstForm,self).__init__(*args, **kwargs)
self.fields['field'].widget.choices = [(i.pk, i) for i in AnotherClass.objects.all()]
if self.instance.pk:
self.fields['field'].initial = self.instance.field
class Meta:
model = MyClass
After having done this I created a admin model and registered it with the admin site
class MyClassAdmin(admin.ModelAdmin):
form = MyClassForm
def __init__(self, model, admin_site):
super(MyClassAdmin,self).__init__(model, admin_site)
admin.site.register(MyClass, MyClassAdmin)
This is now working in my code. Keep in mind that this approach might not at all be well suited for google_appengine as I am not very adept at how it works and it might create inefficient queries an such.
As far as I understand, you're trying to have a M2M relationship in django-nonrel, which is not an out-of-the-box functionality. For starters, if you want a quick hack, you can go with this simple class and use a CharField to enter foreign keys manually:
class ListFormField(forms.Field):
""" A form field for being able to display a djangotoolbox.fields.ListField. """
widget = ListWidget
def clean(self, value):
return [v.strip() for v in value.split(',') if len(v.strip()) > 0]
But if you want to have a multiple selection from a list of models normally you'd have to use ModelMultipleChoiceField, which is also not functional in django-nonrel. Here's what I've done to emulate a M2M relationship using a MultipleSelectField:
Let's say you have a M2M relationship between 2 classes, SomeClass and AnotherClass respectively. You want to select the relationship on the form for SomeClass. Also I assume you want to hold the references as a ListField in SomeClass. (Naturally you want to create M2M relationships as they're explained here, to prevent exploding indexes if you're working on App Engine).
So you have your models like:
class SomeClass(models.Model):
another_class_ids = ListField(models.PositiveIntegerField(), null=True, blank=True)
#fields go here
class AnotherClass(models.Model):
#fields go here
And in your form:
class SomeClassForm(forms.ModelForm):
#Empty field, will be populated after form is initialized
#Otherwise selection list is not refreshed after new entities are created.
another_class = forms.MultipleChoiceField(required=False)
def __init__(self, *args, **kwargs):
super(SomeClassForm,self).__init__(*args, **kwargs)
self.fields['another_class'].choices = [(item.pk,item) for item in AnotherClass.objects.all()]
if self.instance.pk: #If class is saved, highlight the instances that are related
self.fields['another_class'].initial = self.instance.another_class_ids
def save(self, *args, **kwargs):
self.instance.another_class_ids = self.cleaned_data['another_class']
return super(SomeClassForm, self).save()
class Meta:
model = SomeClass
Hopefully this should get you going for the start, I implemented this functionality for normal forms, adjust it for admin panel shouldn't be that hard.
This could be unrelated but for the admin interface, be sure you have djangotoolbox listed after django.contrib.admin in the settings.. INSTALLED_APPS
You could avoid a custom form class for such usage by inquiring for the model object
class ModelListField(ListField):
def __init__(self, embedded_model=None, *args, **kwargs):
super(ModelListField, self).__init__(*args, **kwargs)
self._model = embedded_model.embedded_model
def formfield(self, **kwargs):
return FormListField(model=self._model, **kwargs)
class ListFieldWidget(SelectMultiple):
pass
class FormListField(MultipleChoiceField):
widget = ListFieldWidget
def __init__(self, model=None, *args, **kwargs):
self._model = model
super(FormListField, self).__init__(*args, **kwargs)
self.widget.choices = [(unicode(i.pk), i) for i in self._model.objects.all()]
def to_python(self, value):
return [self._model.objects.get(pk=key) for key in value]
def clean(self, value):
return value

How to do custom display and auto-select in django admin multi-select field?

I'm new to django, so please feel free to tell me if I'm doing this incorrectly. I am trying to create a django ordering system. My order model:
class Order(models.Model):
ordered_by = models.ForeignKey(User, limit_choices_to = {'groups__name': "Managers", 'is_active': 1})
in my admin ANY user can enter an order, but ordered_by must be someone in the group "managers" (this is the behavior I want).
Now, if the logged in user happens to be a manager I want it to automatically fill in the field with that logged in user. I have accomplished this by:
class OrderAdmin(admin.ModelAdmin):
def formfield_for_foreignkey(self, db_field, request, **kwargs):
if db_field.name == "ordered_by":
if request.user in User.objects.filter(groups__name='Managers', is_active=1):
kwargs["initial"] = request.user.id
kwargs["empty_label"] = "-------------"
return db_field.formfield(**kwargs)
return super(OrderAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs)
This also works, but the admin puts the username as the display for the select box by default. It would be nice to have the user's real name listed. I was able to do it with this:
class UserModelMultipleChoiceField(forms.ModelMultipleChoiceField):
def label_from_instance(self, obj):
return obj.first_name + " " + obj.last_name
class OrderForm(forms.ModelForm):
ordered_by = UserModelChoiceField(queryset=User.objects.all().filter(groups__name='Managers', is_active=1))
class OrderAdmin(admin.ModelAdmin):
form = OrderForm
My problem: I can't to both of these. If I put in the formfield_for_foreignkey function and add form = OrderForm to use my custom "UserModelChoiceField", it puts the nice name display but it won't select the currently logged in user. I'm new to this, but my guess is that when I use UserModelChoiceField it "erases" the info passed in via formfield_for_foreignkey. Do I need to use the super() function somehow to pass on this info? or something completely different?
Eliminate the ModelChoiceField/ModelMultipleChoiceField subclass completely and work off the formfield_for_foreignkey method. The request argument isn't available in the subclass, and so you can't get the current user.
Then use label_from_instance method inside formfield_for_foreignkey. You can write this yourself, but a robust Django snippet is available at http://djangosnippets.org/snippets/1642/. Just subclass the class from that snippet. You can put it in a different file and import it, or just write it above the OrderAdmin class as OrderAdmin(NiceUserModelAdmin).
Lastly, rewrite the formfield_for_foreignkey method to take the kwargs["initial"] = request.user.id outside the if statement. I don't think that's necessary and I too had trouble making it work that way.
# admin.py
from django.contrib import admin
from django.contrib.auth.models import User
from (...) import Order
class NiceUserModelAdmin(admin.ModelAdmin):
# ...
class OrderAdmin(NiceUserModelAdmin):
# ...
def formfield_for_foreignkey(self, db_field, request, **kwargs):
kwargs["initial"] = request.user.id
if db_field.name == "ordered_by":
kwargs["empty_label"] = "-------------"
return db_field.formfield(**kwargs)
return super(OrderAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs)

Resources