
Django template rendering changed username on invalid edit profile form

I have a view where it is possible to change the user's name and username. The name field has custom validators. If the validators fail, the form is not saved. It even works.

The only problem is that I render the username in my base.html template with this code

Login as {{ user.username }}

and the username is rendered changed even when the form fails and the user's username in the database is not changed.

When I go to another URL, the username is correct (it is the unchanged value).

Can you help me with that? It feels like a bug and not a mistake in my code.

Code of my edit_profile view:

from django.shortcuts import redirect, render

from .forms import EditProfileForm  # the ModelForm for the user model (assumed import path)


def edit_profile(request):

    if request.method == 'POST':
        # Bound directly to request.user: fields that validate are written onto
        # request.user even if the form as a whole is invalid.
        form = EditProfileForm(request.POST, instance=request.user)

        if form.is_valid():
            form.save()
            return redirect('profile')
        else:
            return render(request, 'accounts/edit_profile.html', {'form': form})

    form = EditProfileForm(instance=request.user)
    return render(request, 'accounts/edit_profile.html', {'form': form})

I would say this functionality is by design in Django. The form is modifying the request.user object directly, so it will be modified by the POST data before being rendered.

An alternate solution would be to retrieve a separate copy of the user object, and not modify the request.user object directly. Then the "live" user object is only modified after the object has been validated and stored to the DB (i.e. after the next request).

It would probably also be safer, as it could potentially have side effects in other parts of the rendering. For example, if somewhere in your code you checked the user name against a role table, the user could potentially (temporarily, for the scope of the rendering) elevate his/her privileges by renaming himself to "admin".
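As an added example (not the asker's or the answerer's code), a Django-free simulation of the mechanism behind the observed behaviour and of the answer's fix: Django's BaseModelForm._post_clean() calls construct_instance(), which writes every field that did validate onto form.instance even when another field (here the custom-validated name) failed, so binding request.user shows the new username for the rest of that request. The User class, DB table, validator and EditProfileFormSim are constructed stand-ins, not Django's own classes.

```python
import copy

class User:  # constructed stand-in for the Django user model
    def __init__(self, pk, username, name):
        self.pk, self.username, self.name = pk, username, name

# Constructed users table; fetch_user() returns a fresh object per call, as the
# ORM's User.objects.get(pk=...) does.
DB = {1: User(1, "alice", "Alice")}

def fetch_user(pk):
    return copy.copy(DB[pk])

def name_validator(value):  # constructed validator for `name`: no digits
    return not any(ch.isdigit() for ch in value)

class EditProfileFormSim:
    """Mirrors ModelForm binding: is_valid() copies each field that validated
    onto `instance` (construct_instance() in _post_clean), even if another failed."""
    fields = ("username", "name")
    def __init__(self, data, instance):
        self.data, self.instance, self.errors = data, instance, {}
    def is_valid(self):
        cleaned = {}
        for f in self.fields:
            value = self.data.get(f, "")
            if f == "name" and not name_validator(value):
                self.errors[f] = "invalid name"
            else:
                cleaned[f] = value
        for f, value in cleaned.items():  # the construct_instance() step
            setattr(self.instance, f, value)
        return not self.errors
    def save(self):
        DB[self.instance.pk] = copy.copy(self.instance)

def edit_profile_original(request_user, post):
    """Asker's pattern: bind the live request.user; return what
    {{ user.username }} renders for this request."""
    form = EditProfileFormSim(post, instance=request_user)
    if form.is_valid():
        form.save()
    return request_user.username

def edit_profile_fixed(request_user, post):
    """Answer's pattern: bind a fresh copy; request.user changes only once the
    row is saved and re-read on the next request."""
    form = EditProfileFormSim(post, instance=fetch_user(request_user.pk))
    if form.is_valid():
        form.save()
    return request_user.username
```

With an invalid name and a changed username, the original pattern renders the new username while the row is untouched; the fixed pattern renders the stored value, and a valid POST still reaches the table.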
