堆栈内存溢出
  简体   繁体   English

当您从 Django 管理员 class 中排除字段时,这是否也会阻止在 POST 中设置该字段?

[英]When you exclude a field from a Django admin class, does that also prevent the field being set in a POST?

 原文  2019-10-08 08:41:30       python/ django/ django-admin

问题描述

Say I have a model admin:假设我有一个 model 管理员:

class Customer(Model):
    name = CharField(max_length=255)
    secret = CharField(max_length=255, blank=True)


@register(Customer)
class CustomerAdmin(ModelAdmin):
    list_display = ['name']
    exclude = ['secret']

The secret field is not going to appear in the admin. secret字段不会出现在管理员中。 But if I programmatically create a POST with the secret field in, will Django prevent it from being set on the model?但是,如果我以编程方式创建一个包含secret字段的POST ,Django 会阻止它在 model 上设置吗? So is there any security risk in having an admin class for a model which has excluded fields that should not be written to from a web client?那么对于 model 的管理员 class 是否存在任何安全风险,其中排除了不应从 web 客户端写入的字段?

1 个解决方案

解决方案1
 0 已采纳  2021-03-25 13:30:25

Answer is that this should be fine and using exclude should be enough to prevent the field being set by a malicious POST.答案是这应该没问题,并且使用exclude应该足以防止该字段被恶意 POST 设置。

The reason lies in construct_instance() (django 3.2) , which is used to populate a new or existing instance (the instance argument) with data from the POST (in the fields argument):原因在于construct_instance() (django 3.2) ,它用于使用来自 POST 的数据(在fields参数中)填充新的或现有的实例( instance参数):

def construct_instance(form, instance, fields=None, exclude=None):
    ...
    for f in opts.fields:
        ...
        if exclude and f.name in exclude:
            continue
        ...
        else:
            f.save_form_data(instance, cleaned_data[f.name])

Which gets called as:这被称为:

class BaseModelForm(BaseForm):
    ...
    def _post_clean(self):
        opts = self._meta
        ...
        try:
            self.instance = construct_instance(self, self.instance, opts.fields, opts.exclude)
        except ValidationError as e:
            ...

And the exclude is populated by the django.contrib.admin.options.ModelAdmin :并且excludedjango.contrib.admin.options.ModelAdmin填充:

class ModelAdmin(BaseModelAdmin):
    ...
    def get_exclude(self, request, obj=None):
        return self.exclude

    ...

    def get_form(self, request, obj=None, change=False, **kwargs):
        ...
        excluded = self.get_exclude(request, obj)
        exclude = [] if excluded is None else list(excluded)
        ...
        defaults = {
            ...
            'exclude': exclude,
            ...
        }
        ...
        try:
            return modelform_factory(self.model, **defaults)
        except FieldError as e:
            ...

And modelform_factory just passes that through to the form's options.modelform_factory只是将其传递给表单的选项。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 从管理表单中的 Django 验证中排除字段 - Exclude field from Django validation in admin form 管理员Django字段排除下拉列表 - admin django field exclude dropdown 一旦将字段转换为 Django 中的属性,如何防止字段从模型中“删除”? - How to prevent a field from being "removed" from the model once you turn it into a property in Django? Django admin:仅在更改表单中排除字段 - Django admin: exclude field on change form only 将admin用户名设置为Django admin的输入字段 - Set admin username to input field at Django admin Django admin-在输入另一个字段时设置一个字段 - Django admin - set a field when another one is entered Django admin:继承基础 class 字段,以便在保存时设置模型的字段 - Django admin: inherit base class field such that it is used to set the model's field on save 在创建 model (django) 时,您可以使用 function 设置字段吗 - can you use a function to set a field when creating a model (django) 仅使用一个字段时,不显示Django表单 - Django form does not display when only one field is being used 如果值为无,Django 管理员更改视图排除字段 - Django admin change view exclude field if value is None
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM