Disabled field is considered for validation in WTForms and Flask


Problem description



I have some fields in the page disabled, for example (using the jinja2 templating system):

<html>
<body>
<form action="" method=POST>
    {{ form.name(disabled=True) }}
    {{ form.title }}
    -- submit button --
</form>
</body>
</html>

Field is disabled in the form as expected.

In my views.py: on doing validate_on_submit() on form submit, it fails with a validation error on the 'name' field, which is disabled. I was hoping that validation ignores disabled fields. Is it the right behaviour? If so, can you please let me know how to handle such a case?

Updated:

class TeamForm(wtf.Form):
    name = wtf.TextField("Team Name", validators=[validators.Required()])
    title = wtf.TextField("Title", validators=[validators.Required()])

Solution

This is actually an interesting problem, and the way WTForms solves it is intentionally something that requires explicitness, because it has to do with security and not allowing users to fake input.

So the intent is, that "managers" cannot edit the name, while "admins" can.

At first glance this seems obvious, just disable the field in HTML, and write your view like this:

def edit_team():
    form = TeamForm(request.POST, obj=team)
    if request.POST and form.validate():
        form.populate_obj(team) # <-- This is the dangerous part here
        return redirect('/teams')
    return render('edit_team.html')

As written, this is a major security risk, because the disabled property in HTML forms is client-side only. Anyone with an HTML inspector (i.e. FireBug, the webkit document inspector, etc.) can remove this property, or someone could simply make a request like so:

POST /edit_team/7 HTTP/1.0
Content-Type: application/x-urlencoded

team=EVILTEAMNAME&title=foo

The issue then is of course, how do we gate this properly on the server-side, corresponding to the appropriate way of doing this? The correct approach with WTForms is to not have the field in the first place. There are a few ways to do this; one is to use form composition and have e.g. ManagerTeamForm and AdminTeamForm (sometimes this is better), but other times it's easier to use del to remove specific fields.

So here's how you would write your view, and not have the validation issues:

def edit_team():
    form = TeamForm(request.POST, obj=team)
    if user.role == 'manager':
        del form.name
    if request.POST and form.validate():
        form.populate_obj(team)
        return redirect('/teams')
    return render('edit_team.html')

And a quick modification to the template:

<html>
<body>
<form action="" method=POST>
    {% if 'name' in form %}
        {{ form.name() }}
    {% else %}
        {{ team.name|e }}
    {% endif %}
    {{ form.title }}
    -- submit button --
</form>
</body>
</html>

Some pieces of reference for wtforms best-practices:
