Django Forms: Foreign Key in Hidden Field

Question

My form:

class PlanForm(forms.ModelForm):    
    owner = forms.ModelChoiceField(label=\"\",
                                  queryset=Profile.objects.all()         


        

Answer 1

Hmm...

This might actually be a security hole.

Suppose a malicious attacker crafted a POST (say, by using XmlHttpRequest from FireBug) and set the profile term to some wacky value, like, your profile ID. Probably not what you wanted?

If possible, you may want to get the profile from the request object itself, rather than what's being submitted from the POST values.

form = PlanForm(request.POST)
if form.is_valid():
    plan = form.save(commit=False)
    plan.owner = request.user.get_profile()
    plan.save()
    form.save_m2m() # if neccesary