A user with no email can't post a comment using Django's comments framework

Submitted by 人走茶凉 on 2019-12-19 09:49:18

Question


I have overridden the comments framework's form.html template with my own:

{% load comments i18n %}
<form action="{% comment_form_target %}" method="post">{% csrf_token %}
    <div><input type="hidden" name="next" value="{{ request.get_full_path }}" /></div>

    {% for field in form %}
        {% if field.is_hidden %}
            <div>{{ field }}</div>
        {% else %}
            {% if field.name != "name" and field.name != "url" and field.name != "email" %}
                {% if field.errors %}{{ field.errors }}{% endif %}
                <p
                    {% if field.errors %} class="error"{% endif %}
                    {% ifequal field.name "honeypot" %} style="display:none;"{% endifequal %}
                >
                    {{ field.label_tag }}<br />
                    {{ field }}
                </p>
            {% endif %}
        {% endif %}
    {% endfor %}

    <p class="submit">
        <input type="submit" name="post" class="submit-post" value="{% trans "Post" %}" />
    </p>
</form>

It pretty much only renders the needed hidden fields (for security) and the comment field. Every comment.user is automatically set to the currently logged-in user, request.user. Here is the rendered HTML:

<form action="/comments/post/" method="post"><div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='bd05094c2e3ba80e1fbec8a4237b132c' /></div>
    <div><input type="hidden" name="next" value="/doors/orders/1/" /></div>
    <div><input type="hidden" name="content_type" value="doors.order" id="id_content_type" /></div>
    <div><input type="hidden" name="object_pk" value="1" id="id_object_pk" /></div>
    <div><input type="hidden" name="timestamp" value="1333125894" id="id_timestamp" /></div>
    <div><input type="hidden" name="security_hash" value="c6791aafdd682cd8db5595681073c9a21c5fe7dd" id="id_security_hash" /></div>
    <p>
        <label for="id_comment">Comment</label><br />
        <textarea id="id_comment" rows="10" cols="40" name="comment"></textarea>
    </p>
    <p style="display:none;" >
        <label for="id_honeypot">If you enter anything in this field your comment will be treated as spam</label><br />
        <input type="text" name="honeypot" id="id_honeypot" />
    </p>
    <p class="submit">
        <input type="submit" name="post" class="submit-post" value="Post" />
    </p>
</form>

The problem is that I noticed that if the logged-in user doesn't have an email, then the comment goes to preview.html (which I haven't overridden). Here is the screenshot:

This is a security issue since it allows someone to change their name instead of using the logged-in user's name before posting (when I list the comments, I use comment.user.get_full_name instead of comment.name, so it's not an issue there, but it could still be confusing in, say, the admin page).

So my questions are:

  1. How do I allow users with no email to comment?
  2. How do I not allow the form to go to preview.html?
  3. Is my code and design so far good?

Answer 1:


Well, you can use the customization documentation to create a custom app that handles comments from comments framework. You should set COMMENTS_APP = 'my_comment_app' in your settings file and specify a get_form() method in your app's __init__.py which should return your custom form.

The custom form should be based on contrib.comments.forms.CommentForm and should look something like this:

from django.contrib.comments import forms as comment_forms

class CustomForm(comment_forms.CommentForm):
    def __init__(self, *args, **kwargs):
        super(CustomForm, self).__init__(*args, **kwargs)
        # Make email optional so a user without one passes validation
        self.fields["email"].required = False

preview.html is rendered because the form contains errors (email is required, but the user doesn't have it and so it's not populated). If there are no errors, the preview won't be shown.



Source: https://stackoverflow.com/questions/9947343/a-user-with-no-email-cant-post-a-comment-using-djangos-comments-framework
