How to get user from change_view and add_view to validation - django

I'm trying to use validation with the request.user object to restrict updates to some rows for specific users within the django admin site. I get the impression I need to override the ModelAdmin change_view method to pass the request object to the form. I've looked at the change_view method in django.contrib.admin.options, but as someone very new to django, am having trouble understanding where in the change_view method I need to make these modifications. Any pointers in the right direction would be great.
class IssuesAdmin(admin.ModelAdmin):
def change_view(self, request, object_id, extra_context=None):
#modify lines to pass request to form
form = IssuesAdminForm
class IssuesAdminForm(forms.ModelForm):
class Meta:
model = Issues
def __init__(self, *args, **kwargs):
self.request = kwargs.pop('request', None)
super(IssuesAdminForm, self).__init__(*args, **kwargs)
def clean_product(self):
if self.request.user.name=='someone'
return self.cleaned_data["product"]
else:
raise forms.ValidationError("Nope!")

class IssuesAdmin(admin.ModelAdmin):
def change_view(self, request, object_id, extra_context=None): #remember to edit also add_view()... etc
self.form.request = request
form = IssuesAdminForm
class IssuesAdminForm(forms.ModelForm):
class Meta:
model = Issues
def __init__(self, *args, **kwargs):
self.request = # do what you need ;)
super(IssuesAdminForm, self).__init__(*args, **kwargs)
def clean_product(self):
if self.request.user.name=='someone'
return self.cleaned_data["product"]
else:
raise forms.ValidationError("Nope!")

Related

How to pass an extra argument to django admin custom form?

As you know we can define a ModelForm and then replace add and change forms by setting form attribute in modelAdmin class. for example:
class FooAdminForm(django.forms.ModelForm):
class Meta:
model = Foo
def __init__(self, *args, **kwargs):
super(FooAdminForm, self).__init__(self, *args, **kwargs)
class FooAdmin(admin.ModelAdmin):
form = FooAdminForm
in a simple view we can initialize a form object and pass extra arguments to init function of the form. something like this:
def my_view(request):
form = FooAdminForm(p1='aaa', p2='bbb')
and then in the init function we can access these parameter.
self.p1 = kwargs.pop('p1')
self.p2 = kwargs.pop('p2')
but how can I pass arguments to modelAdmin form? I can only pass form class to modelAdmin form attribute, and I can't initialize it like in views.
I found a solution on stackoverflow here:
Use a form with a custom __init__ in Django Admin
but it adds a dynamic attribute to form object, which I think is a little hackish. Is there a better or formal way for doing this?
I was looking around for a solution to this, and found a kinda-elegant solution in Django's issue tracker:
def get_form(self, request, obj=None, **kwargs):
Form = super().get_form(request, obj=None, **kwargs)
return functools.partial(Form, user=request.user)
https://code.djangoproject.com/ticket/27240#comment:9
So if you're using a custom form, you can simply pass it to super().get_form() using kwargs
def get_form(self, request, obj=None, **kwargs):
kwargs['form'] = FooAdminForm
Form = super().get_form(request, obj=None, **kwargs)
return functools.partial(Form, user=request.user)
Because ModelAdmin.get_form does not quite behave the same as FormView.get_form, you need to be a bit sneaky:
https://docs.djangoproject.com/en/3.0/ref/contrib/admin/#django.contrib.admin.ModelAdmin.get_form
class FooAdmin(admin.ModelAdmin):
form = FooAdminForm
def get_form(self, request, obj=None, **kwargs):
form_class = super().get_form(request, obj, **kwargs)
class Form(form_class):
def __init__(self, *args, **kwargs):
kwargs.update(foo='bar')
super().__init__(self, *args, **kwargs)
return Form

django SetPasswordForm and AdminPasswordChangeForm

hi im trying to use the above forms - but i get
__init__() takes at least 2 arguments (1 given)
i get to the form that it should show but it never save me the new password
i also needed to change the:
def __init__(self, user, *args, **kwargs):
self.user = user
super(AdminPasswordChangeForm, self).__init__(*args, **kwargs)
to:
def __init__(self, *args, **kwargs):
super(AdminPasswordChangeForm, self).__init__(*args, **kwargs)
since it doesnt get a user arg.
any ideas why?
thx
============================ edit =============================================
class set(FormView):
model = User
form_class = AdminPasswordChangeForm
template_name = 'set.html'
def dispatch(self, request, *args, **kwargs):
return super(set, self).dispatch(request, *args, **kwargs)
def get_form_kwargs(self):
kwargs = super(set, self).get_form_kwargs()
kwargs['user_to_update'] = the user
return kwargs
the init:
def __init__(self, *args, **kwargs):
self.user = kwargs['user_to_update']
kwargs.pop('user_to_update')
super(AdminPasswordChangeForm, self).__init__(*args, **kwargs)
Use the existing form. Overide the view's get_form_kwargs method to pass the expected arguments to the form, instead of changing the __init__ method, which will break other things.
In order to save the password, you need to override the form_valid method and call form.save().
For create and update views, you don't always need to override form_valid, because the default behaviour is to save the form and redirect. For FormView, the default behaviour is simply to redirect, so you do have to override it to get it to do anything useful.
class SetPasswordView(FormView):
form_class = AdminPasswordChangeForm
template_name = 'set.html'
success_url = '/thanks/'
def get_form_kwargs(self):
kwargs = super(set, self).get_form_kwargs()
kwargs['user_to_update'] = the user
return kwargs
def form_valid(self, form):
form.save()
return super(SetPasswordView, self).form_valid(form)

FormView validation on fields not from form

I am writing a FormView which will add for example a comment on Person object.
I want to check if current user wrote a comment for this Person and if he did I'd like to raise Http404.
Question: What is the best place for this validation? I don't want to call validation in get_context_data and form_valid. Is dispatch method a good place for this logic?
Remember that form_valid will only be called when you POST the form so that won't work as GET requests will still render. You could therefore put it in the get method for the FormView which would prevent the view and template loading the initial form. The drawback is that people could technically still POST to that URL if they really wanted to.
As you mentioned, I would put it in the dispatch method. It is very early in the cycle of the FormView so you avoid unnecessary processing.
def dispatch(self, request, *args, **kwargs):
# I'm just guessing your Comment/Person models
user = self.request.user
try:
person = Person.objects.get(user=self.request.user)
except:
raise Http404("No user exists")
if Comment.objects.filter(content_object=person).exist():
raise Http404("Comment already exists")
return super(MyFormView, self).dispatch(request, *args, **kwargs)
EDIT This is a good link describing the various ways you can decorate your class based view to add permission and user checking
I wrote this mixin
class PermissionCheckMixin(object):
def __init__(self, perm=None, obj=None):
self.perm = perm
self.obj = obj
def dispatch(self, request, *args, **kwargs):
if request.user.is_anonymous():
if request.is_ajax():
return JSONResponseForbidden()
else:
return HttpResponseForbidden()
elif request.user.is_authenticated():
if self.perm:
if request.user.has_perm(self.perm, self.obj):
return super(PermissionCheckMixin, self).dispatch(request, *args, **kwargs)
else:
if request.is_ajax():
return JSONResponseForbidden()
else:
return HttpResponseForbidden()
else:
if request.is_ajax():
return JSONResponseForbidden()
else:
return HttpResponseForbidden()
And use it like this:
class TestFormView(PermissionCheckMixin, FormView):
...
You can easily adapt this mixin, somehow like this:
def __init__(self, pk):
self.person_pk = pk
def dispatch(self, request, *args, **kwargs):
if request.user.is_authenticated():
if request.user.pk == self.person_pk:
return HttpResponseNotFound()

Django - calling super in form __init__ starts form validation on "GET"

I have a ModelForm in my application in which I want to modify init function to add some customisation.
When init is commented out then the form works and validates properly. When I override init and go to url where the form is rendered it automatically says that "Field xyz is required"
Whats the cause of that problem?
class CreateListView(FormMixin, ListView):
def get_context_data(self, **kwargs):
self.object_list = self.get_queryset()
data = super(ListView, self).get_context_data()
data['object_list'] = self.get_queryset()
data['form'] = self.get_form(self.form_class)
return data
def post(self, request, *args, **kwargs):
form = self.form_class(request.POST)
if form.is_valid():
form = form.save()
return HttpResponseRedirect(form.get_absolute_url())
return self.form_invalid(self.get_context_data())
class ActionGroupForm(forms.ModelForm):
class Meta:
model = ActionGroup
def __init__(self, *args, **kwargs):
super(ActionGroupForm, self).__init__(args, kwargs)
You are missing *, **:
super(ActionGroupForm, self).__init__(*args, **kwargs)

django: how to access current request user in ModelForm?

In my implementation of ModelForm, I would like to perform different types of validation checks based on whether current user is superuser. How can I access the current request user?
If you're using Class Based Views (CBVs) then passing an extra argument in the form constructor (e.g. in get_forms_class) or in form_class will not work, as <form> object is not callable will be shown.
The solution for CBVs is to use get_form_kwargs(), e.g.:
views.py:
class MyUpdateView(UpdateView):
model = MyModel
form_class = MyForm
# Sending user object to the form, to verify which fields to display/remove (depending on group)
def get_form_kwargs(self):
kwargs = super(MyUpdateView, self).get_form_kwargs()
kwargs.update({'user': self.request.user})
return kwargs
forms.py:
class MyForm(forms.ModelForm):
def __init__(self, *args, **kwargs):
self.user = kwargs.pop('user') # To get request.user. Do not use kwargs.pop('user', None) due to potential security hole
super(MyForm, self).__init__(*args, **kwargs)
# If the user does not belong to a certain group, remove the field
if not self.user.groups.filter(name__iexact='mygroup').exists():
del self.fields['confidential']
you can pass the user object as an extra argument in the form constructor.
e.g.
f = MyForm(user=request.user)
and the constructor will look like:
class MyForm(forms.ModelForm):
def __init__(self, *args, **kwargs):
self.user = kwargs.pop('user',None)
super(MyForm, self).__init__(*args, **kwargs)
and then use user in the clean_XX forms as you wish
My small addition,
I had a requirement where one of the model choice fields of the form is dependent on the request.user, and it took a while to take my head around.
The idea is that
you need to have a __init__ method in the model form class,
and you access the request or other parameters from the arguments of the __init__ method,
then you need to call the super constructor to new up the form class
and then you set the queryset of the required field
code sample
class CsvUploadForm(forms.Form):
def __init__(self, *args, **kwargs):
user = kwargs.pop('user')
super(CsvUploadForm, self).__init__(*args, **kwargs)
self.fields['lists'].queryset = List.objects.filter(user=user)
lists = forms.ModelChoiceField(queryset=None, widget=forms.Select, required=True)
as you can see, the lists variable is dependent on the current user, which is available via request object, so we set the queryset of the field as null, and its assigned dynamically from the constructor later.
Take a look into the order of the statements in the above code
you can pass the user variable like this from the view file
form = CsvUploadForm(user=request.user)
or with other POST, FILE data like below
form = CsvUploadForm(request.POST, request.FILES, user=request.user)
You may reference the user object using the instance attribute within the instance it self.
Ex; self.instance.user
class StatusForm(ModelForm):
# def __init__(self, *args, **kwargs):
# self.user = kwargs.pop('user', None)
# super(StatusForm, self).__init__(*args, **kwargs)
class Meta:
model = Status
fields = [
'user',
'content',
'image'
]
def clean_content(self):
content = self.cleaned_data.get("content", None)
if len(content) > 240:
raise ValidationError(f"Hey {self.instance.user.username}, the content is too long")
return content
This worked for me, when I am not sending form in context explicitly in get_context_data:
views.py
class MyView(FormView):
model = MyModel
form_class = MyForm
def get_form_kwargs(self):
kwargs = super(MyView, self).get_form_kwargs()
kwargs.update({'user': self.request.user})
return kwargs
form.py
class MyForm(forms.ModelForm):
def __init__(self, *args, **kwargs):
self.user = kwargs.pop('user')
super(MyForm, self).__init__(*args, **kwargs)
if not self.user.groups.filter(name__iexact='t1_group').exists():
del self.fields['test_obj']
When sending form explicitly in get_context_data we can use and this is forms.Form :
views.py
class MyView(FormView):
model = MyModel
form_class = MyForm
def get_context_data(self, **kwargs):
context = super(MyView, self).get_context_data(**kwargs)
context['form'] = self.form_class(self.request.user)
return context
forms.py
class MyForm(forms.Form):
def __init__(self, user,*args, **kwargs):
super(MyForm, self).__init__(*args, **kwargs)
if not user.groups.filter(name__iexact='t1_group').exists():
del self.fields['test_obj']