Easy way to make all form fields read only?

Matthew Woodward

Oct 29, 2012, 8:04:15 PM
to django...@googlegroups.com
Semi-new to Django and working on my first "real" app, and I have a need based on the user's credentials to display forms as either editable or read-only. (Note this doesn't have anything to do with the Django admin in case that has any bearing on the discussion.)

Is there some fancy whiz-bang filter or middleware-type doo-dad (you can tell I'm still learning all the terminology) that would easily make all form fields read only?

I thought about using javascript (this is an internal app so we can mandate javascript be enabled) but before I went that route figured I'd ask if anyone has had to do this and how they approached it.

Personally I think it's weird to show someone a form they can't edit as opposed to just dumping them to a static display page, but wasn't my call.

Thanks!

--
Matthew Woodward
ma...@mattwoodward.com
http://blog.mattwoodward.com
identi.ca / Twitter: @mpwoodward

Please do not send me proprietary file formats such as Word, PowerPoint, etc. as attachments.
http://www.gnu.org/philosophy/no-word-attachments.html

Bill Freeman

Oct 30, 2012, 8:20:06 AM
to django...@googlegroups.com
On Mon, Oct 29, 2012 at 8:04 PM, Matthew Woodward <ma...@mattwoodward.com> wrote:
> Semi-new to Django and working on my first "real" app, and I have a need
> based on the user's credentials to display forms as either editable or
> read-only. (Note this doesn't have anything to do with the Django admin in
> case that has any bearing on the discussion.)
>
> Is there some fancy whiz-bang filter or middleware-type doo-dad (you can
> tell I'm still learning all the terminology) that would easily make all form
> fields read only?
>
> I thought about using javascript (this is an internal app so we can mandate
> javascript be enabled) but before I went that route figured I'd ask if
> anyone has had to do this and how they approached it.
>
> Personally I think it's weird to show someone a form they can't edit as
> opposed to just dumping them to a static display page, but wasn't my call.
>
> Thanks!
>
> --

You *might* be able to do this with a class that you add to the form tag
when you're read only, and CSS rules for the various types of inputs that
make them disabled when used as a descendant of something with that
class. You should still, of course, protect in the view against a disallowed
user submitting the form -- we all know that bad guys can use Firebug to
modify the DOM, right? Another protective hack would be to omit the
CSRF token when the form is read only.

Bill

Jirka Vejrazka

Oct 30, 2012, 10:00:29 AM
to django...@googlegroups.com
On the UI side, you can set the "readonly" property on form fields.
This will prevent the field from being edited in a browser (I think so
- done that only once on a small internal project).

However, be warned - if *some* of your users can edit and submit the
form, you should also introduce a server-side check testing if the user is
allowed to edit fields. Making form fields read only won't prevent
anyone from actually submitting changed data (as it's just a
client-side control which can be easily worked around).

HTH

Jirka

Matt Woodward

Oct 30, 2012, 11:07:19 AM
to django...@googlegroups.com
On Tuesday, October 30, 2012 1:36:19 AM UTC-7, elena wrote:
> How are you rendering the form? Are you using `forms.Form`?

We're using a ModelForm specifically.

> Do you mean "user's credentials" from `django.contrib.auth`?

Actually this is a custom user object -- users authenticate against Active Directory and we didn't yet look into tying that to contrib.auth.user. Probably will do that on another phase of this app on Django 1.5 since that'll be a bit more flexible for our needs.

Thanks.

Matt Woodward

Oct 30, 2012, 11:12:17 AM
to django...@googlegroups.com
On Tuesday, October 30, 2012 7:09:05 AM UTC-7, JirkaV wrote:
> On the UI side, you can set the "readonly" property on form fields.
> This will prevent the field from being edited in a browser (I think so
> - done that only once on a small internal project).

Thanks -- I probably should have elaborated a bit more to say what I'm looking for (that may not exist) is a way of not having to do a user check on every single field and set the readonly flag individually, particularly since (at least based on my knowledge thus far) that gets messy given that we're using ModelForm and trying to render the fields with a simple template tag as much as possible. I haven't looked into whether or not that could be conditionally added as an attribute in the ModelForm, but that was another thought that crossed my mind.

> However, be warned - if *some* of your users can edit and submit the
> form, you should also introduce a server-side check testing if the user is
> allowed to edit fields. Making form fields read only won't prevent
> anyone from actually submitting changed data (as it's just a
> client-side control which can be easily worked around).

Right, definitely will be doing this as well. Mostly the readonly state on the form is a visual/styling thing and also simply so there's no perception that people can edit things when they can't. Very good point to bring up though, and we'll definitely be checking again on the server side since as others have pointed out people can manipulate the DOM if they really want to wreak havoc. Thankfully this is an internal app which mitigates some of the danger, and certainly if this was a public app I would have fought a lot harder to not have a non-editable form be the way people view records.

Thanks!

Matt Woodward

Oct 30, 2012, 11:13:38 AM
to django...@googlegroups.com
On Tuesday, October 30, 2012 5:20:44 AM UTC-7, ke1g wrote:
> Another protective hack would be to omit the
> CSRF token when the form is read only.

Thanks -- interesting idea! Ultimate goal is for the user to be able to tell they can't edit the form via the fields being read only (which applies a different style via the CSS) but that's a really interesting additional piece to potentially throw into the mix.

Paul

Oct 31, 2012, 4:29:15 PM
to django...@googlegroups.com
I used to invest something similar; I wanted to build a read view next to an update view that looks identical except that read is obviously read-only. I used crispy-forms to do just that; recently an UneditableField (Layout) was added next to Field.
You do however either need to enumerate the model fields in a layout
Paul Bormans

Elena Williams

Oct 31, 2012, 11:39:10 PM
to django...@googlegroups.com
I was also going to suggest using crispy forms -- having used it on a recent project I'd strongly recommend it (it's great when it's plugged in to existing stylings such as: uni-form or bootstrap).

I've used it with ModelForm using Layout() and Field() and it works a treat.

---
Elena :)
@elequ

Amyth Arora

Nov 1, 2012, 7:32:51 AM
to django...@googlegroups.com
I would suggest adding a Boolean field to your UserProfile model, like `is_authorized = models.BooleanField(default=False)`,

and then in the templates do something like:

{% if user.is_authorized %}
<!-- Show the form here -->
{% else %}
<!-- Show the information here -->
{% endif %}


--
Thanks & Regards
----------------------------

Amyth [Admin - Techstricks]
Email - aroras....@gmail.com, ad...@techstricks.com
Twitter - @mytharora
http://techstricks.com/

Matt Woodward

Nov 1, 2012, 7:14:36 PM
to django...@googlegroups.com
On Wednesday, October 31, 2012 8:40:10 PM UTC-7, elena wrote:
> I was also going to suggest using crispy forms -- having used it on a recent project I'd strongly recommend it (it's great when it's plugged in to existing stylings such as: uni-form or bootstrap).
>
> I've used it with ModelForm using Layout() and Field() and it works a treat.

Awesome -- thanks for the recommendation. I'll check it out.

Matt Woodward

Nov 1, 2012, 7:16:09 PM
to django...@googlegroups.com
On Thursday, November 1, 2012 4:33:47 AM UTC-7, Amyth wrote:
> I would suggest adding a Boolean field to your UserProfile model, like `is_authorized = models.BooleanField(default=False)`

Cool -- thanks for the suggestion. As I've said I'm new to the Django world but this community rocks! :-) Really appreciate all the suggestions and tips I'm getting so far.