Django: How to set a hidden field on a generic create view?

Question

I\'m running Django 1.6.x

To extend my user I\'ve added another model storing the data:

class UserProfile (models.Model):
    user = models.ForeignK         


        

Answer 1

class UserProfileCreateView(CreateView):
    def form_valid(self, form):
         self.object = form.save(commit=False)
         self.object.user = self.request.user
         self.object.save()
         return super(ModelFormMixin, self).form_valid(form)

Answer 2

You can do it that way:

• get user from request object.
• overwrite form_valid method on your UserProfileCreateView class,
• attach user to form instance and save it.

class UserProfileCreateView(CreateView):
    model = UserProfile
    fields = ['height']

     def form_valid(self, form):
         user = self.request.user
         form.instance.user = user
         return super(UserProfileCreateView, self).form_valid(form)

This code is for Python 2.7.x

Answer 3

To avoid gottcha's like must be a “User” instance error you would want to try this.

 def form_valid(self, form):
        owner = self.request.user
        print("Bot owner1", owner)
        tenant = get_object_or_404(Tenant, user=owner)
        print("Bot owner2 ", tenant)
        form.instance.tenant = tenant

    return super().form_valid(form)

Turned out that

print("Bot owner1", owner)

and

print("Bot owner2 ", tenant)

have different results.

Any other approach besides the form_valid method could pose a security risk. i.e I could edit the initial value by inspecting element on your browser and put my new value. If your code does not validate my entry Bang!!!Bang!! you're hacked.