[DJ07] Do not set fields to '__all__' on ModelForm, use fields instead
Rocio Aramberri edited this page Jun 13, 2021 · 4 revisions
When using a ModelForm it is possible to set fields to the special value '__all__' to indicate that all the Model fields should be included on the form.
Even though it is practical, it is not recommended due to security concerns: any new field that is added to the model will be automatically exposed for modification through the form.
Instead, you should explicitly specify each of the fields that you want to be included on the ModelForm.
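
from django.forms import ModelForm

# Not recommended: every field on Post, including any added later, is editable.
class PostForm(ModelForm):
    class Meta:
        model = Post
        fields = '__all__'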

from django.forms import ModelForm

# Recommended: only the listed fields are editable through the form.
class PostForm(ModelForm):
    class Meta:
        model = Post
        fields = ['title', 'content']

https://docs.djangoproject.com/en/3.0/topics/forms/modelforms/#selecting-the-fields-to-use
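
A minimal static check for this pattern, written with Python's ast module so it can run in CI without importing Django. This is an added example, not flake8-django's own implementation; it assumes the form names ModelForm directly as a base class, and SAMPLE is constructed input.

```python
import ast

# Constructed sample source: one form exposing every field, one with an explicit list.
SAMPLE = '''
from django import forms
from django.forms import ModelForm

class PostForm(ModelForm):
    class Meta:
        model = Post
        fields = '__all__'

class CommentForm(forms.ModelForm):
    class Meta:
        model = Comment
        fields = ['body']
'''


def _is_model_form(cls: ast.ClassDef) -> bool:
    """True if a base is spelled ModelForm or <module>.ModelForm (assumption:
    indirect subclasses are not resolved, since that needs type information)."""
    for base in cls.bases:
        name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
        if name == "ModelForm":
            return True
    return False


def find_all_fields(source: str) -> list[tuple[str, int]]:
    """Return (form class name, line number) for each Meta.fields = '__all__'."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not (isinstance(cls, ast.ClassDef) and _is_model_form(cls)):
            continue
        for meta in cls.body:
            if not (isinstance(meta, ast.ClassDef) and meta.name == "Meta"):
                continue
            for stmt in meta.body:
                if (isinstance(stmt, ast.Assign)
                        and any(isinstance(t, ast.Name) and t.id == "fields"
                                for t in stmt.targets)
                        and isinstance(stmt.value, ast.Constant)
                        and stmt.value.value == "__all__"):
                    findings.append((cls.name, stmt.lineno))
    return findings
```

Calling find_all_fields(SAMPLE) reports PostForm only; CommentForm passes because its fields are listed explicitly.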