Django how to Secure my comment section?

I built a parent-child relationship comment section, where I am rendering sno (which is the parent id) as a hidden input field in my HTML. If a user inspects the HTML in his browser then he can see the parent id. Is there any way to encrypt this parent id in my HTML so the user can't see the parent id, or is there any way I can save the parent id in views without showing it in the HTML? Here is my code:

models.py

```python
from django.db import models


class BlogComment(models.Model):
    blog = models.ForeignKey(Blog, on_delete=models.CASCADE, null=True, blank=True,
                             related_name="blogcomment_blog")
    # Self-referencing FK: the comment this one is a reply to (None for a top-level comment)
    parent = models.ForeignKey('self', on_delete=models.CASCADE,
                               null=True, blank=True, related_name='children')
    sno = models.AutoField(primary_key=True)
    # ....my other fields
```

forms.py

```python
from django import forms
from captcha.fields import CaptchaField


class CommentFrom(forms.ModelForm):
    captcha = CaptchaField()

    class Meta:
        model = BlogComment
        fields = ['name', 'email', 'comment', 'parent']
```

views.py

```python
# ....my other code
if comment_form.is_valid():
    # 'instance' rather than 'isinstance', which shadows the Python builtin
    instance = comment_form.save(commit=False)
    instance.save()
# ....my other code
```

HTML

**This form is inside my for loop, where I add it below every reply.**

```html
<form method="POST">
    {% csrf_token %}
    <input type="text" name="name" required>
    <input type="hidden" name="parent" id="parent_id" value="{{ i.sno }}">
    <!-- I want to encrypt this, or prevent form submission if the user tries to change this value. -->
    <!-- .....other fields -->
</form>
```

Not in any meaningful way, no. It’s a form field, just like any other

In the view? No. Data saved between views is either in the database or in sessions.

It’s precisely this type of situation that illustrates why you never directly trust data coming from the browser.

As I understand the situation, the person is submitting a comment as a reply or response to a “parent” comment. Changing this value means that the comment they’re making would be applied as a response to a different parent comment.

That creates two possibilities:

  • They change it to a parent comment that they should be allowed to respond to.
  • They change it to a parent comment that they should not be allowed to respond to.

In the first condition, they would be able to respond to that original parent comment anyway, so are they actually doing anything “wrong” here?

In the second condition, the post handler should be detecting that that user is not allowed to respond to the identified parent, and so should reject the submittal.

1 Like

As you said here I have two options, and if I choose the second option, how do I use a post handler for detecting that the user is not allowed to change the parent id? What is a post handler?

> In the first condition, they would be able to respond to that original parent comment anyway, so are they actually doing anything “wrong” here?

Yes, I think they are doing wrong. I want to prevent form submission if they changed the parent value.

The phrase “post handler” is whatever code is processing the post request - it’s a generic name for your view, regardless of whether it’s a function-based view or class-based view. It’s not something special or different.

It can’t detect that something has been changed. All it can do is determine whether what is submitted is valid.

Now, having said that, you could do something like create a digital signature for the fixed contents on the page. As long as the user can’t figure out how that signature is created from that data, you would be able to detect changes.
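As an added example (not code from the thread or from Django itself), here is what the two ideas above look like together: the post handler's own authorization check that the submitted parent exists and belongs to the blog being commented on, plus a signed hidden value that makes tampering detectable. It is framework-independent so it runs stand-alone: `COMMENTS` is a constructed stand-in for the `BlogComment` table, `SECRET_KEY` stands in for `settings.SECRET_KEY`, and the HMAC helpers stand in for `django.core.signing.Signer`, which does the same job in a real view. `handle_post` mirrors what you would put in the view or in the form's `clean_parent()`.

```python
import hashlib
import hmac

# Constructed stand-in for the BlogComment table: sno -> owning blog id.
# In the real app this is a BlogComment.objects.filter(...) lookup.
COMMENTS = {
    1: {"blog": 10},
    2: {"blog": 10},
    3: {"blog": 11},
}

# Stand-in for settings.SECRET_KEY. Demo value only; never hard-code a real key.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def _mac(sno: int, blog_id: int) -> str:
    """HMAC over 'sno:blog' so a value minted for one post cannot be replayed on another."""
    return hmac.new(SECRET_KEY, f"{sno}:{blog_id}".encode(), hashlib.sha256).hexdigest()


def sign_parent(sno: int, blog_id: int) -> str:
    """Value to render in the hidden input instead of the bare sno: 'sno:blog:mac'."""
    return f"{sno}:{blog_id}:{_mac(sno, blog_id)}"


def verify_parent(token: str, blog_id: int):
    """Return the parent sno if the token is intact and bound to blog_id, otherwise None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    sno_s, blog_s, mac = parts
    try:
        sno, token_blog = int(sno_s), int(blog_s)
    except ValueError:
        return None
    if token_blog != blog_id:
        return None  # token was minted for a different blog post
    if not hmac.compare_digest(mac, _mac(sno, blog_id)):
        return None  # sno or blog was edited in the browser
    return sno


def parent_allowed(sno: int, blog_id: int, comments=COMMENTS) -> bool:
    """The check the post handler must always make, with or without a signature:
    the parent must exist and belong to the blog the user is commenting on."""
    row = comments.get(sno)
    return row is not None and row["blog"] == blog_id


def handle_post(post_data: dict, blog_id: int):
    """Mirror of the view / clean_parent(): returns (parent_sno, error).
    An empty 'parent' field means a top-level comment and is accepted."""
    token = post_data.get("parent", "")
    if token == "":
        return None, None
    sno = verify_parent(token, blog_id)
    if sno is None:
        return None, "parent field was tampered with or is malformed"
    if not parent_allowed(sno, blog_id):
        return None, "parent comment does not belong to this post"
    return sno, None


if __name__ == "__main__":
    good = sign_parent(1, 10)
    print(handle_post({"parent": good}, 10))                       # (1, None)
    print(handle_post({"parent": good.replace("1:10:", "2:10:", 1)}, 10))  # tampered
    print(handle_post({"parent": sign_parent(3, 10)}, 10))         # wrong blog
```

The signature only tells you the value left the server unchanged; the `parent_allowed` check is the part that actually enforces the rule, and it is what catches a valid-looking id that the user is not entitled to reply to. Rendering `sign_parent(i.sno, blog.pk)` in the template and calling `handle_post` in the view is all the wiring that is needed.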

KenWhitesell Understood, so there is no solution right now? If a user wants, he can inspect the HTML, then find and change the value of the parent id before form submission.

The user can always change anything in the browser. That’s why you never trust data submitted from the user without validating it.

1 Like

KenWhitesell Exactly. I want to validate this parent id. I am thinking of getting the parent id via POST data in my view, then comparing it to my original parent id, something like this:

views.py

```python
# my logic or query for getting the parent id
original_parent_id = "my original parent id"
# the hidden input is named "parent" in the form above
parent_id = request.POST.get('parent')
# ....my other code
if comment_form.is_valid():
    if original_parent_id == parent_id:  # only saving the form if both ids are the same
        comment_form.save()
```

What do you say? Any suggestions?

Doesn’t work that way, sorry. You have no way of saving original_parent_id in the view.

1 Like

KenWhitesell Yeah, so I think Django should work on this topic. What is your final opinion, if there is actually no way to prevent the user from changing this parent id from the browser? I need to show this parent id to the browser to maintain the parent-child relationship. It's okay to show the parent id to the browser, but I think it's not okay if we can't prevent the user from changing this parent id.

It’s not a Django issue. The fundamentals here have nothing to do with Django. It’s a basic property of all web transactions. You would encounter this issue if you were using Wordpress, LifeRay, Drupal, Flask, etc, etc, etc.

You have no control over what goes on in the browser. NONE. ZERO. The user always has the final say on what is submitted by the browser.

That’s why everyone makes it a point to emphasize:
You never trust data submitted from the user without validating it.

1 Like