Home/ Questions/Q 9078211
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T19:33:48+00:00

I have a Django app where users submit orders for payment. Clearly, security is

  • 0

I have a Django app where users submit orders for payment. Clearly, security is important. I want to minimise the amount of code that I have to write, to avoid introducing any security holes, and ease maintenance.

The model is simple:

class Order(models.Model):
    user = models.ForeignKey(User)
    created = models.DateTimeField()
    paid = models.DateTimeField(null=True, blank=True)
    items = models.ManyToManyField(Item)

I’m using a CreateView to create instances of Order:

class OrderView(CreateView):
    model = Order
    form_class = OrderForm

I want to enforce values for certain fields in those instances. For example, I want the instance user field set to the current logged-in user. I don’t want any possibility that the user can change the value of this field, so I don’t want it to appear in the form at all. Therefore I use a custom ModelForm to remove these fields from the form:

class OrderForm(forms.ModelForm):
    class Meta:
        model = Order
        # For security, we control exactly which fields are placed
        # in the form, rather than excluding some:
        fields = ('items',)

Now I want the newly created Order instances to have the user field set to the current logged-in user. I can’t find any documentation about what is the best way to do this.

(A) I can override the form’s save() method to modify the object before saving, but it feels like this code doesn’t belong in the form, which doesn’t know anything about the user field. I also don’t have access to the request here, which I’d need to determine the current user. But it might look like this:

class OrderForm(forms.ModelForm):
    def save(self, commit=True):
        instance = super(OrderForm, self).save(commit=False)
        instance.user = get_request_magic().user
        if commit:
            instance.save()
        return instance

(B) I can override the view’s form_valid method to save the object with commit=False, like a class-based version of this question. But I can’t call the superclass method directly, because it saves the object with no way to disable commit, so I have to manually skip a generation of form_valid which is nasty. Apart from that complaint, this does look like the best way I’ve found so far:

class OrderView(CreateView):
    def form_valid(self, form):
        self.object = form.save(commit=False)
        self.object.user = self.request.user
        self.object.save()
        return super(ModelFormMixin, self).form_valid(form)

(C) I could write a replacement for CreateView that adds a hook to allow objects to be changed before saving them. But that feels like more boilerplate and duplication.

(D) I can’t provide an initial value, because there’s no form field to put it in, so it will be ignored.

Any other ideas? If (B) the best option, is there any way around the hacky way of manually specifying which superclass’ form_valid method I want to call?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Django user Charettes answered the question for me:

    You can achieve this by overriding form_valid:

    class OrderCreateViewMixin(CreateView):
    def form_valid(self, form):
        form.instance.user = request.user
        return super(OrderCreateViewMixin, self).form_valid(form)

    Which pointed me towards the right part of the documentation:

    class AuthorCreate(CreateView):
    form_class = AuthorForm
    model = Author

    def form_valid(self, form):
        form.instance.created_by = self.request.user
        return super(AuthorCreate, self).form_valid(form)

    This is definitely the simplest and cleanest answer I’ve found so far. It doesn’t require modifying the form in any way, although it does directly access its instance member which is a bit ugly. However, at least it’s officially documented, so it’s unlikely to break.

    • 0