[1.0.X] Fixed #10643: fixed the formtools security hash to handle allowed empty forms or forms without changed data. Backport of [10753] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@10755 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jacob Kaplan-Moss 2009-05-12 22:03:32 +00:00
parent 08577ab0f1
commit cc96ed9ecd
2 changed files with 28 additions and 7 deletions

View File

@ -110,15 +110,30 @@ class SecurityHashTests(unittest.TestCase):
leading/trailing whitespace so as to be friendly to broken browsers that leading/trailing whitespace so as to be friendly to broken browsers that
submit it (usually in textareas). submit it (usually in textareas).
""" """
class TestForm(forms.Form): f1 = HashTestForm({'name': 'joe', 'bio': 'Nothing notable.'})
name = forms.CharField() f2 = HashTestForm({'name': ' joe', 'bio': 'Nothing notable. '})
bio = forms.CharField()
f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
f2 = TestForm({'name': ' joe', 'bio': 'Nothing notable. '})
hash1 = utils.security_hash(None, f1) hash1 = utils.security_hash(None, f1)
hash2 = utils.security_hash(None, f2) hash2 = utils.security_hash(None, f2)
self.assertEqual(hash1, hash2) self.assertEqual(hash1, hash2)
def test_empty_permitted(self):
"""
Regression test for #10643: the security hash should allow forms with
empty_permitted = True, or forms where data has not changed.
"""
f1 = HashTestBlankForm({})
f2 = HashTestForm({}, empty_permitted=True)
hash1 = utils.security_hash(None, f1)
hash2 = utils.security_hash(None, f2)
self.assertEqual(hash1, hash2)
class HashTestForm(forms.Form):
name = forms.CharField()
bio = forms.CharField()
class HashTestBlankForm(forms.Form):
name = forms.CharField(required=False)
bio = forms.CharField(required=False)
# #
# FormWizard tests # FormWizard tests

View File

@ -18,10 +18,16 @@ def security_hash(request, form, *args):
data = [] data = []
for bf in form: for bf in form:
value = bf.field.clean(bf.data) or '' # Get the value from the form data. If the form allows empty or hasn't
# changed then don't call clean() to avoid trigger validation errors.
if form.empty_permitted and not form.has_changed():
value = bf.data or ''
else:
value = bf.field.clean(bf.data) or ''
if isinstance(value, basestring): if isinstance(value, basestring):
value = value.strip() value = value.strip()
data.append((bf.name, value)) data.append((bf.name, value))
data.extend(args) data.extend(args)
data.append(settings.SECRET_KEY) data.append(settings.SECRET_KEY)