Handling Disabled & Readonly Fields

[pawl]

Currently, if you create a field with {{ form.myfield(readonly=true) }} or {{ form.myfield(disabled=true) }} you still need to do this to prevent the disabled/readonly fields from getting saved:

def edit_team():
    form = TeamForm(request.POST, obj=team)
    del form.myfield
    if request.POST and form.validate():
        form.populate_obj(team)
        return redirect('/teams')
    return render('edit_team.html')

Would it cause any problems if WTForms deleted disabled/readonly fields from the form by default (to improve security)?

[crast]

This is intentional

Read my post here: http://stackoverflow.com/a/16576294/244393
(also links etc)

[cancan101]

I read the SO post and the link about read only fields but I still don't get why this can't be done using a flag on the field. I am looking at the code here: https://github.com/wtforms/wtforms/blob/3d5af963f060add8e42a99bec880321e8d2b41b3/src/wtforms/form.py#L79-L80 and it seems like there should be some way for the field to skip over setting the value on the object (regardless of whatever is received from the browser).

[augnustin]

👍 with @cancan101 comment:

why not adding a:

email = StringField('Email', [validators.required()], protected=True)

that would make sure email can't be populated when calling populate_obj?