
[DJ07] Do not set fields to '__all__' on ModelForm, use fields instead

Rocio Aramberri edited this page Jun 13, 2021 · 4 revisions

When using a ModelForm it is possible to set 'fields' to the special value '__all__', which tells Django to include every field of the Model on the form.

Even though it is practical, it is not recommended due to security concerns: any new field added to the model is automatically exposed for modification through the form.

Instead, you should explicitly specify each of the fields that you want to be included on the ModelForm.

Don't

from django.forms import ModelForm

from .models import Post  # assumed location of the Post model


class PostForm(ModelForm):
    class Meta:
        model = Post
        fields = '__all__'  # every model field, present and future, becomes editable

Do

from django.forms import ModelForm

from .models import Post  # assumed location of the Post model


class PostForm(ModelForm):
    class Meta:
        model = Post
        fields = ['title', 'content']  # only the fields users may edit
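
A minimal checker for this rule, written as an added example rather than taken from flake8-django's own code: it parses a module with the standard library's ast and reports every class with a ModelForm base whose inner Meta sets fields = '__all__'. The sample source it scans is constructed here; the base-class check is name-based, so a form that inherits from a ModelForm subclass under another name is not caught.

```python
import ast

# Constructed sample module: one form using '__all__' (flagged) and one
# listing its fields explicitly (not flagged).
SAMPLE_SOURCE = '''
from django.forms import ModelForm

class PostForm(ModelForm):
    class Meta:
        model = Post
        fields = '__all__'

class SafePostForm(ModelForm):
    class Meta:
        model = Post
        fields = ['title', 'content']
'''


def _is_model_form(cls):
    """True if any base is spelled ModelForm or <module>.ModelForm (name-based only)."""
    for base in cls.bases:
        name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
        if name == "ModelForm":
            return True
    return False


def _assigns_all(node):
    """True if node is `fields = '__all__'` (plain or annotated assignment)."""
    if isinstance(node, ast.Assign):
        targets, value = node.targets, node.value
    elif isinstance(node, ast.AnnAssign):
        targets, value = [node.target], node.value
    else:
        return False
    names = [t.id for t in targets if isinstance(t, ast.Name)]
    return "fields" in names and isinstance(value, ast.Constant) and value.value == "__all__"


def find_all_fields_forms(source):
    """Return (form class name, line number) for each ModelForm whose Meta uses '__all__'."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not (isinstance(cls, ast.ClassDef) and _is_model_form(cls)):
            continue
        for inner in cls.body:
            if isinstance(inner, ast.ClassDef) and inner.name == "Meta":
                findings.extend((cls.name, s.lineno) for s in inner.body if _assigns_all(s))
    return findings


if __name__ == "__main__":
    for name, lineno in find_all_fields_forms(SAMPLE_SOURCE):
        print(f"line {lineno}: DJ07 {name} sets fields = '__all__'")
```

Running it on the sample reports only PostForm; pointing it at your own forms.py gives a quick inventory of forms whose editable surface grows silently with every model change.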

Reference

https://docs.djangoproject.com/en/3.0/topics/forms/modelforms/#selecting-the-fields-to-use