Handling Disabled & Readonly Fields

[pawl]

Currently, if you create a field with {{ form.myfield(readonly=true) }} or {{ form.myfield(disabled=true) }} you still need to do this to prevent the disabled/readonly fields from getting saved:

def edit_team():
    form = TeamForm(request.POST, obj=team)
    del form.myfield
    if request.POST and form.validate():
        form.populate_obj(team)
        return redirect('/teams')
    return render('edit_team.html')

Would it cause any problems if WTForms deleted disabled/readonly fields from the form by default (to improve security)?

[crast]

This is intentional

Read my post here: http://stackoverflow.com/a/16576294/244393
(also links etc)

[cancan101]

I read the SO post and the link about read only fields but I still don't get why this can't be done using a flag on the field. I am looking at the code here:

wtforms/src/wtforms/form.py

Lines 79 to 80 in 3d5af96

	for name, field in iteritems(self._fields):
	field.populate_obj(obj, name)

and it seems like there should be some way for the field to skip over setting the value on the object (regardless of whatever is received from the browser).

[augnustin]

👍 with @cancan101 comment:

why not adding a:

email = StringField('Email', [validators.required()], protected=True)

that would make sure email can't be populated when calling populate_obj?