Django "fields" attribute of user forms (UserCreationForm and UserChangeForm)

According to Django docs:

It is strongly recommended that you explicitly set all fields that should be edited in the form using the fields attribute.

I have a custom user model, so I overrode UserCreationForm and UserChangeForm, but I'm not sure about the fields attribute of the Meta class. The admin site will be editing all fields of a user; so in UserChangeForm, do I have to include all fields in this attribute? Like this:

class Meta:
    model = User
    fields = (
        "email",
        "password",
        "is_active",
        "is_staff",
        "is_superuser",
        "date_joined",
        "last_login",
        "groups",
        "user_permissions",
        # maybe there are others that I'm missing?
    )

Or, in this case, is it safe to use the '__all__' shortcut?

The admin site uses UserChangeForm for editing user attributes (including permissions and so on); so these need to be included in the fields attribute. But does this mean using the UserChangeForm anywhere other than the admin site causes those security issues mentioned in the docs?



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
