As pointed out in this answer, Django 1.9 added the Field.disabled attribute:
The disabled boolean argument, when set to True, disables a form field using the disabled HTML attribute so that it won’t be editable by users. Even if a user tampers with the field’s value submitted to the server, it will be ignored in favor of the value from the form’s initial data.
With Django 1.8 and earlier, to disable entry on the widget and prevent malicious POST hacks you must scrub the input in addition to setting the readonly
attribute on the form field:
class ItemForm(ModelForm):
def __init__(self, *args, **kwargs):
super(ItemForm, self).__init__(*args, **kwargs)
instance = getattr(self, 'instance', None)
if instance and instance.pk:
self.fields['sku'].widget.attrs['readonly'] = True
def clean_sku(self):
instance = getattr(self, 'instance', None)
? if instance and instance.pk:
? ? return instance.sku
? else:
? ? return self.cleaned_data['sku']
Or, replace if instance and instance.pk
with another condition indicating you're editing. You could also set the attribute disabled
on the input field, instead of readonly
.
The clean_sku
function will ensure that the readonly
value won't be overridden by a POST
.
Otherwise, there is no built-in Django form field which will render a value while rejecting bound input data. If this is what you desire, you should instead create a separate ModelForm
that excludes the uneditable field(s), and just print them inside your template.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…