no bogus post request can be made now in addmentor page.
--- a/taskapp/forms/task.py Sun Feb 28 18:31:10 2010 +0530
+++ b/taskapp/forms/task.py Sun Feb 28 19:31:41 2010 +0530
@@ -12,7 +12,7 @@
class myform(forms.Form):
mentor = forms.ChoiceField(choices=choices, required=True)
- form = myform(instance=instance) if instance else myform()
+ form = myform(instance) if instance else myform()
return form
class ClaimTaskForm(forms.ModelForm):
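Review bot: `myform(instance) if instance else myform()` tests truthiness, so if a caller passes `request.POST` and the POST carries no fields (an empty `QueryDict` is falsy), the form comes back unbound and renders without the "required" error for `mentor`. Compare against `None` instead: `form = myform(instance) if instance is not None else myform()`. The same line is added to `ChoiceForm` in the next hunk. The value is passed as the first positional argument of a plain `forms.Form`, which is the bound data, so a comment such as `# instance: submitted data (e.g. request.POST), not a model instance` would prevent confusion with `ModelForm`. The enclosing function starts outside the hunk.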
@@ -20,12 +20,12 @@
model = Claim
fields = ['message']
-def ChoiceForm(choices):
+def ChoiceForm(choices, instance=None):
""" return a form object with appropriate choices """
class myform(forms.Form):
choice = forms.ChoiceField(choices=choices, required=True)
- form = myform()
+ form = myform(instance) if instance else myform()
return form
def AddTaskForm(task_choices, is_plain=False):
--- a/taskapp/views/task.py Sun Feb 28 18:31:10 2010 +0530
+++ b/taskapp/views/task.py Sun Feb 28 19:31:41 2010 +0530
@@ -1,6 +1,6 @@
from datetime import datetime
-from django.http import HttpResponse
+from django.http import HttpResponse, Http404
from django.shortcuts import render_to_response, redirect
from pytask.taskapp.models import User, Task, Comment, Claim, Credit, Request
@@ -177,18 +177,30 @@
for req in user_pending_requests:
user_list.remove(req.sent_to.all()[0])
- non_mentors = ((_.id,_.username) for _ in user_list)
+ non_mentors = ((_.id, _.username) for _ in user_list)
+ non_mentor_ids = [ str(a_user.id) for a_user in user_list ]
## code till must be made elegant and not brute force like above
form = AddMentorForm(non_mentors)
+
+ context = {
+ 'user':user,
+ 'pending_requests':pending_requests,
+ 'form':form,
+ }
+
if request.method == "POST":
- uid = request.POST['mentor']
- new_mentor = User.objects.get(id=uid)
- reqMentor(task, new_mentor, user)
- return redirect(task_url)
+ data = request.POST
+ uid = data.get('mentor', None)
+ if uid in non_mentor_ids:
+ new_mentor = User.objects.get(id=int(uid))
+ reqMentor(task, new_mentor, user)
+ return redirect('/task/addmentor/tid=%s'%task.id)
+ else:
+ ## bogus post request
+ raise Http404
else:
- return render_to_response('task/addmentor.html', {'user':user,'pending_requests':pending_requests,'form':form, 'errors':errors})
-
+ return render_to_response('task/addmentor.html', context)
else:
return show_msg(user, 'You are not authorised to add mentors for this task', task_url, 'view the task')
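Review bot: The `context` dict built before the POST branch has no `task` key, yet the template change in this same commit renders `{{task.id}}` in the new return link, so with a plain `render_to_response` the link will come out as `/task/view/tid=` with an empty id; add `'task': task,` to `context`. The old `'errors': errors` entry is dropped as well, so confirm the template no longer reads it. The allowlist test `uid in non_mentor_ids` is a sound server-side check, but it duplicates what the `ChoiceField` already validates. The forms change in this commit appears to allow `AddMentorForm(non_mentors, request.POST)` followed by `form.is_valid()`, which would keep a single source of truth and re-render with an error instead of raising `Http404`. The view function starts and ends outside the hunk.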
--- a/templates/task/addmentor.html Sun Feb 28 18:31:10 2010 +0530
+++ b/templates/task/addmentor.html Sun Feb 28 19:31:41 2010 +0530
@@ -1,5 +1,6 @@
{% extends 'base.html' %}
{% block content %}
+ <a href="/task/view/tid={{task.id}}">Click here</a> to return to the task.
<form action="" method="post">
{{form.as_table}}
<input type="submit" value="submit">
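Review bot: This form posts a state-changing request, and the lines visible in the hunk carry no CSRF token. The allowlist added in the view only checks that the submitted id is a valid candidate, not that the logged-in user meant to send the request. On Django 1.2 or later, add `{% csrf_token %}` directly after the `<form action="" method="post">` tag and render the page with a `RequestContext`; on an older release, confirm that the CSRF middleware is enabled. The `<form>` element closes outside the hunk.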