no bogus post request can be made now in addmentor page.
authornishanth
Sun, 28 Feb 2010 19:31:41 +0530
changeset 151 d0cb85ba462a
parent 150 604808d27483
child 152 a65e1ef725dd
A bogus POST request can no longer be made on the addmentor page: the submitted mentor id is now checked against the list of users the page offered, and anything else is rejected.
taskapp/forms/task.py
taskapp/views/task.py
templates/task/addmentor.html
--- a/taskapp/forms/task.py	Sun Feb 28 18:31:10 2010 +0530
+++ b/taskapp/forms/task.py	Sun Feb 28 19:31:41 2010 +0530
@@ -12,7 +12,7 @@
     
     class myform(forms.Form):
         mentor = forms.ChoiceField(choices=choices, required=True)
-    form = myform(instance=instance) if instance else myform()
+    form = myform(instance) if instance else myform()
     return form
 
 class ClaimTaskForm(forms.ModelForm):
@@ -20,12 +20,12 @@
         model = Claim
         fields = ['message']
 
-def ChoiceForm(choices):
+def ChoiceForm(choices, instance=None):
     """ return a form object with appropriate choices """
     
     class myform(forms.Form):
         choice = forms.ChoiceField(choices=choices, required=True)
-    form = myform()
+    form = myform(instance) if instance else myform()
     return form
 
 def AddTaskForm(task_choices, is_plain=False):
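Review bot: The new `instance=None` parameter on ChoiceForm is handed positionally to a plain `forms.Form`, whose first argument is `data`, so it carries submitted request data, not a model instance; the name misleads, and the `if instance` truth-test also treats an empty QueryDict as "no data" and silently returns an unbound form. Rename and bind explicitly: `def ChoiceForm(choices, data=None):` and `form = myform(data=data)` — a Form constructed with `data=None` is unbound, so the conditional is unnecessary. The docstring should then say the optional second argument is submitted form data to validate against the given choices. The same rename applies to the sibling helper in the hunk above, which uses the identical pattern.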
--- a/taskapp/views/task.py	Sun Feb 28 18:31:10 2010 +0530
+++ b/taskapp/views/task.py	Sun Feb 28 19:31:41 2010 +0530
@@ -1,6 +1,6 @@
 from datetime import datetime
 
-from django.http import HttpResponse
+from django.http import HttpResponse, Http404
 from django.shortcuts import render_to_response, redirect
 
 from pytask.taskapp.models import User, Task, Comment, Claim, Credit, Request
@@ -177,18 +177,30 @@
         for req in user_pending_requests:
             user_list.remove(req.sent_to.all()[0])
             
-        non_mentors = ((_.id,_.username) for _ in user_list)
+        non_mentors = ((_.id, _.username) for _ in user_list)
+        non_mentor_ids = [ str(a_user.id) for a_user in user_list ]
         ## code till must be made elegant and not brute force like above
 
         form = AddMentorForm(non_mentors)
+
+        context = {
+            'user':user,
+            'pending_requests':pending_requests,
+            'form':form,
+        }
+
         if request.method == "POST":
-            uid = request.POST['mentor']
-            new_mentor = User.objects.get(id=uid)
-            reqMentor(task, new_mentor, user)
-            return redirect(task_url)
+            data = request.POST
+            uid = data.get('mentor', None)
+            if uid in non_mentor_ids:
+                new_mentor = User.objects.get(id=int(uid))
+                reqMentor(task, new_mentor, user)
+                return redirect('/task/addmentor/tid=%s'%task.id)
+            else:
+                ## bogus post request
+                raise Http404
         else:
-            return render_to_response('task/addmentor.html', {'user':user,'pending_requests':pending_requests,'form':form, 'errors':errors})
-        
+            return render_to_response('task/addmentor.html', context)
     else:
         return show_msg(user, 'You are not authorised to add mentors for this task', task_url, 'view the task')
     
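Review bot: The `context` dict built at the top of the hunk has no `task` entry, yet the template this view renders now emits `/task/view/tid={{task.id}}` (see the addmentor.html hunk in this changeset), and `render_to_response` with a plain dict adds nothing else, so that link renders as `/task/view/tid=`; add `'task': task,` next to `'user'`. The allowlist check `if uid in non_mentor_ids` is the right shape — a POST can only name a user the page itself offered, which closes the obvious way of attaching an arbitrary user as mentor — but answering a rejected id with `raise Http404` labels a malformed client request as a missing page; `return HttpResponseBadRequest()` (or re-rendering the form with an error) matches the intent of the `## bogus post request` comment better. `User.objects.get(id=int(uid))` can still raise `DoesNotExist` if that user is deleted between rendering and submit, so wrapping it in a `get_object_or_404`-style lookup keeps that from becoming a 500. The enclosing view starts above this hunk, so `user_list`, `task` and `task_url` are taken to be defined in the part not shown.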
--- a/templates/task/addmentor.html	Sun Feb 28 18:31:10 2010 +0530
+++ b/templates/task/addmentor.html	Sun Feb 28 19:31:41 2010 +0530
@@ -1,5 +1,6 @@
 {% extends 'base.html' %}
 {% block content %}
+    <a href="/task/view/tid={{task.id}}">Click here</a> to return to the task.
     <form action="" method="post">
     {{form.as_table}}
     <input type="submit" value="submit">
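Review bot: The POST form on the `<form action="" method="post">` line carries no `{% csrf_token %}`, and the view renders this template via `render_to_response` with a plain dict rather than a RequestContext, so depending on the Django version and whether CsrfViewMiddleware is enabled the submit is either rejected outright or remains forgeable from any third-party page — the server-side allowlist added in this changeset limits which mentor can be named, not who triggers the request, so a cross-site POST is still a "bogus post request" in the sense of the commit title. Add `{% csrf_token %}` inside the form and render with `RequestContext(request)` in the view. The new link also reads `{{task.id}}`, but the view's context in this changeset supplies only `user`, `pending_requests` and `form`, so it renders empty until `task` is added to that context.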