2012-06-07 22:11:24 +02:00
|
|
|
.. _form-and-field-validation:
|
|
|
|
|
2008-08-24 09:22:30 +02:00
|
|
|
Form and field validation
|
|
|
|
=========================
|
2008-08-24 00:25:40 +02:00
|
|
|
|
|
|
|
Form validation happens when the data is cleaned. If you want to customize
|
|
|
|
this process, there are various places you can change, each one serving a
|
|
|
|
different purpose. Three types of cleaning methods are run during form
|
|
|
|
processing. These are normally executed when you call the ``is_valid()``
|
|
|
|
method on a form. There are other things that can trigger cleaning and
|
|
|
|
validation (accessing the ``errors`` attribute or calling ``full_clean()``
|
|
|
|
directly), but normally they won't be needed.
|
|
|
|
|
|
|
|
In general, any cleaning method can raise ``ValidationError`` if there is a
|
|
|
|
problem with the data it is processing, passing the relevant error message to
|
|
|
|
the ``ValidationError`` constructor. If no ``ValidationError`` is raised, the
|
|
|
|
method should return the cleaned (normalized) data as a Python object.
|
|
|
|
|
|
|
|
If you detect multiple errors during a cleaning method and wish to signal all
|
|
|
|
of them to the form submitter, it is possible to pass a list of errors to the
|
|
|
|
``ValidationError`` constructor.
|
|
|
|
|
2010-01-05 04:56:19 +01:00
|
|
|
Most validation can be done using `validators`_ - simple helpers that can be
|
|
|
|
reused easily. Validators are simple functions (or callables) that take a single
|
|
|
|
argument and raise ``ValidationError`` on invalid input. Validators are run
|
|
|
|
after the field's ``to_python`` and ``validate`` methods have been called.
|
|
|
|
|
|
|
|
Validation of a Form is split into several steps, which can be customized or
|
|
|
|
overridden:
|
|
|
|
|
2011-10-14 02:12:01 +02:00
|
|
|
* The ``to_python()`` method on a Field is the first step in every
|
|
|
|
validation. It coerces the value to correct datatype and raises
|
|
|
|
``ValidationError`` if that is not possible. This method accepts the raw
|
|
|
|
value from the widget and returns the converted value. For example, a
|
|
|
|
FloatField will turn the data into a Python ``float`` or raise a
|
|
|
|
``ValidationError``.
|
|
|
|
|
|
|
|
* The ``validate()`` method on a Field handles field-specific validation
|
|
|
|
that is not suitable for a validator, It takes a value that has been
|
|
|
|
coerced to correct datatype and raises ``ValidationError`` on any error.
|
|
|
|
This method does not return anything and shouldn't alter the value. You
|
|
|
|
should override it to handle validation logic that you can't or don't
|
|
|
|
want to put in a validator.
|
|
|
|
|
|
|
|
* The ``run_validators()`` method on a Field runs all of the field's
|
|
|
|
validators and aggregates all the errors into a single
|
|
|
|
``ValidationError``. You shouldn't need to override this method.
|
|
|
|
|
|
|
|
* The ``clean()`` method on a Field subclass. This is responsible for
|
|
|
|
running ``to_python``, ``validate`` and ``run_validators`` in the correct
|
|
|
|
order and propagating their errors. If, at any time, any of the methods
|
|
|
|
raise ``ValidationError``, the validation stops and that error is raised.
|
|
|
|
This method returns the clean data, which is then inserted into the
|
|
|
|
``cleaned_data`` dictionary of the form.
|
|
|
|
|
|
|
|
* The ``clean_<fieldname>()`` method in a form subclass -- where
|
|
|
|
``<fieldname>`` is replaced with the name of the form field attribute.
|
|
|
|
This method does any cleaning that is specific to that particular
|
|
|
|
attribute, unrelated to the type of field that it is. This method is not
|
|
|
|
passed any parameters. You will need to look up the value of the field
|
|
|
|
in ``self.cleaned_data`` and remember that it will be a Python object
|
|
|
|
at this point, not the original string submitted in the form (it will be
|
|
|
|
in ``cleaned_data`` because the general field ``clean()`` method, above,
|
|
|
|
has already cleaned the data once).
|
|
|
|
|
|
|
|
For example, if you wanted to validate that the contents of a
|
|
|
|
``CharField`` called ``serialnumber`` was unique,
|
|
|
|
``clean_serialnumber()`` would be the right place to do this. You don't
|
|
|
|
need a specific field (it's just a ``CharField``), but you want a
|
|
|
|
formfield-specific piece of validation and, possibly,
|
|
|
|
cleaning/normalizing the data.
|
|
|
|
|
2012-09-07 16:43:55 +02:00
|
|
|
This method should return the cleaned value obtained from cleaned_data,
|
|
|
|
regardless of whether it changed anything or not.
|
2011-10-14 02:12:01 +02:00
|
|
|
|
|
|
|
* The Form subclass's ``clean()`` method. This method can perform
|
|
|
|
any validation that requires access to multiple fields from the form at
|
|
|
|
once. This is where you might put in things to check that if field ``A``
|
|
|
|
is supplied, field ``B`` must contain a valid email address and the
|
|
|
|
like. The data that this method returns is the final ``cleaned_data``
|
|
|
|
attribute for the form, so don't forget to return the full list of
|
|
|
|
cleaned data if you override this method (by default, ``Form.clean()``
|
|
|
|
just returns ``self.cleaned_data``).
|
|
|
|
|
|
|
|
Note that any errors raised by your ``Form.clean()`` override will not
|
|
|
|
be associated with any field in particular. They go into a special
|
|
|
|
"field" (called ``__all__``), which you can access via the
|
|
|
|
``non_field_errors()`` method if you need to. If you want to attach
|
|
|
|
errors to a specific field in the form, you will need to access the
|
|
|
|
``_errors`` attribute on the form, which is `described later`_.
|
|
|
|
|
|
|
|
Also note that there are special considerations when overriding
|
|
|
|
the ``clean()`` method of a ``ModelForm`` subclass. (see the
|
|
|
|
:ref:`ModelForm documentation
|
|
|
|
<overriding-modelform-clean-method>` for more information)
|
2010-05-09 07:49:14 +02:00
|
|
|
|
2008-08-24 00:25:40 +02:00
|
|
|
These methods are run in the order given above, one field at a time. That is,
|
|
|
|
for each field in the form (in the order they are declared in the form
|
|
|
|
definition), the ``Field.clean()`` method (or its override) is run, then
|
|
|
|
``clean_<fieldname>()``. Finally, once those two methods are run for every
|
|
|
|
field, the ``Form.clean()`` method, or its override, is executed.
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
Examples of each of these methods are provided below.
|
|
|
|
|
|
|
|
As mentioned, any of these methods can raise a ``ValidationError``. For any
|
|
|
|
field, if the ``Field.clean()`` method raises a ``ValidationError``, any
|
2008-08-24 00:25:40 +02:00
|
|
|
field-specific cleaning method is not called. However, the cleaning methods
|
|
|
|
for all remaining fields are still executed.
|
|
|
|
|
|
|
|
The ``clean()`` method for the ``Form`` class or subclass is always run. If
|
|
|
|
that method raises a ``ValidationError``, ``cleaned_data`` will be an empty
|
|
|
|
dictionary.
|
|
|
|
|
|
|
|
The previous paragraph means that if you are overriding ``Form.clean()``, you
|
|
|
|
should iterate through ``self.cleaned_data.items()``, possibly considering the
|
|
|
|
``_errors`` dictionary attribute on the form as well. In this way, you will
|
|
|
|
already know which fields have passed their individual validation requirements.
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
.. _described later:
|
|
|
|
|
|
|
|
Form subclasses and modifying field errors
|
2008-12-22 05:18:00 +01:00
|
|
|
------------------------------------------
|
2008-10-06 13:21:11 +02:00
|
|
|
|
|
|
|
Sometimes, in a form's ``clean()`` method, you will want to add an error
|
|
|
|
message to a particular field in the form. This won't always be appropriate
|
|
|
|
and the more typical situation is to raise a ``ValidationError`` from
|
|
|
|
``Form.clean()``, which is turned into a form-wide error that is available
|
|
|
|
through the ``Form.non_field_errors()`` method.
|
|
|
|
|
|
|
|
When you really do need to attach the error to a particular field, you should
|
2008-12-04 06:37:37 +01:00
|
|
|
store (or amend) a key in the ``Form._errors`` attribute. This attribute is an
|
2008-10-24 09:14:30 +02:00
|
|
|
instance of a ``django.forms.util.ErrorDict`` class. Essentially, though, it's
|
2008-10-06 13:21:11 +02:00
|
|
|
just a dictionary. There is a key in the dictionary for each field in the form
|
|
|
|
that has an error. Each value in the dictionary is a
|
2008-10-24 09:14:30 +02:00
|
|
|
``django.forms.util.ErrorList`` instance, which is a list that knows how to
|
2008-12-04 06:37:37 +01:00
|
|
|
display itself in different ways. So you can treat ``_errors`` as a dictionary
|
2008-10-06 13:21:11 +02:00
|
|
|
mapping field names to lists.
|
|
|
|
|
|
|
|
If you want to add a new error to a particular field, you should check whether
|
2008-12-04 06:37:37 +01:00
|
|
|
the key already exists in ``self._errors`` or not. If not, create a new entry
|
2008-10-06 13:21:11 +02:00
|
|
|
for the given key, holding an empty ``ErrorList`` instance. In either case,
|
|
|
|
you can then append your error message to the list for the field name in
|
|
|
|
question and it will be displayed when the form is displayed.
|
|
|
|
|
2008-12-04 06:37:37 +01:00
|
|
|
There is an example of modifying ``self._errors`` in the following section.
|
2008-10-06 13:21:11 +02:00
|
|
|
|
|
|
|
.. admonition:: What's in a name?
|
|
|
|
|
|
|
|
You may be wondering why is this attribute called ``_errors`` and not
|
|
|
|
``errors``. Normal Python practice is to prefix a name with an underscore
|
|
|
|
if it's not for external usage. In this case, you are subclassing the
|
|
|
|
``Form`` class, so you are essentially writing new internals. In effect,
|
|
|
|
you are given permission to access some of the internals of ``Form``.
|
2008-12-23 05:13:14 +01:00
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
Of course, any code outside your form should never access ``_errors``
|
|
|
|
directly. The data is available to external code through the ``errors``
|
|
|
|
property, which populates ``_errors`` before returning it).
|
|
|
|
|
|
|
|
Another reason is purely historical: the attribute has been called
|
|
|
|
``_errors`` since the early days of the forms module and changing it now
|
|
|
|
(particularly since ``errors`` is used for the read-only property name)
|
|
|
|
would be inconvenient for a number of reasons. You can use whichever
|
|
|
|
explanation makes you feel more comfortable. The result is the same.
|
|
|
|
|
|
|
|
Using validation in practice
|
2008-12-22 05:18:00 +01:00
|
|
|
----------------------------
|
2008-08-24 00:25:40 +02:00
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
The previous sections explained how validation works in general for forms.
|
|
|
|
Since it can sometimes be easier to put things into place by seeing each
|
|
|
|
feature in use, here are a series of small examples that use each of the
|
|
|
|
previous features.
|
|
|
|
|
2010-01-05 04:56:19 +01:00
|
|
|
.. _validators:
|
|
|
|
|
|
|
|
Using validators
|
|
|
|
~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django's form (and model) fields support use of simple utility functions and
|
2010-09-07 22:19:41 +02:00
|
|
|
classes known as validators. These can be passed to a field's constructor, via
|
2010-01-05 04:56:19 +01:00
|
|
|
the field's ``validators`` argument, or defined on the Field class itself with
|
|
|
|
the ``default_validators`` attribute.
|
|
|
|
|
|
|
|
Simple validators can be used to validate values inside the field, let's have
|
2013-03-14 16:19:59 +01:00
|
|
|
a look at Django's ``SlugField``::
|
2010-01-05 04:56:19 +01:00
|
|
|
|
2013-05-19 11:15:35 +02:00
|
|
|
from django.forms import CharField
|
|
|
|
from django.core import validators
|
|
|
|
|
2013-03-14 16:19:59 +01:00
|
|
|
class SlugField(CharField):
|
|
|
|
default_validators = [validators.validate_slug]
|
2010-01-05 04:56:19 +01:00
|
|
|
|
2013-03-14 16:19:59 +01:00
|
|
|
As you can see, ``SlugField`` is just a ``CharField`` with a customized
|
|
|
|
validator that validates that submitted text obeys to some character rules.
|
|
|
|
This can also be done on field definition so::
|
2010-01-05 04:56:19 +01:00
|
|
|
|
2013-03-14 16:19:59 +01:00
|
|
|
slug = forms.SlugField()
|
2010-01-05 04:56:19 +01:00
|
|
|
|
|
|
|
is equivalent to::
|
|
|
|
|
2013-03-14 16:19:59 +01:00
|
|
|
slug = forms.CharField(validators=[validators.validate_slug])
|
2010-01-05 04:56:19 +01:00
|
|
|
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
Form field default cleaning
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Let's firstly create a custom form field that validates its input is a string
|
2011-04-01 18:10:22 +02:00
|
|
|
containing comma-separated email addresses. The full class looks like this::
|
2008-08-24 00:25:40 +02:00
|
|
|
|
|
|
|
from django import forms
|
2010-01-05 04:56:19 +01:00
|
|
|
from django.core.validators import validate_email
|
2008-08-24 00:25:40 +02:00
|
|
|
|
|
|
|
class MultiEmailField(forms.Field):
|
2010-01-05 04:56:19 +01:00
|
|
|
def to_python(self, value):
|
|
|
|
"Normalize data to a list of strings."
|
|
|
|
|
|
|
|
# Return an empty list if no input was given.
|
2008-08-24 00:25:40 +02:00
|
|
|
if not value:
|
2010-01-05 04:56:19 +01:00
|
|
|
return []
|
|
|
|
return value.split(',')
|
|
|
|
|
|
|
|
def validate(self, value):
|
|
|
|
"Check if value consists only of valid emails."
|
|
|
|
|
|
|
|
# Use the parent's handling of required fields, etc.
|
|
|
|
super(MultiEmailField, self).validate(value)
|
2008-10-06 13:21:11 +02:00
|
|
|
|
2010-01-05 04:56:19 +01:00
|
|
|
for email in value:
|
|
|
|
validate_email(email)
|
2008-08-24 00:25:40 +02:00
|
|
|
|
2010-01-05 04:56:19 +01:00
|
|
|
Every form that uses this field will have these methods run before anything
|
|
|
|
else can be done with the field's data. This is cleaning that is specific to
|
|
|
|
this type of field, regardless of how it is subsequently used.
|
2008-10-06 13:21:11 +02:00
|
|
|
|
|
|
|
Let's create a simple ``ContactForm`` to demonstrate how you'd use this
|
|
|
|
field::
|
2008-08-24 00:25:40 +02:00
|
|
|
|
|
|
|
class ContactForm(forms.Form):
|
|
|
|
subject = forms.CharField(max_length=100)
|
|
|
|
message = forms.CharField()
|
2008-10-06 13:21:11 +02:00
|
|
|
sender = forms.EmailField()
|
|
|
|
recipients = MultiEmailField()
|
2008-08-24 00:25:40 +02:00
|
|
|
cc_myself = forms.BooleanField(required=False)
|
2008-10-06 13:21:11 +02:00
|
|
|
|
|
|
|
Simply use ``MultiEmailField`` like any other form field. When the
|
|
|
|
``is_valid()`` method is called on the form, the ``MultiEmailField.clean()``
|
2010-01-05 04:56:19 +01:00
|
|
|
method will be run as part of the cleaning process and it will, in turn, call
|
|
|
|
the custom ``to_python()`` and ``validate()`` methods.
|
2008-10-06 13:21:11 +02:00
|
|
|
|
|
|
|
Cleaning a specific field attribute
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Continuing on from the previous example, suppose that in our ``ContactForm``,
|
|
|
|
we want to make sure that the ``recipients`` field always contains the address
|
|
|
|
``"fred@example.com"``. This is validation that is specific to our form, so we
|
|
|
|
don't want to put it into the general ``MultiEmailField`` class. Instead, we
|
|
|
|
write a cleaning method that operates on the ``recipients`` field, like so::
|
|
|
|
|
2013-05-19 11:15:35 +02:00
|
|
|
from django import forms
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
class ContactForm(forms.Form):
|
|
|
|
# Everything as before.
|
|
|
|
...
|
|
|
|
|
|
|
|
def clean_recipients(self):
|
|
|
|
data = self.cleaned_data['recipients']
|
|
|
|
if "fred@example.com" not in data:
|
|
|
|
raise forms.ValidationError("You have forgotten about Fred!")
|
|
|
|
|
|
|
|
# Always return the cleaned data, whether you have changed it or
|
|
|
|
# not.
|
|
|
|
return data
|
|
|
|
|
|
|
|
Cleaning and validating fields that depend on each other
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Suppose we add another requirement to our contact form: if the ``cc_myself``
|
|
|
|
field is ``True``, the ``subject`` must contain the word ``"help"``. We are
|
|
|
|
performing validation on more than one field at a time, so the form's
|
|
|
|
``clean()`` method is a good spot to do this. Notice that we are talking about
|
|
|
|
the ``clean()`` method on the form here, whereas earlier we were writing a
|
|
|
|
``clean()`` method on a field. It's important to keep the field and form
|
|
|
|
difference clear when working out where to validate things. Fields are single
|
|
|
|
data points, forms are a collection of fields.
|
|
|
|
|
|
|
|
By the time the form's ``clean()`` method is called, all the individual field
|
|
|
|
clean methods will have been run (the previous two sections), so
|
|
|
|
``self.cleaned_data`` will be populated with any data that has survived so
|
|
|
|
far. So you also need to remember to allow for the fact that the fields you
|
|
|
|
are wanting to validate might not have survived the initial individual field
|
|
|
|
checks.
|
|
|
|
|
2011-01-30 20:09:44 +01:00
|
|
|
There are two ways to report any errors from this step. Probably the most
|
2008-10-06 13:21:11 +02:00
|
|
|
common method is to display the error at the top of the form. To create such
|
|
|
|
an error, you can raise a ``ValidationError`` from the ``clean()`` method. For
|
|
|
|
example::
|
|
|
|
|
2013-05-19 11:15:35 +02:00
|
|
|
from django import forms
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
class ContactForm(forms.Form):
|
|
|
|
# Everything as before.
|
|
|
|
...
|
|
|
|
|
|
|
|
def clean(self):
|
2012-02-04 17:05:30 +01:00
|
|
|
cleaned_data = super(ContactForm, self).clean()
|
2008-10-06 13:21:11 +02:00
|
|
|
cc_myself = cleaned_data.get("cc_myself")
|
|
|
|
subject = cleaned_data.get("subject")
|
|
|
|
|
|
|
|
if cc_myself and subject:
|
|
|
|
# Only do something if both fields are valid so far.
|
|
|
|
if "help" not in subject:
|
|
|
|
raise forms.ValidationError("Did not send for 'help' in "
|
|
|
|
"the subject despite CC'ing yourself.")
|
|
|
|
|
|
|
|
# Always return the full collection of cleaned data.
|
|
|
|
return cleaned_data
|
|
|
|
|
|
|
|
In this code, if the validation error is raised, the form will display an
|
|
|
|
error message at the top of the form (normally) describing the problem.
|
|
|
|
|
2012-02-04 17:05:30 +01:00
|
|
|
Note that the call to ``super(ContactForm, self).clean()`` in the example code
|
|
|
|
ensures that any validation logic in parent classes is maintained.
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
The second approach might involve assigning the error message to one of the
|
|
|
|
fields. In this case, let's assign an error message to both the "subject" and
|
|
|
|
"cc_myself" rows in the form display. Be careful when doing this in practice,
|
|
|
|
since it can lead to confusing form output. We're showing what is possible
|
|
|
|
here and leaving it up to you and your designers to work out what works
|
|
|
|
effectively in your particular situation. Our new code (replacing the previous
|
|
|
|
sample) looks like this::
|
|
|
|
|
2013-05-19 11:15:35 +02:00
|
|
|
from django import forms
|
|
|
|
|
2008-10-06 13:21:11 +02:00
|
|
|
class ContactForm(forms.Form):
|
|
|
|
# Everything as before.
|
|
|
|
...
|
|
|
|
|
|
|
|
def clean(self):
|
2012-02-04 17:05:30 +01:00
|
|
|
cleaned_data = super(ContactForm, self).clean()
|
2008-10-06 13:21:11 +02:00
|
|
|
cc_myself = cleaned_data.get("cc_myself")
|
|
|
|
subject = cleaned_data.get("subject")
|
|
|
|
|
|
|
|
if cc_myself and subject and "help" not in subject:
|
|
|
|
# We know these are not in self._errors now (see discussion
|
|
|
|
# below).
|
|
|
|
msg = u"Must put 'help' in subject when cc'ing yourself."
|
2010-05-10 16:06:09 +02:00
|
|
|
self._errors["cc_myself"] = self.error_class([msg])
|
|
|
|
self._errors["subject"] = self.error_class([msg])
|
2008-10-06 13:21:11 +02:00
|
|
|
|
|
|
|
# These fields are no longer valid. Remove them from the
|
|
|
|
# cleaned data.
|
|
|
|
del cleaned_data["cc_myself"]
|
|
|
|
del cleaned_data["subject"]
|
|
|
|
|
|
|
|
# Always return the full collection of cleaned data.
|
|
|
|
return cleaned_data
|
|
|
|
|
|
|
|
As you can see, this approach requires a bit more effort, not withstanding the
|
|
|
|
extra design effort to create a sensible form display. The details are worth
|
|
|
|
noting, however. Firstly, earlier we mentioned that you might need to check if
|
|
|
|
the field name keys already exist in the ``_errors`` dictionary. In this case,
|
|
|
|
since we know the fields exist in ``self.cleaned_data``, they must have been
|
2008-12-23 05:13:14 +01:00
|
|
|
valid when cleaned as individual fields, so there will be no corresponding
|
2008-10-06 13:21:11 +02:00
|
|
|
entries in ``_errors``.
|
|
|
|
|
|
|
|
Secondly, once we have decided that the combined data in the two fields we are
|
|
|
|
considering aren't valid, we must remember to remove them from the
|
|
|
|
``cleaned_data``.
|
|
|
|
|
2012-08-04 14:17:02 +02:00
|
|
|
.. versionchanged:: 1.5
|
|
|
|
|
2013-03-25 06:53:48 +01:00
|
|
|
Django used to remove the ``cleaned_data`` attribute entirely if there were
|
|
|
|
any errors in the form. Since version 1.5, ``cleaned_data`` is present even if
|
|
|
|
the form doesn't validate, but it contains only field values that did
|
|
|
|
validate.
|