Custom Field Validation
7:16 with Kenneth Love
We can control how each field is cleaned by overriding a special method on our form class.
Fields still have validators, which we'll talk about in the next video, so you can't, for example, make an EmailField accept non-valid email addresses by overriding the clean_fieldname method for that field. Cleaning a field is for additional verification of the submitted data.
So our form is pretty much done. 0:00
So I think it would be a good idea to add a honeypot field to catch bots. 0:01
There are packages out there to handle this, 0:06
but I think that we can do it on our own. 0:07
Django gives us three types of special validation on forms. 0:09
We can validate the form as a whole. 0:13
We use this if we need to validate two or more fields in relation to each other, 0:16
like making sure that someone gives us either a phone number, 0:20
an email address or both. 0:23
We can validate individual fields with custom cleaning methods. 0:26
This is for slightly more complicated things than our next approach, but 0:29
this is where we're going to start. 0:33
And finally, we can use Django's built-in validators, or create our own. 0:35
Validators are functions that take a value and 0:40
return a specific error if the value is wrong. 0:42
We'll talk more about these in the next video. 0:45
You'll encounter field cleaning methods pretty often in the wild. 0:47
So, I want to start there. 0:50
Let's go make our honey pot and make sure that's empty. 0:52
So, we have a pretty cool form and view combo, right now. 0:55
Our view shows a form, they fill it in, we get an e-mail, 1:00
they get a message saying thank you, and everything just works really well. 1:04
So that's great. 1:09
But our form right now is maybe a little bit prone to abuse? 1:10
Or even less abuse, more just misuse. 1:16
We don't want to have spiders, bots coming along, filling out our form and 1:20
just sending us tons of junk submissions, 1:25
especially ones that are comment bots like you find on blogs. 1:27
So, we need to prevent that. 1:33
And one of the cool ways, and fairly easy ways, to prevent that is you provide 1:34
a hidden input in an invisible field that normally is called a honey pot. 1:38
And if anything's in that honey pot, then you're like, eh, you're probably a bot. 1:43
I'm not actually gonna submit your thing. 1:47
And we could do that in our view. 1:50
We could add a field and then check to make sure that the field was empty. 1:52
But that's a bad idea, because we have to remember to do it. 1:55
It makes more sense to do it in our form, and just have our form do it for us. 1:58
So let's add a new field that we'll call honeypot. 2:03
And you can call this pooh bear, or bees, or whatever you wanna call it. 2:07
And we're gonna make this a CharField, this doesn't really matter too much. 2:12
And we're gonna say required=False, for now. 2:17
We're gonna say required=False for now, 2:21
just because we want the field to be blankable. 2:23
We don't want anybody to have to actually fill anything in. 2:27
And then we're gonna specify a widget on it. 2:29
And widget is gonna be forms.HiddenInput. 2:33
And the label which is the text, if you look here this one says name. 2:39
By default it just takes this and capitalizes the first letter. 2:45
But we want to specify a custom label on this so 2:49
that humans if they ever see it know what to do with it. 2:51
And we'll just say leave empty. 2:54
All right. 2:57
So there we go. Let's go look at our form, and 2:58
we don't see leave empty. 3:03
But if we inspect it, and we look over here, 3:05
then now there is this new hidden field here called honeypot. 3:11
It doesn't print a label because it's hidden. 3:14
If we were to change something. 3:18
If we were to change this somehow so 3:19
it wasn't hidden then that input would show up. 3:22
We don't want that input to show up though, we want it to stay hidden. 3:25
So, having this hidden honeypot field doesn't actually make it to where our form 3:28
will fail validation if the honeypot's filled out. 3:33
We could go and submit this and say firstname.lastname@example.org and 3:38
[SOUND] and then let's inspect. 3:45
We get into some browser trickery here, and, I'm gonna actually edit this. 3:49
I'm gonna add a new one, called value, and it's gonna be filled with bees. 3:56
And so now if I submit this it still goes through. 4:02
It still says thanks for your submission, or suggestion, sorry. 4:05
So, just having the honey pot didn't make us safer. 4:09
This is kinda long, I'm gonna break this down. 4:14
Sorry, okay. 4:26
I'm gonna stop messing with that. 4:27
So, how do we clean this up? 4:29
How do we handle that? 4:31
Well, we can override the cleaning method for this one individual field. 4:32
So, we can do def clean_honeypot and this will be the method that's called. 4:36
When Django does the is valid, it basically runs through every single field. 4:43
It looks for a clean, and then whatever the field's name is, 4:48
and runs that function, if it exists, that method. 4:52
And if it doesn't, it has a built-in way of making sure, like, that a CharField, 4:55
that's not left as required false, actually has something in it. 4:59
That an email field is actually an email. 5:03
Things like that. 5:05
So, in this case, it'll look for this clean honey pot. 5:07
And since it now exists, it will run it. 5:09
So, what we wanna do is we wanna say that 5:12
honeypot equals self.cleaned_data honey pot. 5:15
Because we wanna get the data that's in there. 5:21
And if there's any len to honeypot, 5:24
if there's anything at all in there, then we want to raise a validation error. 5:26
And we're gonna raise forms.ValidationError and 5:31
we're gonna say, honeypot should be left empty. 5:35
Bad bot! 5:40
Cuz it's probably a bot. 5:43
And then no matter what, we're going to return honeypot. 5:45
We have to send back the data. 5:48
Or really, we're sending back the form itself, but we definitely want, or 5:52
the field itself, but we have to send all that back. 5:55
Okay, cool. 5:58
So now, let's try this again. 5:59
We'll put in Bot, email@example.com. 6:02
Put in some gobbledygook. 6:05
And then, I'm going to inspect my form, find my honeypot, edit. 6:09
Oops. 6:16
Add an attribute, value equals some binary. 6:21
All right, cool, and I'm gonna submit it. 6:27
Aha, look at that. 6:30
Hidden, oops, hidden field honey pot. 6:31
Honey pot should be left empty, bad bot. 6:33
And our stuff is still filled in. 6:35
It didn't create a new email. 6:37
If we were to look in here in our suggestions folder. 6:39
It hasn't refreshed. 6:42
Woop. 6:46
Okay. So 6:47
we have two cuz I submitted one that says Kenneth and I submitted one that says Bot. 6:47
We don't have a third. 6:50
So that's the way that we can handle cleaning just one single field. 6:51
You can write a clean field method for any field in your form. 6:57
Like I said at the beginning of the video, 7:01
if you need to clean more than one field, and 7:03
their validation depends on each other, you'll want to clean the entire form. 7:04
We'll do that together in a later video. 7:08
Now though, 7:11
let's see how we can do this a little bit differently with a custom validator. 7:12