Change a Django form field to a hidden field

python

form-engineering

best-practices

security

byNikita Barsukov·Dec 6, 2024

To hide a Django form field, you can switch its widget to forms.HiddenInput:

form.fields['field_name'].widget = forms.HiddenInput()

This change makes the field invisible to users, but it doesn't impair its normal operations.

This neat approach, applied directly within your views or forms' __init__ functions, eliminates the need for extra attributes and allows the form to stick to its initial intent. It also paves the way for dynamic field hiding based on certain conditions, initiated within the form's constructor.

Hide form field in templates

When it comes to displaying fields in Django templates, you can make use of the built-in .as_hidden method to shift form fields to hidden inputs:

{{ form.field_name.as_hidden }}

This enables you to painlessly change visible Django form fields into hidden inputs while preserving the form's integrity and simplicity.

Hidden but not forgotten: security matters

Hidden fields can be altered by crafty users, so include only necessary information, and consider extra security measures like hashing the field's value to detect any harmful data interference.

Advanced handling for hiding fields

Overriding widgets on the move

You might want to make the widget switch based on specific criteria. In that case, pull an override on your form's __init__ method and change the widget when the conditions are complied with:

class MyForm(forms.Form):
    def __init__(self, *args, **kwargs):
        self.hide_game = kwargs.pop('hide_game', None)  
        super(MyForm, self).__init__(*args, **kwargs)
        if self.hide_game:
            self.fields['field_name'].widget = forms.HiddenInput()
            # look ma, no hands!

Navigating composite fields

Composite fields like MultipleChoiceField present a unique challenge, since HiddenInput is not supported out of the box. Instead, convert the composite data into a single retrievable value after form submission. This may need some serialization skills!

Deleting fields: "now you see me, now you don't"

Don't want a field transmitted via form at all? Use the del Python command:

del self.fields['field_name']
   # just like my hopes and dreams, field_name is gone but not forgotten

This fortifies the security, preventing both the field display and data submission.

Preserving the form layout

Want to uphold the form structure while concealing fields? Create a new form class:

class HiddenFieldsForm(MyForm):
    class Meta:
        widgets = {
            'field_name': forms.HiddenInput(),
        }

By declaring hidden widgets within the Meta class, you retain the form's original setting, albeit with subtly hidden fields.

Hidden Fields: Advanced user's guide

Your hidden field's smart-tech suit

A perfect hidden field must balance functionality with security. Analyze every field switched to hidden and check for potential vulnerability:

Validate input first, process later.
Use hashing or encryption to guard sensitive data.
Choose CAPTCHA to fight the bots.

Getting the field values, even when hidden

Retrieve form values, including for fields hidden from the form, in your templates:

{{ form.instance.field_name if form.is_bound else form.initial['field_name'] }} 
    # This isn't the form data you're looking for

Pitfalls and how to punch them

Working with hidden fields comes with a fair share of caveats:

FormState Misrepresentation: There might be something lurking beneath the surface.
Security risks: Risk of Cross-Site Request Forgery (CSRF) attack if you take it lightly.

explain-codes / Python / Change a Django form field to a hidden field

Linked

Django set default form values



What is the difference between null=True and blank=True in Django?



Django: How do I add arbitrary html attributes to input fields on a form?



Delete multiple objects in django



Convert Django Model object to dict with all of the fields intact

