remove protected field on form bound for safety

no need to validate the likely "empty" data form the disabled field

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

component_catalog/tests/test_views.py

@@ -3566,15 +3566,16 @@ def test_component_catalog_package_form_add(self):
             "usage_policy": policy_approved.pk,
         }
         form = PackageForm(user=self.super_user, data=data)
-        self.assertEqual(0, len(form.fields["usage_policy"].queryset))
+        self.assertNotIn("usage_policy", form.fields)
         self.assertTrue(form.is_valid())
         package = form.save()
         self.assertIsNone(package.usage_policy)
 
         data["filename"] = "with policy"
         self.super_user = add_perm(self.super_user, "change_usage_policy_on_package")
         form = PackageForm(user=self.super_user, data=data)
-        self.assertEqual(1, len(form.fields["usage_policy"].queryset))
+        self.assertIn("usage_policy", form.fields)
+        self.assertQuerySetEqual([policy_approved], form.fields["usage_policy"].queryset)
         self.assertTrue(form.is_valid())
         package = form.save()
         self.assertEqual(policy_approved, package.usage_policy)
@@ -4386,15 +4387,16 @@ def test_component_catalog_component_form_add(self):
             "usage_policy": policy_approved.pk,
         }
         form = ComponentForm(user=self.user, data=data)
-        self.assertEqual(0, len(form.fields["usage_policy"].queryset))
+        self.assertNotIn("usage_policy", form.fields)
         self.assertTrue(form.is_valid())
         component = form.save()
         self.assertIsNone(component.usage_policy)
 
         data["version"] = "with policy"
         self.user = add_perm(self.user, "change_usage_policy_on_component")
         form = ComponentForm(user=self.user, data=data)
-        self.assertEqual(1, len(form.fields["usage_policy"].queryset))
+        self.assertIn("usage_policy", form.fields)
+        self.assertQuerySetEqual([policy_approved], form.fields["usage_policy"].queryset)
         self.assertTrue(form.is_valid())
         component = form.save()
         self.assertEqual(policy_approved, component.usage_policy)
@@ -4413,6 +4415,7 @@ def test_component_catalog_component_form_add(self):
             "homepage_url": "https://nexb.com",
             "configuration_status": status.pk,
             "release_date": "2019-03-01",
+            "usage_policy": policy_approved.pk,
             "submit": "Add Component",
         }
         form = ComponentForm(user=self.user, data=data)
@@ -4422,6 +4425,7 @@ def test_component_catalog_component_form_add(self):
         self.assertEqual(status, component.configuration_status)
         self.assertEqual(license1.key, component.license_expression)
         self.assertEqual(["Key1", "Another keyword"], component.keywords)
+        self.assertEqual(policy_approved, component.usage_policy)
 
     def test_component_catalog_component_form_assigned_packages(self):
         data = {

dje/forms.py

@@ -109,18 +109,24 @@ class ScopeAndProtectRelationships:
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        protected_fields = get_protected_fields(self._meta.model, self.user)
-        self.protected_fields = protected_fields
+        self.protected_fields = get_protected_fields(self._meta.model, self.user)
 
-        for name, field in self.fields.items():
-            has_queryset = hasattr(field, "queryset")
-
-            if name in protected_fields:
+        # On submit, remove protected fields so they are not validated or saved.
+        # On display, render them as disabled with an empty queryset.
+        for name in self.protected_fields:
+            if self.is_bound:
+                self.fields.pop(name, None)
+            else:
+                field = self.fields[name]
                 field.disabled = True
-                if has_queryset:
+                if hasattr(field, "queryset"):
                     field.queryset = field.queryset.none()
 
-            elif has_queryset and is_dataspace_related(field.queryset.model):
+        # Scope relational fields to the user's Dataspace
+        for name, field in self.fields.items():
+            has_queryset = hasattr(field, "queryset")
+
+            if has_queryset and is_dataspace_related(field.queryset.model):
                 field.queryset = field.queryset.scope(self.user.dataspace)
 
                 related_model = field.queryset.model