[Answered] (How) does Django prevent data injection by manipulating forms?

1👍

If you want to restrict the fields that the user can edit, then you need to define a form with a subset of the model’s fields.

If you don’t render a form field in the template, but the user submits data for it, then Django will process it as normal. Having looked at the traceback, I don’t understand why your attempt failed, but an attack using the method you described is possible.

The CSRF protection won’t help you here. Its purpose is to prevent a third party from tricking your users into submitting data to your site, not to protect against hand-crafted POST data with extra fields.

There’s another issue to be aware of if you deliberately don’t render fields in the template: If the omitted field is not required, then the missing POST values will be interpreted as empty strings, validate, and your data will be wiped.

1👍

As far as I know, the CSRF token only protects from CSRF attacks and doesn’t do anything about permissions to change data.

Though it isn’t clear whether you only don’t render the field when the user is not a superuser, or you didn’t add it to self.fields at all. You should use the second way, or even have a separate form for superusers.
