Since the owner field is excluded from the form, the default save method will not take it from the submitted data, not even if an attacker adds it to the POST data. So overriding init and save() is not necessary. Instead, the documentation lists another way to add data to this field (see Note under https://docs.djangoproject.com/en/1.5/topics/forms/modelforms/#using-a-subset-of-fields-on-the-form). This code would be in the view:
bookmark = Bookmark(owner=request.user) form = BookmarkModel(instance=bookmark, data=request.POST) form.save()
Please let me know if you agree that this code is simpler and cleaner.