Thanks for your fast response!
I've already made sure that users can only edit or delete objects that they've created, but I thought it might be even better to hide that information.
Kind regards
. . . . . . . . . . . . . . . . . . . . . . . . . .
Patrick Szabo
XSLT Developer
LexisNexis
Marxergasse 25, 1030 Wien
mailto:patrick.szabo@lexisnexis.at
Tel.: +43 (1) 534 52 - 1573
Fax: +43 (1) 534 52 - 146
-----Original Message-----
From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On behalf of Eric Abrahamsen
Sent: Friday, 04 March 2011 10:46
To: django-users@googlegroups.com
Subject: Re: parameter, but not in the URL
On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
> 127.0.0.1:800/93/1
>
> This would delete an object with the id 93.
>
> This is very insecure and once the user notices how this works he
> could delete any object he wants.
>
> How can I make this more secure?!
There's pretty much always a public-facing URL that can be used to
delete a resource. I believe the best thing is just to require that a
user be logged in to perform the action. That's most simply done with a
@login_required decorator on the
If you keep track of which users created which resources, you can
restrict them to only deleting resources they created with some simple
logic in the view.
HTH,
Eric
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
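The two checks Eric recommends (require a login, then restrict the delete to objects the caller created) as an added, runnable example; this is not code from the thread or from Django. It is plain Python with a constructed in-memory table standing in for the database, so it runs without Django installed; the comments name the Django equivalents (`@login_required`, `get_object_or_404(Item, pk=pk, owner=request.user)`). The user names, object ids and titles are made up. The one design point worth noticing is that the owner filter is part of the lookup itself rather than a comparison after the fetch, so a foreign id and a nonexistent id both come back as 404 and the response does not confirm that the other object exists.

```python
"""Owner-scoped delete view: login required, then delete only what you created.

Constructed in-memory data stands in for the database so this runs
without Django; comments note the Django equivalents.
"""
from dataclasses import dataclass


class NotAuthenticated(Exception):
    """Anonymous caller hit a protected view (Django: @login_required redirects to login)."""


class NotFound(Exception):
    """Object missing *or* not owned by the caller (Django: Http404 from get_object_or_404)."""


@dataclass
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User("", is_authenticated=False)


@dataclass
class Item:
    pk: int
    owner: str   # username of the user who created the object
    title: str


# Constructed sample table: two users, three objects (hypothetical data).
ITEMS = {
    93: Item(93, "patrick", "quarterly report"),
    94: Item(94, "eric", "draft notes"),
    95: Item(95, "patrick", "old invoice"),
}


def login_required(view):
    """Reject anonymous callers before the view body runs (stand-in for Django's decorator)."""
    def wrapper(user, *args, **kwargs):
        if not user.is_authenticated:
            raise NotAuthenticated("login required")
        return view(user, *args, **kwargs)
    return wrapper


def get_owned_or_404(store, pk, owner):
    """Look the object up scoped to its owner.

    Stand-in for Django's get_object_or_404(Item, pk=pk, owner=request.user).
    Because the owner condition is part of the lookup, a foreign id and a
    nonexistent id raise the same NotFound, so the caller learns nothing
    about objects that are not theirs.
    """
    item = store.get(pk)
    if item is None or item.owner != owner:
        raise NotFound(f"no such object {pk}")
    return item


@login_required
def delete_item(user, pk, store=ITEMS):
    """View body for the delete URL: delete only an object the caller created."""
    item = get_owned_or_404(store, pk, user.username)
    del store[item.pk]
    return {"deleted": item.pk}


def try_delete(user, pk, store):
    """Run the view and report the outcome as the HTTP status Django would send."""
    try:
        delete_item(user, pk, store)
        return 200
    except NotAuthenticated:
        return 302   # redirect to the login page
    except NotFound:
        return 404


if __name__ == "__main__":
    store = dict(ITEMS)
    print(try_delete(ANONYMOUS, 93, store))        # anonymous: redirected, nothing deleted
    print(try_delete(User("eric"), 93, store))     # not eric's object: 404
    print(try_delete(User("eric"), 999, store))    # nonexistent: also 404, indistinguishable
    print(try_delete(User("patrick"), 93, store))  # owner: deleted
    print(sorted(store))                            # 93 is gone, 94 and 95 remain
```

In a real Django view the delete should additionally be limited to POST (for example with `django.views.decorators.http.require_POST`), so that a plain GET link cannot trigger it; that part is not modelled here.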