Friday, March 4, 2011

Re: AW: parameter, but not in the URL

On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

> Hi,
>
> Thanks for your fast response!
>
> I've already made sure that users can only edit or delete objects that
> they've created, but I thought it might be even better to hide that
> information.

If you put the delete link in a form "action", and have the delete view
redirect to a different URL when it's done, that's about as "hidden" as
it gets. A determined user will still be able to figure out the pattern,
but if they can only delete their own resources, then why hide it?

>
> Kind regards
>
>
> . . . . . . . . . . . . . . . . . . . . . . . . . .
> Patrick Szabo
> XSLT Developer
> LexisNexis
> Marxergasse 25, 1030 Wien
>
> mailto:patrick.szabo@lexisnexis.at
> Tel.: +43 (1) 534 52 - 1573
> Fax: +43 (1) 534 52 - 146
>
>
> -----Original Message-----
>
> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On behalf of Eric Abrahamsen
> Sent: Friday, 4 March 2011 10:46
> To: django-users@googlegroups.com
> Subject: Re: parameter, but not in the URL
>
> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>
>> 127.0.0.1:800/93/1
>>
>>
>>
>> This would delete an object with the id 93.
>>
>> This is very insecure, and once the user notices how this works he
>> could delete any object he wants.
>>
>>
>>
>> How can I make this more secure?!
>
> There's pretty much always a public-facing URL that can be used to
> delete a resource. I believe the best thing is just to require that a
> user be logged in to perform the action. That's most simply done with a
> @login_required decorator on the
>
> If you keep track of which users created which resources, you can
> restrict them to only deleting resources they created with some simple
> logic in the view.
>
> HTH,
> Eric
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

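The two replies above add up to three controls for a "delete object <id>" endpoint: require a logged-in user, make the delete run on a POSTed form rather than a GET link (with a redirect afterwards), and make ownership part of the lookup so a user can only delete rows they created. The block below is an added example, not code from the thread or from Django itself. It is plain Python so it runs without Django; the `User`, `Request` and `Store` types and all sample ids are constructed stand-ins, and the Django equivalents (`@login_required`, `@require_POST`, `get_object_or_404(Model, pk=..., owner=request.user)`) are named in comments. The insecure view that started the thread is kept beside the hardened one for contrast.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


# Constructed stand-ins for Django's request.user and a model row with an
# `owner = ForeignKey(User)` field; the project's real models are not on the page.
@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool = True


ANONYMOUS = User(id=0, is_authenticated=False)


@dataclass(frozen=True)
class Request:
    method: str
    user: User


@dataclass
class Store:
    """Object id -> owner's user id. Plays the role of the model table."""
    owners: Dict[int, int] = field(default_factory=dict)


Response = Tuple[int, str]  # (HTTP status, redirect target or message)


def delete_view_insecure(store: Store, request: Request, obj_id: int) -> Response:
    """The pattern from the first post: GET /<id>/1 deletes object <id> for anyone.

    No login check, no method check, no ownership check: whoever can guess an
    id can delete the row."""
    store.owners.pop(obj_id, None)
    return 302, "/objects/"


def delete_view(store: Store, request: Request, obj_id: int) -> Response:
    """Hardened view. In Django the same three checks are
         @login_required, @require_POST, and
         obj = get_object_or_404(Model, pk=obj_id, owner=request.user)
    followed by obj.delete() and an HttpResponseRedirect."""
    # 1. @login_required: anonymous callers are redirected to the login page.
    if not request.user.is_authenticated:
        return 302, "/accounts/login/?next=/objects/%d/delete/" % obj_id
    # 2. @require_POST: a state-changing action never runs on GET, so a plain
    #    link, a browser prefetch or a crawler cannot trigger it. (With the
    #    form-based approach Django's CSRF middleware also demands a token.)
    if request.method != "POST":
        return 405, "Method Not Allowed"
    # 3. Ownership is part of the lookup rather than a check done after it:
    #    someone else's id and a non-existent id both yield 404, so the
    #    endpoint does not reveal which ids exist.
    if store.owners.get(obj_id) != request.user.id:
        return 404, "Not Found"
    del store.owners[obj_id]
    # Post/Redirect/Get: the delete URL never ends up in the address bar.
    return 302, "/objects/"
```

The ownership condition belongs in the query (`owner=request.user`), not in an `if` after fetching by primary key alone; a later refactor that drops the `if` then still cannot delete foreign rows, and the response for "not yours" and "does not exist" stays identical.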
