where the parameters don't appear in the URL, and if you're really
security conscious you can require that the POST come over https.
Bill
On Fri, Mar 4, 2011 at 6:00 AM, Szabo, Patrick (LNG-VIE)
<patrick.szabo@lexisnexis.at> wrote:
> That's a good idea!
>
> Thx
>
>
> . . . . . . . . . . . . . . . . . . . . . . . . . .
> Patrick Szabo
> XSLT Developer
> LexisNexis
> Marxergasse 25, 1030 Wien
>
> mailto:patrick.szabo@lexisnexis.at
> Tel.: +43 (1) 534 52 - 1573
> Fax: +43 (1) 534 52 - 146
>
>
> -----Original Message-----
>
> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On behalf of Shamail Tayyab
> Sent: Friday, 04 March 2011 11:59
> To: django-users@googlegroups.com
> Subject: Re: AW: parameter, but not in the URL
>
> On 04/03/11 4:08 PM, Eric Abrahamsen wrote:
>> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>>
>>> Hi,
>>>
>>> Thanks for your fast response!
>>>
>>> I've already made sure that users can only edit or delete objects that
>>> they've created, but I thought it might be even better to hide that
>>> information.
>> If you put the delete link in a form "action", and have the delete view
>> redirect to a different url when it's done, that's about as "hidden" as
>> it gets. A determined user will still be able to figure out the pattern,
>> but if they can only delete their own resources, then why hide it?
>>
>>> Kind regards
>>>
>>>
>>> . . . . . . . . . . . . . . . . . . . . . . . . . .
>>> Patrick Szabo
>>> XSLT Developer
>>> LexisNexis
>>> Marxergasse 25, 1030 Wien
>>>
>>> mailto:patrick.szabo@lexisnexis.at
>>> Tel.: +43 (1) 534 52 - 1573
>>> Fax: +43 (1) 534 52 - 146
>>>
>>>
>>> -----Original Message-----
>>>
>>> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On behalf of Eric Abrahamsen
>>> Sent: Friday, 04 March 2011 10:46
>>> To: django-users@googlegroups.com
>>> Subject: Re: parameter, but not in the URL
>>>
>>> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>>>
>>>> 127.0.0.1:800/93/1
>>>>
>>>> This would delete an object with the id 93.
>>>>
>>>> This is very insecure, and once the user notices how this works he
>>>> could delete any object he wants.
>>>>
>>>> How can I make this more secure?!
>>> There's pretty much always a public-facing URL that can be used to
>>> delete a resource. I believe the best thing is just to require that a
>>> user be logged in to perform the action. That's most simply done with a
>>> @login_required decorator on the
>>>
>>> If you keep track of which users created which resources, you can
>>> restrict them to only deleting resources they created with some simple
>>> logic in the view.
>>>
>>> HTH,
>>> Eric
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Django users" group.
>>> To post to this group, send email to django-users@googlegroups.com.
>>> To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
>>> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
>
> Why don't you make the objects be referred to by a key rather than ID?
>
> e.g.
>
> class Something (...):
>     eid = StringField(max_length=48)  # additional field.
>
> Then while creating this object, you make this eid as:
> import random as r
> import hashlib
> eid = hashlib.sha1((str(r.random()) + "MY_COOL_SALT").encode()).hexdigest()
>
> then you form your URLs like:
> /33bac54baa...33b/delete
>
> This won't make it 100% secure, but will make it almost impossible to
> guess an ID.
>
> Tx
>
> --
> Shamail Tayyab
> Blog: http://shamail.in/blog
>
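The advice in this thread comes in three parts: require a login and check ownership in the view (Eric), use an unguessable per-object key instead of the sequential id (Shamail), and put the delete behind a POST form so the key is not in the URL (Bill). The block below is an added example that combines all three; it is not code from the thread or from Django. It is plain Python standing in for a Django view so that it runs without Django installed: `Request`, `Something`, `OBJECTS`, `delete_view`, the redirect paths and the status codes are all assumptions. `secrets.token_urlsafe` is used in place of the `hashlib.sha1(random.random() + salt)` recipe, because `random.random()` is a Mersenne Twister whose future output can be reconstructed from observed values, while `secrets` reads the OS CSPRNG.

```python
"""Added example (not code from the thread or from Django): a plain-Python
stand-in for a Django delete view that combines the thread's mitigations."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LOGIN_URL = "/login/"             # assumed redirect target for anonymous users
AFTER_DELETE_URL = "/somethings/"  # assumed redirect target after a delete


def make_eid() -> str:
    """Unguessable per-object key (assumed replacement for the thread's recipe).

    secrets.token_urlsafe draws 32 bytes from the OS CSPRNG, so one key says
    nothing about the next; random.random() cannot give that guarantee.
    """
    return secrets.token_urlsafe(32)   # 43 URL-safe characters


@dataclass
class Something:
    owner: str                                   # who created the object
    eid: str = field(default_factory=make_eid)   # opaque key used instead of id


@dataclass
class Request:
    """Minimal stand-in for django.http.HttpRequest."""
    method: str
    user: Optional[str]   # None means anonymous


# Constructed in-memory "table", keyed by eid rather than a sequential id.
OBJECTS: Dict[str, Something] = {}


def create(owner: str) -> Something:
    obj = Something(owner=owner)
    OBJECTS[obj.eid] = obj
    return obj


def delete_view(request: Request, eid: str) -> Tuple[int, Optional[str]]:
    """Return (status, redirect_location), the way a Django view would respond.

    The checks run in the order the decorators would apply in Django:
    require_POST, then login_required, then the owner check in the body.
    """
    # 1. POST only: a GET (a link, a prefetching browser, an <img src>) never
    #    deletes anything.  In a real form the eid would come from request.POST
    #    rather than from the path, so it does not appear in logs or history.
    if request.method != "POST":
        return 405, None
    # 2. login_required: anonymous users are sent to the login page.
    if request.user is None:
        return 302, LOGIN_URL
    # 3. Owner check.  An unknown key and another user's object both give 404,
    #    so the response does not confirm whether a guessed key exists.
    obj = OBJECTS.get(eid)
    if obj is None or obj.owner != request.user:
        return 404, None
    del OBJECTS[eid]
    # 4. Redirect somewhere else when done, as suggested in the thread.
    return 302, AFTER_DELETE_URL


if __name__ == "__main__":
    mine = create("alice")
    print(delete_view(Request("POST", "bob"), mine.eid))     # (404, None)
    print(delete_view(Request("POST", "alice"), mine.eid))   # (302, '/somethings/')
```

The owner check is the control that actually matters: the opaque key and the POST form only reduce how much a user learns about other users' objects, while the ownership test in the view is what stops a deletion once someone has a key. Returning the same 404 for "not yours" and "does not exist" keeps the view from acting as an oracle for key existence.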