Monday, November 28, 2011

Re: Security design questions

Javier

Thank you - that looks great. I'll start coding ...

Cheers

Mike

On 29/11/2011 1:24am, Javier Guerra Giraldez wrote:
> On Mon, Nov 28, 2011 at 2:21 AM, Mike Dewhirst<miked@dewhirst.com.au> wrote:
>> 1. Do I have to create many-to-many relationships and before serving a page
>> make sure the user making the request is "permitted" to see it?
>
> that's how i've done this in the past. it's not too much burden.
>
> in my case, i had several image 'banks', and a user could have access
> to one or more, so there was a many-to-many between the user and bank
> models. in addition, the user could be on a single bank at a time
> (but could easily hop from one to the other), so i chose to store the
> bank ID in the session. to make it easier, i wrote a decorator
> similar that added a 'bank' field to the request, something like this
> (from failing memory):
>
> request.bank = get_object_or_404 (Bank, user=request.user,
> pk=request.session['bank_id'])
>
> that way, if a user somehow modified his session to point to a bank he
> doesn't have access to, he would get a 404.
>
> then, in any view that included a picture id, instead of doing the usual:
>
> @login_required
> def showpicture (request, pict_id):
>     picture = get_object_or_404 (Picture, pk=pict_id)
>     ......
>
> i did like:
>
> @login_required
> @bank_required
> def showpicture (request, pict_id):
>     picture = get_object_or_404 (Picture, bank=request.bank, pk=pict_id)
>     ....
>
> with the same "404 if not allowed" result
>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
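The session-scoped lookup Javier describes above, as an added example that is not code from the thread, modelled without Django so it runs stand-alone: `NotFound`, `Request`, `BANK_MEMBERS`, `PICTURES` and `try_view` are constructed stand-ins for Http404, HttpRequest, the Bank/Picture models and a test client. The point it shows is that the access check is folded into the lookup itself, so a tampered `bank_id` or a picture id from another bank both end in the same 404.

```python
# Added example, not code from the thread: the "bank id in the session,
# 404 if not allowed" pattern without Django. NotFound, Request and the
# two dicts are constructed stand-ins for Http404, HttpRequest and models.
from dataclasses import dataclass, field
from functools import wraps

class NotFound(Exception):
    """Stand-in for django.http.Http404."""

@dataclass
class Request:
    user: str
    session: dict = field(default_factory=dict)
    bank: object = None

# Constructed data: bank -> users with access; picture -> owning bank.
BANK_MEMBERS = {1: {"alice", "bob"}, 2: {"bob"}}
PICTURES = {10: {"bank": 1, "name": "cat.jpg"}, 20: {"bank": 2, "name": "dog.jpg"}}

def get_bank_or_404(user, bank_id):
    # Mirrors get_object_or_404(Bank, user=request.user, pk=bank_id):
    # membership is part of the lookup, not a separate check afterwards.
    if user in BANK_MEMBERS.get(bank_id, set()):
        return bank_id
    raise NotFound

def bank_required(view):
    """Set request.bank from the session, or 404 if the user lacks access."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        request.bank = get_bank_or_404(request.user, request.session.get("bank_id"))
        return view(request, *args, **kwargs)
    return wrapper

@bank_required
def showpicture(request, pict_id):
    # Scoped lookup: a picture in another bank is indistinguishable from a
    # picture that does not exist, so the response leaks nothing about it.
    pic = PICTURES.get(pict_id)
    if pic is None or pic["bank"] != request.bank:
        raise NotFound
    return pic["name"]

def try_view(user, bank_id, pict_id):
    """Run showpicture for a constructed request; '404' on NotFound."""
    try:
        return showpicture(Request(user, {"bank_id": bank_id}), pict_id)
    except NotFound:
        return "404"
```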
