On 02/19/2015 04:03 PM, Chen Xu wrote:
> What if I have two addresses, whose ids are 1 and 2, and I want to update 2: how
> should I distinguish 2 from 1? I mean, if I have addressid in the form,
> and someone modifies it from 2 to 1, that will update 1, right? How to
> prevent this?
Your server-side code must handle all security-related validation, and
must assume that no data sent from the client can be trusted. So in the
case you describe, your server-side code must have some way to know
which address(es) the currently logged-in user has the authority to edit.
Usually in this type of case I would make the address ID being edited a
part of the URL, not a form parameter (because it's used to query the
instance being edited by the ModelForm), and I would perform the access
check at the very top of the view function, often returning a 404 if the
user should not have access to that address.
If for some reason the address ID must be in the form rather than a URL
parameter, you could pass `request.user` to the form and have the form
validation check that that user is permitted to edit the given address ID.
Carl
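The two patterns Carl describes (address id taken from the URL with an ownership check at the top of the view, or the id left in the form with `request.user` handed to the form's validation), shown side by side with the vulnerable form-trusting view. This is an added example, not Carl's code or Django's: Django's `Http404`, `get_object_or_404`, request object and `ModelForm` are replaced by minimal stand-ins so it runs stand-alone, and the users, addresses and field names are constructed sample data.

```python
"""Owner-scoped lookup for an 'edit address' view (added example).

Django's ORM, request object and Http404 are replaced by small stand-ins
(assumed names, not Django's API) so the ownership-check pattern runs
stand-alone. The point is WHERE the check happens, not the framework.
"""
from dataclasses import dataclass


class Http404(Exception):
    """Stand-in for django.http.Http404."""


@dataclass
class User:
    id: int
    username: str


@dataclass
class Address:
    id: int
    owner_id: int
    street: str


# Constructed sample data: two users (ids 10 and 20), each owning one address.
ADDRESSES = {
    1: Address(id=1, owner_id=10, street="1 Alice St"),
    2: Address(id=2, owner_id=20, street="2 Bob Ave"),
}


@dataclass
class Request:
    """Stand-in for django.http.HttpRequest: just the logged-in user and POST data."""
    user: User
    POST: dict


def get_object_or_404(pk, **filters):
    """Stand-in for get_object_or_404(Address, pk=pk, **filters).

    Every extra filter must match, so passing owner_id=request.user.id
    turns a plain lookup into an owner-scoped lookup.
    """
    obj = ADDRESSES.get(pk)
    if obj is None or any(getattr(obj, k) != v for k, v in filters.items()):
        raise Http404(f"Address {pk} not found")
    return obj


# --- vulnerable: trusts whatever id the client put in the form ---------------
def update_address_vulnerable(request):
    address = get_object_or_404(int(request.POST["addressid"]))
    address.street = request.POST["street"]  # any user can edit any address
    return address


# --- fixed (Carl's first suggestion): id from the URL, query scoped to user ---
def update_address(request, address_id):
    # Ownership check at the very top of the view. A mismatch is a 404, not a
    # 403, so the response does not confirm that someone else's id exists.
    address = get_object_or_404(address_id, owner_id=request.user.id)
    address.street = request.POST["street"]
    return address


# --- alternative (Carl's second suggestion): id stays in the form -------------
class AddressForm:
    """Stand-in for a ModelForm that is given request.user at construction."""

    def __init__(self, data, user):
        self.data, self.user, self.errors = data, user, {}

    def is_valid(self):
        # Validation rejects an addressid the requesting user does not own.
        pk = int(self.data.get("addressid", 0))
        addr = ADDRESSES.get(pk)
        if addr is None or addr.owner_id != self.user.id:
            self.errors["addressid"] = "You may not edit this address."
        return not self.errors


def denied(view, *args):
    """True if the view refuses the request with a 404 (used by the demo)."""
    try:
        view(*args)
    except Http404:
        return True
    return False


if __name__ == "__main__":
    bob = User(id=20, username="bob")
    # Bob submits addressid=1 (Alice's address) while editing his own.
    tampered = Request(user=bob, POST={"addressid": "1", "street": "changed"})
    print("scoped view denies:", denied(update_address, tampered, 1))
    print("form rejects:", not AddressForm(tampered.POST, bob).is_valid())
    print("vulnerable view edits:", update_address_vulnerable(tampered).id)
```

Note that the scoped version puts the ownership condition into the query itself (`owner_id=request.user.id`) rather than fetching first and comparing afterwards; that way a forgotten comparison cannot silently reopen the hole, and a non-owned id is indistinguishable from a nonexistent one.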
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/54E66EC8.70808%40oddbird.net.