Thursday, July 2, 2015

Re: Django formset hidden id field

On 06/28/2015 03:00 PM, Peter of the Norse wrote:
> On May 27, 2015, at 7:47 AM, Cheng Guo <cheng.guo@gmail.com
> <mailto:cheng.guo@gmail.com>> wrote:
>>
>> Hello,
>>
>> I have a formset and when I render it, Django would include this line
>> in the HTML:
>>
>> <input id="id_form-0-id" name="form-0-id" type="hidden">
>>
>> I am curious what is the purpose of having an id field here.
>>
>> I mean in what situation would you use it. I did look through
>> Django's documentation on formset
>> <https://docs.djangoproject.com/en/1.8/topics/forms/formsets/#can-delete> but
>> cannot find much documentation on this.
>>
>> One answer I got is that this id field is the value of the primary key
>> of the model bound to this form. It is there so that when the formset
>> updates, people can use it to retrieve the corresponding record from
>> the database.
>>
>> Is the above explanation correct?
>>
>> If this explanation is correct, then my next question is, wouldn't it
>> be dangerous to expose the primary key like that? I can make a post
>> call to your server with a modified pk which can mess up your database.
>
> So what? It's quite likely that whoever is editing this row of the
> database, also has permissions to edit the other rows as well. There's
> no reason for them to go through the hassle of manually editing a hidden
> field when they can go to a different page and edit it there.

That's a bad answer. It's common in many systems for a user to have
access to edit some records in a table but not others (this is often
known as "object-level permissions"). If it was really possible to edit
any row in the table by just manually editing the PK hidden field, that
would be a serious security flaw in formsets.

But it's not. Whatever queryset you pass to the model formset limits the
available rows for editing. The end user can edit the PK to refer to any
item in that queryset, but not any item in the table.

> In general, primary keys are not security flaws. While it's a good idea
> to hide them from front-end pages, that's mostly because they make URLs
> hard to read. I have heard that you don't want to use them publicly,
> because your competitors can use them to gauge your success, but that's
> the kind of "Nice Problem to Have" that can wait until you're bigger.

Exposing primary keys themselves (e.g. in URLs) is not necessarily a
security flaw. Exposing a primary key in a hidden field that can be
edited to change a form to edit any row in a table often would be a
serious security flaw.


Carl

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/5595E969.1090205%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.
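The point Carl makes above, that a model formset resolves the hidden "form-N-id" value only against the queryset handed to the formset, is shown below in a small pure-Python model of that binding step. This is an added example, not Django's code and not code from anyone in the thread; the names (Row, BoundForm, bind_formset, bind_formset_unscoped, apply_forms) and the sample table and POST data are constructed for illustration. The scoped binder stands in for a formset built with a per-user queryset (in a real view, something like queryset=Row.objects.filter(owner=request.user)); the unscoped binder is the flawed lookup against the whole table that Carl says would be a serious flaw.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Row:
    pk: int
    owner: str
    text: str


@dataclass
class BoundForm:
    # Existing row this form edits, or None when the pk did not resolve
    # (Django then treats the form as describing a new object).
    instance: Optional[Row]
    text: str


def make_table() -> Dict[int, Row]:
    """Constructed sample table: alice owns rows 1 and 2, bob owns row 3."""
    return {
        1: Row(1, "alice", "alice's note"),
        2: Row(2, "alice", "alice's other note"),
        3: Row(3, "bob", "bob's note"),
    }


def queryset_for(table: Dict[int, Row], user: str) -> List[Row]:
    """Stand-in for Row.objects.filter(owner=user): the rows this user may edit."""
    return [r for r in table.values() if r.owner == user]


def _parse_pk(raw: str) -> Optional[int]:
    # Mirrors the pk field's to_python: non-integers simply do not resolve.
    return int(raw) if raw.isdigit() else None


def bind_formset(queryset: List[Row], data: Dict[str, str], prefix: str = "form") -> List[BoundForm]:
    """Scoped binding (what Carl describes): the submitted pk is looked up
    only among the queryset's rows, so a tampered pk outside it resolves to None."""
    allowed = {r.pk: r for r in queryset}
    total = int(data[f"{prefix}-TOTAL_FORMS"])
    forms = []
    for i in range(total):
        pk = _parse_pk(data.get(f"{prefix}-{i}-id", ""))
        forms.append(BoundForm(instance=allowed.get(pk), text=data[f"{prefix}-{i}-text"]))
    return forms


def bind_formset_unscoped(table: Dict[int, Row], data: Dict[str, str], prefix: str = "form") -> List[BoundForm]:
    """The flaw Carl warns about: the pk is resolved against the whole table,
    so editing the hidden field selects any row, regardless of who owns it."""
    total = int(data[f"{prefix}-TOTAL_FORMS"])
    forms = []
    for i in range(total):
        pk = _parse_pk(data.get(f"{prefix}-{i}-id", ""))
        forms.append(BoundForm(instance=table.get(pk), text=data[f"{prefix}-{i}-text"]))
    return forms


def apply_forms(table: Dict[int, Row], forms: List[BoundForm], user: str) -> List[tuple]:
    """Save step: update rows that resolved, create a new row (owned by the
    submitting user) for forms whose pk did not resolve. Returns an audit trail."""
    actions = []
    for f in forms:
        if f.instance is not None:
            f.instance.text = f.text
            actions.append(("updated", f.instance.pk))
        else:
            new_pk = max(table) + 1
            table[new_pk] = Row(new_pk, user, f.text)
            actions.append(("created", new_pk))
    return actions


# Constructed POST bodies from bob. HONEST_POST edits his own row 3;
# TAMPERED_POST has the hidden id rewritten from "3" to "1" (alice's row).
HONEST_POST = {"form-TOTAL_FORMS": "1", "form-INITIAL_FORMS": "1",
               "form-0-id": "3", "form-0-text": "bob's edited note"}
TAMPERED_POST = {"form-TOTAL_FORMS": "1", "form-INITIAL_FORMS": "1",
                 "form-0-id": "1", "form-0-text": "owned by bob now"}


def demo() -> Dict[str, str]:
    """Run the tampered submission through both binders and report row 1's text."""
    scoped_table = make_table()
    apply_forms(scoped_table, bind_formset(queryset_for(scoped_table, "bob"), TAMPERED_POST), "bob")
    unscoped_table = make_table()
    apply_forms(unscoped_table, bind_formset_unscoped(unscoped_table, TAMPERED_POST), "bob")
    return {"scoped": scoped_table[1].text, "unscoped": unscoped_table[1].text}


if __name__ == "__main__":
    print(demo())
```

With the scoped binder, bob's tampered submission cannot touch row 1: the pk does not resolve, so the save creates a new row of his own instead. The unscoped binder overwrites alice's row, which is exactly the object-level permission bypass the thread is about. The lesson for a view is that the queryset passed to the formset is the authorization boundary, so it must be built from the requesting user, not from the model's default manager.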
