On Mon, Aug 01, 2016 at 12:17:38PM -0400, Larry Martell wrote:
> I have a view that is accessed both from the browser and from a
> non-browser app. The requests from the non-browser app come from a
> remote app where the user has already had to login (or they would
> never get to the point where they could cause the request to be sent).
> Is there a way to make login required when the request comes from a
> browser but then not have login required when the request comes from
> the app?
That sounds like a bad idea. Even with the "app", when a request is
being made, the user has to be authenticated somehow. If you allow
your "app" to access the view without authentication (regardless of
what criterion you pick to determine it is the "app", be it the
user-agent, referrer, or whatnot), what's to prevent a motivated
attacker from finding the criterion out using a sniffing proxy or some
other tool, and just making the request directly?
Cheers,
Michal
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20160801183351.GC5430%40koniiiik.org.
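To make the point of the reply concrete, here is an added example (not code from the thread or from Django) that contrasts a "looks like the app" check based on the User-Agent with an actual authentication check: an HMAC over the request under a secret provisioned to the app out of band, plus a freshness window. The user-agent string, header names, secret and paths are all made up for the illustration, and the "request" is modelled as a plain dict so the example runs without Django.

```python
"""Added example (not from the thread): why "is this the app?" has to be an
authentication check, not a match on something the client merely sends."""
import hashlib
import hmac

APP_UA = "LarryRemoteApp/1.0"                       # hypothetical user-agent
APP_SECRET = b"per-app-secret-provisioned-out-of-band"  # hypothetical shared key
MAX_SKEW = 300  # seconds a signed request stays acceptable


def is_app_request_weak(headers):
    """The approach the reply warns against: anyone who has seen one
    request (sniffing proxy, browser dev tools) can copy this header."""
    return headers.get("User-Agent") == APP_UA


def sign_request(method, path, body, ts, secret=APP_SECRET):
    """Client side: HMAC-SHA256 over the parts of the request that matter,
    including a timestamp so a captured request ages out."""
    msg = f"{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def is_app_request_strong(method, path, body, headers, now, secret=APP_SECRET):
    """Server side: accept only requests whose signature verifies under the
    app's secret and whose timestamp is within MAX_SKEW of the server clock."""
    try:
        ts = int(headers["X-App-Timestamp"])   # hypothetical header names
        sig = headers["X-App-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = sign_request(method, path, body, ts, secret)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def demo():
    now = 1_470_000_000            # fixed clock so the run is deterministic
    path, body = "/api/run", b'{"job": 42}'   # constructed sample request

    # Legitimate request from the app, signed with the real secret.
    app_headers = {
        "User-Agent": APP_UA,
        "X-App-Timestamp": str(now),
        "X-App-Signature": sign_request("POST", path, body, now),
    }
    # Attacker who learned the User-Agent but not the secret: the header is
    # trivially copied, the signature has to be guessed.
    attacker_headers = dict(app_headers, **{"X-App-Signature": "0" * 64})
    # Attacker who captured a whole signed request and replays it an hour later.
    replay_headers = dict(app_headers)

    return {
        "weak_accepts_app": is_app_request_weak(app_headers),
        "weak_accepts_attacker": is_app_request_weak(attacker_headers),
        "strong_accepts_app": is_app_request_strong("POST", path, body, app_headers, now),
        "strong_rejects_forged": not is_app_request_strong("POST", path, body, attacker_headers, now),
        "strong_rejects_replay": not is_app_request_strong("POST", path, body, replay_headers, now + 3600),
        "strong_rejects_tampered_body": not is_app_request_strong(
            "POST", path, b'{"job": 43}', app_headers, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two caveats a practitioner would add. The signature authenticates the app, not the user, so it only helps if the remote app has itself authenticated the user, which is exactly the reply's point. And a request captured in the clear can still be replayed inside the skew window unless the server also tracks nonces; the real protection against the "sniffing proxy" is TLS, with the signature handling forgery rather than eavesdropping. In Django this kind of check would live in a custom authentication backend or middleware, not in an `if user_agent == ...` branch inside the view.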