Thursday, January 2, 2020

Re: How to make Django Application more secure

Hi, 

On Thu, 2 Jan 2020, 19:30 Jody Fitzpatrick, <jody.lee.fitzpatrick@gmail.com> wrote:
Hi Balaji

It's not necessarily template views.

Let's come up with a scenario so you can see.


Let's assume you have an order form, and your customers can view that order form by viewing:

yoururl.com/orders/?order_id=101

You think it's okay - after all the customer has to login and view their order.

In your backend you use something like


    customer_order_id = request.GET.get('order_id')
    order = CustomerOrder.objects.get(id=customer_order_id)


There are a couple of problems with this.

 You should NEVER use numbers as your IDs that your user sees.

 -- You can potentially let competitors know how many customers you have, or how many orders you processed.

But wait, if you look at the query - and I have seen this before... the query is not checking to see if the current user has permission to view the order...
it just grabs the record with the ID

Now assume that the end user changes 101 to 102, and to 103 -- if these records exist. They are going to get the data.

use something like uuid as your primary key to prevent this...

Also, add ownership to your queries, ex.) (id=customer_id, customer=request.user)

As a noob, I realised the "scope security" aspect but it took a LOT longer to realise that Django's ORM has a nice pattern which can be of use here. The idea is to use queries rooted on the user. Using Jody's example, observe that there must be an FK between the request.user and CustomerOrder.customer.

That means that the query could be written like this:

    order = request.user.customerorder_set.get(...)

AFAIK there is no performance penalty to using this style and it seems to me like a good habit to adopt (I'd be interested to hear if the experts think differently?). 

Thanks, Shaheed 
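A self-contained illustration of the two query styles discussed in this thread, added here and not code from either poster. It assumes a small in-memory stand-in for the Django manager (exact-match keyword lookups and a DoesNotExist exception), a UUID primary key as Jody suggests, and a username string in place of the User foreign key.

```python
import uuid
from dataclasses import dataclass, field


class DoesNotExist(Exception):
    """Stand-in for Django's Model.DoesNotExist (a view would turn it into a 404)."""


@dataclass
class CustomerOrder:
    customer: str  # username; in Django this is the FK to the User behind request.user
    total_cents: int
    # UUID primary key: not guessable, not enumerable, and it leaks no customer/order counts.
    id: uuid.UUID = field(default_factory=uuid.uuid4)


class Manager:
    """Minimal stand-in for a Django manager: get() with exact-match keyword lookups."""

    def __init__(self, rows):
        self._rows = list(rows)

    def get(self, **lookups):
        matches = [r for r in self._rows
                   if all(getattr(r, k) == v for k, v in lookups.items())]
        if len(matches) != 1:
            raise DoesNotExist(lookups)
        return matches[0]


def parse_order_id(raw):
    # Query-string values arrive as strings; a malformed ID is treated as "no such order".
    try:
        return uuid.UUID(str(raw))
    except ValueError:
        raise DoesNotExist(raw) from None


def order_unscoped(orders, raw_id):
    # The lookup from the thread: only the ID is checked, so any logged-in user
    # who supplies another customer's order ID receives that customer's order.
    return orders.get(id=parse_order_id(raw_id))


def order_scoped(orders, user, raw_id):
    # Ownership is part of the query: someone else's order is simply not found,
    # the same effect as request.user.customerorder_set.get(id=...).
    return orders.get(id=parse_order_id(raw_id), customer=user)
```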


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/343105a0-4bd3-42f0-ba0d-c41d2482f9e0%40googlegroups.com.

