Hi Balaji
It's not necessarily template views.
Let's come up with a scenario so you can see.
Let's assume you have an order form, and your customers can view that order form by viewing:
yoururl.com/orders/?order_id=101
You think it's okay - after all the customer has to login and view their order.
In your backend you use something like

    customer_order_id = request.GET.get('order_id')
    order = CustomerOrder.objects.get(id=customer_order_id)

There are a couple of problems with this.
You should NEVER use numbers as your IDs that your user sees.
-- You can potentially let competitors know how many customers you have, or how many orders you processed.
But wait, if you look at the query - and I have seen this before... the query is not checking to see if the current user has permission to view the order...
it just grabs the record with the ID.
Now assume that the end user changes 101 to 102, and to 103 -- if these records exist, they are going to get the data.
Use something like uuid as your primary key to prevent this...
Also, add ownership to your queries, ex.) (id=customer_id, customer=request.user)
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/343105a0-4bd3-42f0-ba0d-c41d2482f9e0%40googlegroups.com.
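Added example, not code from the post above or from Django: a plain dict stands in for CustomerOrder.objects so the two lookups can be compared without a database. Order, ORDERS, NotFound, parse_order_id, get_order_unchecked, get_order_for_user, can_view and the customers alice/bob are all constructed names; the point is that the ownership-checked lookup treats another customer's order exactly like a nonexistent one, and that a UUID key leaves nothing to count up from.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Stand-in for Django's DoesNotExist; Django itself is not imported here."""


@dataclass(frozen=True)
class Order:
    id: str        # random UUID string instead of a sequential integer
    customer: str  # username of the owning customer
    total: int


# Constructed sample data: two customers, three orders, keyed by UUIDs.
ALICE, BOB = "alice", "bob"
ORDERS = {o.id: o for o in (
    Order(str(uuid.uuid4()), ALICE, 4200),
    Order(str(uuid.uuid4()), ALICE, 1500),
    Order(str(uuid.uuid4()), BOB, 99),
)}


def parse_order_id(raw: Optional[str]) -> Optional[str]:
    """Reject anything that is not a well-formed UUID ('101', '', None) before it is ever queried."""
    try:
        return str(uuid.UUID(raw)) if raw else None
    except ValueError:
        return None


def get_order_unchecked(order_id: str) -> Order:
    """Mirrors CustomerOrder.objects.get(id=...): whoever asks gets any existing record."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_for_user(order_id: str, request_user: str) -> Order:
    """Mirrors .get(id=..., customer=request.user): someone else's order looks like a missing one."""
    order = ORDERS.get(order_id)
    if order is None or order.customer != request_user:
        raise NotFound(order_id)
    return order


def can_view(order_id: str, request_user: str) -> bool:
    try:
        get_order_for_user(order_id, request_user)
        return True
    except NotFound:
        return False
```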