Monday, November 28, 2011

Re: Security design questions


Thank you - that looks great. I'll start coding ...



On 29/11/2011 1:24am, Javier Guerra Giraldez wrote:
> On Mon, Nov 28, 2011 at 2:21 AM, Mike Dewhirst<> wrote:
>> 1. Do I have to create many-to-many relationships and before serving a page
>> make sure the user making the request is "permitted" to see it?
> That's how I've done this in the past. It's not too much burden.
> In my case, I had several image 'banks', and a user could have access
> to one or more, so there was a many-to-many between the user and bank
> models. In addition, the user could be on a single bank at a time
> (but could easily hop from one to the other), so I chose to store the
> bank ID in the session. To make it easier, I wrote a decorator
> similar to login_required that added a 'bank' field to the request, something like this
> (from failing memory):
>     request.bank = get_object_or_404(Bank, user=request.user,
>                                      pk=request.session['bank_id'])
> That way, if a user somehow modified his session to point to a bank he
> doesn't have access to, he would get a 404.
> Then, in any view that included a picture id, instead of doing the usual:
>     @login_required
>     def showpicture(request, pict_id):
>         picture = get_object_or_404(Picture, pk=pict_id)
>         ......
> I did like:
>     @login_required
>     @bank_required
>     def showpicture(request, pict_id):
>         picture = get_object_or_404(Picture, bank=request.bank, pk=pict_id)
>         ....
> With the same "404 if not allowed" result.
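The pattern Javier describes, written out as an added, runnable example (not code from the original thread): a bank_required decorator that resolves the session's bank_id to a bank the user is actually a member of (404 otherwise) and a view whose picture lookup is scoped to that bank, shown next to the unscoped "usual" view so the difference is visible. To run without Django, in-memory dataclasses and a small get_object_or_404 shim stand in for the ORM, the request and django.shortcuts; the field names bank.users and picture.bank, the sample users, banks and pictures, and the helper outcome() are all constructed for this example. In a real Django app, get_object_or_404(Bank, user=request.user, pk=...) does the membership filter in one query; the shim does the membership check explicitly.

```python
"""Framework-free sketch of the bank_required / scoped-lookup pattern.

Assumptions (not from the original post): in-memory stand-ins replace the
Django ORM, request, session and django.shortcuts.get_object_or_404 so the
block runs without Django. The fields `Bank.users` and `Picture.bank` and
the sample data below are illustrative, constructed for this example.
"""
from dataclasses import dataclass, field
from functools import wraps


class Http404(Exception):
    """Stand-in for django.http.Http404."""


@dataclass
class User:
    pk: int
    is_authenticated: bool = True


@dataclass
class Bank:
    pk: int
    users: set = field(default_factory=set)   # the user <-> bank many-to-many


@dataclass
class Picture:
    pk: int
    bank: Bank
    title: str


@dataclass
class Request:
    user: User
    session: dict = field(default_factory=dict)
    bank: Bank = None                           # filled in by bank_required


# Constructed sample data: two banks, two users, one picture in each bank.
ALICE, BOB = User(pk=1), User(pk=2)
BANK_A = Bank(pk=10, users={ALICE.pk})
BANK_B = Bank(pk=20, users={BOB.pk})
BANKS = [BANK_A, BANK_B]
PICTURES = [Picture(pk=100, bank=BANK_A, title="alice-only"),
            Picture(pk=200, bank=BANK_B, title="bob-only")]


def get_object_or_404(objects, **filters):
    """Stand-in for django.shortcuts.get_object_or_404: every filter must match."""
    for obj in objects:
        if all(getattr(obj, k) == v for k, v in filters.items()):
            return obj
    raise Http404(filters)


def login_required(view):
    """Reject anonymous callers (Django redirects to login; 404 keeps the sketch short)."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated:
            raise Http404("login required")
        return view(request, *args, **kwargs)
    return wrapper


def bank_required(view):
    """Resolve session['bank_id'] to a Bank the user belongs to, or 404.

    A tampered or stale bank_id (missing, or a bank the user is not a
    member of) never reaches the view: request.bank is only ever a bank
    the server has verified for this user.
    """
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        bank = get_object_or_404(BANKS, pk=request.session.get("bank_id"))
        if request.user.pk not in bank.users:
            raise Http404("not a member of this bank")
        request.bank = bank
        return view(request, *args, **kwargs)
    return wrapper


@login_required
def showpicture_unscoped(request, pict_id):
    """The 'usual' view: any logged-in user can fetch any picture by id."""
    return get_object_or_404(PICTURES, pk=pict_id).title


@login_required
@bank_required
def showpicture(request, pict_id):
    """Hardened view: the lookup is scoped to the caller's verified bank."""
    return get_object_or_404(PICTURES, pk=pict_id, bank=request.bank).title


def outcome(view, request, pict_id):
    """Run a view and return the picture title, or '404' if it was refused."""
    try:
        return view(request, pict_id)
    except Http404:
        return "404"


if __name__ == "__main__":
    alice = Request(user=ALICE, session={"bank_id": BANK_A.pk})
    print(outcome(showpicture_unscoped, alice, 200))   # bob-only: cross-bank leak
    print(outcome(showpicture, alice, 200))            # 404: scoped lookup refuses it
    print(outcome(showpicture, alice, 100))            # alice-only
    tampered = Request(user=ALICE, session={"bank_id": BANK_B.pk})
    print(outcome(showpicture, tampered, 200))         # 404: session points at a foreign bank
```

The point the two views make together: login_required alone only answers "is this a user?", while the scoped lookup answers "may this user see this object?". Adding the bank filter to the query means a guessed or enumerated picture id from another bank returns exactly what a non-existent id would, so the caller also learns nothing about which ids exist.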

