Hi.
Of course you don't use hidden field value at all from the form (you shouldn't even have those values there in the first place).
Get and set id and date after you have validated form otherwise to final object so there isn't any possibility to even try to change to value
On 17.8.2017 16.14, Thiago Luiz Parolin wrote:
--I have a system that does:Thanks.
1 - The user registers a project with name, title and responsible teacher
2 - The teacher responsible for this project must authorize it or not
So I have a page that displays to the teacher, all the projects that are waiting for authorization and in each project there is a small form with radio (yes / no) and a save button.
The form in django has no field that identifies a project or something, I save directly to the project template that has an authorization field (true or false).
How can I assign the choice of the teacher (yes or no) to the project?
Ie how to identify that this form below the project on the listing page is from project x and not from project z?
Today this is done with a hidden field in the form that is configured in the template with the id of the user who registered the project, but using options to inspect elements in browsers, an attacker can change the id and authorize other projects.
How can I prevent this?
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CACTnJ03kodSevdmwZRVsozucmqZQ5aJ4oLCTuhgecqjipXuxVw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment