On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

> 127.0.0.1:800/93/1
>
> This would delete an object with the id 93.
>
> This is very insecure and once the user notices how this works he
> could delete any object he wants.
>
> How can I make this more secure?!

There's pretty much always a public-facing URL that can be used to
delete a resource. I believe the best thing is just to require that a
user be logged in to perform the action. That's most simply done with a
@login_required decorator on the

If you keep track of which users created which resources, you can
restrict them to only deleting resources they created with some simple
logic in the view.

HTH,
Eric

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
