That's a good idea! Thx

. . . . . . . . . . . . . . . . . . . . . . . . . .
Patrick Szabo
XSLT Developer
LexisNexis
Marxergasse 25, 1030 Wien

mailto:patrick.sz...@lexisnexis.at
Tel.: +43 (1) 534 52 - 1573
Fax: +43 (1) 534 52 - 146

-----Original Message-----
From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On behalf of Shamail Tayyab
Sent: Friday, 04 March 2011 11:59
To: django-users@googlegroups.com
Subject: Re: AW: parameter, but not in the URL

On 04/03/11 4:08 PM, Eric Abrahamsen wrote:
> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>
>> Hi,
>>
>> Thanks for your fast response!
>>
>> I've already made sure that users can only edit or delete objects that
>> they've created but I thought it might be even better to hide that
>> information.
> If you put the delete link in a form "action", and have the delete view
> redirect to a different url when it's done, that's about as "hidden" as
> it gets. A determined user will still be able to figure out the pattern,
> but if they can only delete their own resources, then why hide it?
>
>> Kind regards
>>
>> -----Original Message-----
>>
>> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On
>> behalf of Eric Abrahamsen
>> Sent: Friday, 04 March 2011 10:46
>> To: django-users@googlegroups.com
>> Subject: Re: parameter, but not in the URL
>>
>> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>>
>>> 127.0.0.1:800/93/1
>>>
>>> This would delete an object with the id 93.
>>>
>>> This is very insecure and once the user notices how this works he
>>> could delete any object he wants.
>>>
>>> How can I make this more secure?!
>> There's pretty much always a public-facing URL that can be used to
>> delete a resource. I believe the best thing is just to require that a
>> user be logged in to perform the action. That's most simply done with a
>> @login_required decorator on the
>>
>> If you keep track of which users created which resources, you can
>> restrict them to only deleting resources they created with some simple
>> logic in the view.
>>
>> HTH,
>> Eric
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To post to this group, send email to django-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> django-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/django-users?hl=en.

Why don't you make the objects referred to by a key rather than by ID?
e.g.

    class Something(...):
        eid = StringField(max_length=48)  # additional field

Then while creating this object, you make this eid as:

    import random as r
    import hashlib
    # hexdigest() gives the string that goes into the URL; encode() is needed on Python 3
    eid = hashlib.sha1((str(r.random()) + "MY_COOL_SALT").encode()).hexdigest()

then you form your URLs like:

    /33bac54baa...33b/delete

This won't make it 100% secure, but will make it almost impossible to guess an ID.

Tx
--
Shamail Tayyab
Blog: http://shamail.in/blog
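As an added example (not code from the thread or from any of its authors), the following framework-agnostic Python models the delete view Eric describes: require a logged-in user, then check that the caller owns the object, with Shamail's unguessable key as a second layer. It draws the key from `secrets.token_urlsafe` rather than `random.random()`, because the `random` module is not designed to be unpredictable and should not be used for security tokens. The names `User`, `Resource`, `Store` and `handle_delete`, the status codes and the in-memory store are assumptions for this example; in a real Django project the same checks would sit behind `@login_required` in the view.

```python
"""Added example (not from the thread): object-level authorization for a
delete endpoint, with an unguessable public key as defense in depth.

Assumed names: User, Resource, Store, handle_delete. The store is an
in-memory stand-in for a database table, constructed for this example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Resource:
    pk: int          # sequential database id, like the 93 in the thread's URL
    owner: User
    # Opaque key exposed in URLs: 24 random bytes from the OS CSPRNG,
    # URL-safe base64 encoded (32 characters), instead of a sha1 of random().
    eid: str = field(default_factory=lambda: secrets.token_urlsafe(24))


class Store:
    """Constructed in-memory stand-in for a database table keyed by eid."""

    def __init__(self):
        self._by_eid = {}
        self._next_pk = 1

    def create(self, owner):
        res = Resource(pk=self._next_pk, owner=owner)
        self._next_pk += 1
        self._by_eid[res.eid] = res
        return res

    def get(self, eid):
        return self._by_eid.get(eid)

    def delete(self, eid):
        del self._by_eid[eid]


def handle_delete(store, current_user, eid):
    """Model of the delete view; returns an HTTP-like status code.

    Order matters: authentication first (what @login_required does), then
    lookup, then the ownership check, which is the real control. The opaque
    eid only makes URLs hard to enumerate; it is not what stops another user.
    """
    if current_user is None:
        return 401  # not logged in
    res = store.get(eid)
    if res is None or res.owner != current_user:
        # Same answer for "no such key" and "not your object", so the URL
        # space reveals nothing about which keys exist.
        return 404
    store.delete(eid)
    return 204


def demo():
    """Constructed scenario: alice owns one resource, bob tries to delete it."""
    store = Store()
    alice, bob = User("alice"), User("bob")
    doc = store.create(alice)
    return {
        "anonymous": handle_delete(store, None, doc.eid),
        "other_user": handle_delete(store, bob, doc.eid),
        "unknown_key": handle_delete(store, alice, "not-a-real-key"),
        "owner": handle_delete(store, alice, doc.eid),
        "owner_again": handle_delete(store, alice, doc.eid),
    }


if __name__ == "__main__":
    print(demo())
```

In Django the lookup-plus-ownership step collapses to one call, `get_object_or_404(Resource, eid=eid, owner=request.user)`, which yields the same "not found" answer whether the key is wrong or belongs to someone else; keeping that check is what matters, the opaque key only reduces how much the URL pattern tells a visitor.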