You might also pass the necessary parameters in a POST type form,
where the parameters don't appear in the URL, and if you're really
security conscious you can require that the POST come over https.

Bill

On Fri, Mar 4, 2011 at 6:00 AM, Szabo, Patrick (LNG-VIE)
<patrick.sz...@lexisnexis.at> wrote:
> That's a good idea!
>
> Thx
>
>
> . . . . . . . . . . . . . . . . . . . . . . . . . .
> Patrick Szabo
>  XSLT Developer
> LexisNexis
> Marxergasse 25, 1030 Wien
>
> mailto:patrick.sz...@lexisnexis.at
> Tel.: +43 (1) 534 52 - 1573
> Fax: +43 (1) 534 52 - 146
>
>
> -----Original Message-----
>
> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On
> Behalf Of Shamail Tayyab
> Sent: Friday, 04 March 2011 11:59
> To: django-users@googlegroups.com
> Subject: Re: AW: parameter, but not in the URL
>
> On 04/03/11 4:08 PM, Eric Abrahamsen wrote:
>> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>>
>>> Hi,
>>>
>>> Thanks for your fast response!
>>>
>>> I've already made sure that users can only edit or delete objects that
>>> they've created, but I thought it might be even better to hide that
>>> information.
>> If you put the delete link in a form "action", and have the delete view
>> redirect to a different url when it's done, that's about as "hidden" as
>> it gets. A determined user will still be able to figure out the pattern,
>> but if they can only delete their own resources, then why hide it?
>>
>>> Kind regards
>>>
>>>
>>> . . . . . . . . . . . . . . . . . . . . . . . . . .
>>> Patrick Szabo
>>>   XSLT Developer
>>> LexisNexis
>>> Marxergasse 25, 1030 Wien
>>>
>>> mailto:patrick.sz...@lexisnexis.at
>>> Tel.: +43 (1) 534 52 - 1573
>>> Fax: +43 (1) 534 52 - 146
>>>
>>>
>>> -----Original Message-----
>>>
>>> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com]
>>> On Behalf Of Eric Abrahamsen
>>> Sent: Friday, 04 March 2011 10:46
>>> To: django-users@googlegroups.com
>>> Subject: Re: parameter, but not in the URL
>>>
>>> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>>>
>>>> 127.0.0.1:800/93/1
>>>>
>>>>
>>>>
>>>> This would delete an object with the id 93.
>>>>
>>>> This is very insecure, and once the user notices how this works he
>>>> could delete any object he wants.
>>>>
>>>>
>>>>
>>>> How can I make this more secure?!
>>> There's pretty much always a public-facing URL that can be used to
>>> delete a resource. I believe the best thing is just to require that a
>>> user be logged in to perform the action. That's most simply done with a
>>> @login_required decorator on the
>>>
>>> If you keep track of which users created which resources, you can
>>> restrict them to only deleting resources they created with some simple
>>> logic in the view.
>>>
>>> HTH,
>>> Eric
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups 
>>> "Django users" group.
>>> To post to this group, send email to django-users@googlegroups.com.
>>> To unsubscribe from this group, send email to 
>>> django-users+unsubscr...@googlegroups.com.
>>> For more options, visit this group at 
>>> http://groups.google.com/group/django-users?hl=en.
>
> Why don't you make the objects to be referred by a key rather than ID?
>
> e.g
>
> class Something(...):
>     eid = StringField(max_length=48)   # additional field.
>
> Then while creating this object, you make this eid as:
> import random as r
> import hashlib
> # sha1() wants bytes and returns a hash object; store its hex digest in the field.
> eid = hashlib.sha1((str(r.random()) + "MY_COOL_SALT").encode()).hexdigest()
>
> then you form your URLs like:
> /33bac54baa...33b/delete
>
> This won't make it 100% secure, but will make it almost impossible to
> guess an ID.
>
> Tx
>
> --
> Shamail Tayyab
> Blog: http://shamail.in/blog
>

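As an added example (not code from anyone in this thread), here is how the advice above fits together in one delete handler: login required, ownership checked in the view, POST only, https required, and the public key generated with a CSPRNG instead of random.random(). It is modelled without Django so it runs stand-alone; Item, Request, Store and delete_view are hypothetical stand-ins for the model, HttpRequest, the ORM and the view function.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Item:
    eid: str      # public, unguessable key used in the URL instead of the pk
    owner: str    # username of the user who created it
    title: str

@dataclass
class Request:
    user: Optional[str]      # None models Django's AnonymousUser
    method: str = "GET"
    secure: bool = True      # models request.is_secure(): came over https

@dataclass
class Store:
    """Stand-in for the ORM table holding Items, keyed by eid."""
    items: dict = field(default_factory=dict)

    def create(self, owner: str, title: str) -> str:
        # secrets is a CSPRNG; random.random() is a Mersenne Twister whose
        # output is predictable once a few values (or the seed) leak.
        eid = secrets.token_urlsafe(24)
        self.items[eid] = Item(eid, owner, title)
        return eid

def delete_view(request: Request, eid: str, store: Store):
    """Return (http_status, redirect_location), like a Django view would."""
    if request.user is None:                      # @login_required
        return 302, "/accounts/login/?next=/%s/delete" % eid
    if request.method != "POST":                  # @require_POST
        return 405, None
    if not request.secure:                        # refuse the POST over plain http
        return 403, None
    item = store.items.get(eid)
    # Same answer for "does not exist" and "not yours", so the response
    # does not confirm which eids are valid.
    if item is None or item.owner != request.user:
        return 404, None
    del store.items[eid]
    return 302, "/"                               # redirect elsewhere when done
```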