On 23 Mar 12:04, Tom Evans wrote:
> On Fri, Mar 23, 2012 at 12:00 PM, Brett Parker
> <idu...@sommitrealweird.co.uk> wrote:
> > On 23 Mar 04:38, Bastien wrote:
> >> Sorry maybe my post was not very clear, I am talking about public content
> >> here, that should be accessed by anyone, even anonymous users not logged
> >> in.
> >> For instance if we talk about photos, publicly available, the url would
> >> look something like /photos/1, /photos/2 .... 1 and 2 being the pk of the
> >> object in the db. If someone wants to download or link to these photos in a
> >> totally uncontrollable way (without using an API), with that system we are
> >> making it very easy to do mass content leakage. I don't want to promote
> >> security by obscurity here, just want to know what people in the group
> >> think about it and what solutions can be implemented, or if it is relevant
> >> at all.
> >
> > Are there links on the site to those bits of content, anyways? If so,
> > then this is entirely irrelevant, as they're already entirely
> > spiderable, and there's plenty of software out there that will parse web
> > pages and download all content, and follow links, etc.
> >
> > Cheers,
> > --
> > Brett Parker
> >
>
> You might have a page with links to '/photos/1' and '/photos/2'. You
> don't want someone to try to download all the photos by guessing that
> there may be content at '/photos/3' as well. Using non-predictable
> URIs for resources allows you to control how and when a user is linked
> to a resource.
*if* they wanted all the photos, then spidering the site isn't exactly
difficult, see wget -m. They'll end up with more than they need, but
it'll all be local, and it'd take them minutes to then just weed out the
photos - obscuring urls and using random ids just appears to be a waste
of time for public content.

--
Brett Parker
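The non-predictable resource URIs Tom describes, as an added Python example that is not from the thread or from Django: each pk is bound to a keyed-HMAC tag so a `/photos/<token>/` segment for an unlinked object cannot be produced by incrementing a number, beside the plain `/photos/<pk>/` lookup from Bastien's post. The secret key and the photo table are constructed stand-ins.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads it from settings, never a literal.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
PK_BYTES = 8
TAG_BYTES = 16  # 128-bit truncation of HMAC-SHA256 is ample for a URL tag

# Constructed stand-in for the photos table: pk -> stored file name.
PHOTOS = {1: "cat.jpg", 2: "dog.jpg", 3: "unlisted.jpg"}


def sequential_lookup(pk: int):
    """The /photos/<pk>/ scheme from the thread: every integer is a plausible guess."""
    return PHOTOS.get(pk)


def photo_token(pk: int) -> str:
    """Opaque URL segment for /photos/<token>/: pk followed by its keyed tag."""
    pk_raw = pk.to_bytes(PK_BYTES, "big")
    tag = hmac.new(SECRET_KEY, pk_raw, hashlib.sha256).digest()[:TAG_BYTES]
    return base64.urlsafe_b64encode(pk_raw + tag).rstrip(b"=").decode()


def resolve_token(token: str):
    """Return the photo for a valid token, or None (serve a 404) for a guessed or altered one."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != PK_BYTES + TAG_BYTES:
        return None
    pk_raw, tag = raw[:PK_BYTES], raw[PK_BYTES:]
    expected = hmac.new(SECRET_KEY, pk_raw, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return PHOTOS.get(int.from_bytes(pk_raw, "big"))


def neighbour_rejected(pk: int) -> bool:
    """Self-check: splice pk+1 onto pk's tag, the way a sequential guess would; the MAC must fail."""
    raw = base64.urlsafe_b64decode(photo_token(pk) + "=" * (-len(photo_token(pk)) % 4))
    spliced = (pk + 1).to_bytes(PK_BYTES, "big") + raw[PK_BYTES:]
    forged = base64.urlsafe_b64encode(spliced).rstrip(b"=").decode()
    return resolve_token(forged) is None
```

The token still exposes the pk in its first bytes, which is fine here: the point is that an unlinked id is unreachable without the key, not that the id is hidden.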