I would still argue that the best solution is to use a robust permissions model which would preclude this. Wherever there is code, you invariably have the potential for security flaws. The more complicated you make that code, the more chances for mistakes. On the other hand, simpler code with well-defined methods for data access (e.g., maybe you never use MyModel.objects, but rather have a custom function for filtering objects based on permissions constraints; then you only have to ensure security in one place) makes for fewer mistakes and a code base which is easier to maintain.
_Nik

On 9/21/2012 12:26 PM, Rohit Banga wrote:
>
> I don't want to filter rows by "userid" since one place we forget the
> filter in the code and there is an unauthorized data access.
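
The single access point suggested in the reply above, sketched as an added example that is not part of the original thread. It uses the standard-library `sqlite3` module instead of the Django ORM so that it runs on its own; the `notes` table, the `ScopedNotes` class and `build_demo_db` are hypothetical names.

```python
import sqlite3


class ScopedNotes:
    """The only data-access path for the notes table (hypothetical schema).

    Callers never write their own SELECT, so the owner filter cannot be
    forgotten in one of many call sites: it exists in exactly one place.
    """

    def __init__(self, conn, user_id):
        if not isinstance(user_id, int):
            raise PermissionError("a concrete user id is required")
        self._conn = conn
        self._user_id = user_id

    def _select(self, where="1=1", params=()):
        # `where` is only ever a literal written in this class; values that
        # come from callers travel as bound parameters.
        sql = ("SELECT id, owner_id, body FROM notes "
               f"WHERE owner_id = ? AND ({where})")
        return self._conn.execute(sql, (self._user_id, *params)).fetchall()

    def all(self):
        return self._select()

    def search(self, text):
        return self._select("body LIKE ?", (f"%{text}%",))

    def get(self, note_id):
        rows = self._select("id = ?", (note_id,))
        if not rows:
            # Same error for "missing" and "not yours", so ids cannot be probed.
            raise LookupError("note not found")
        return rows[0]


def build_demo_db():
    """Constructed sample data: user 1 owns two notes, user 2 owns one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner_id, body) VALUES (?, ?)",
        [(1, "alice budget"), (1, "alice todo"), (2, "bob budget")])
    return conn
```

Reviewing or testing the permission rule then means reviewing `_select`, rather than every query in the code base.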

