On Sat, 2007-10-06 at 00:08 +0200, Andreas Ahlenstorf wrote:
> Hi,
> 
> At the moment, it's possible to retrieve more data in the  
> templates using method calls like all() [1]. While this may be fine  
> in controlled environments, it may pose a risk at services where you  
> have to deal with user supplied templates (think of a service like  
> Typepad). A user might use the method calls to access data which he  
> isn't supposed to.
> 
> Now, I'd like to know what I have to do to a) disable method calls in  
> the templates or b) to disable specific method calls like all() in  
> templates without breaking too much.
> 
> Generally, I would favor a solution where the access to every method  
> is prohibited but where I can still explicitly flag a method as  
> accessible.

The user can only call methods on the objects you pass to the template
via the context. So if you want to restrict what they can do, only pass
in objects that have the methods you want to permit. This is exactly why
this method of function calling isn't any kind of security problem: the
view writer has precise control over what resources are supplied to
template authors.

For example, convert all querysets to lists in the view and pass the
list into the template (or wrap it in a class that provides only an
iterator over the queryset's iterator and no access to the wrapped
object).

Regards,
Malcolm
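
The two fixes Malcolm describes (pass a plain list, or pass a wrapper that
only iterates), worked through as an added example. This is not code from
the thread or from Django itself: resolve_lookup() is a deliberately small
imitation of how a Django template resolves {{ a.b.c }} (dict key, then
attribute, then list index, with zero-argument callables being called, and
callables flagged alters_data or names starting with an underscore refused);
FakeQuerySet, FakeManager and ROWS are constructed stand-ins, and the
model_manager attribute is an assumed stand-in for whatever path a real
queryset offers back to its unfiltered manager. The point it shows is that a
template author who is handed a queryset can walk from it to data the view
never selected, while a list or an iterate-only wrapper gives the same
{% for %} loop and nothing else.

```python
"""Mini-model of Django's template lookup rule and of two ways to fence it.

Added illustration, not code from the thread or from Django. Assumptions:
resolve_lookup() imitates Django's dotted variable resolution; FakeQuerySet,
FakeManager, ROWS and the model_manager attribute are constructed stand-ins.
"""

STRING_IF_INVALID = ""  # what a failed lookup renders as


def resolve_lookup(context, dotted):
    """Resolve 'a.b.c' roughly the way a Django template variable does."""
    current = context
    for bit in dotted.split("."):
        if bit.startswith("_"):                          # underscore names refused
            return STRING_IF_INVALID
        try:
            current = current[bit]                       # dict lookup
        except (TypeError, KeyError, AttributeError, IndexError):
            try:
                current = getattr(current, bit)          # attribute lookup
            except AttributeError:
                try:
                    current = current[int(bit)]          # list index
                except (TypeError, ValueError, IndexError, KeyError):
                    return STRING_IF_INVALID
        if callable(current):
            if getattr(current, "alters_data", False):   # e.g. a delete() method
                return STRING_IF_INVALID
            current = current()                          # this is where all() runs
    return current


class FakeQuerySet:
    """Stand-in for a queryset: iterable, with all() and delete()."""

    def __init__(self, rows, model_manager):
        self._rows = list(rows)
        self.model_manager = model_manager  # assumed route back to the manager

    def __iter__(self):
        return iter(self._rows)

    def all(self):
        return FakeQuerySet(self._rows, self.model_manager)

    def delete(self):
        self._rows.clear()

    delete.alters_data = True  # destructive methods are flagged like this


class FakeManager:
    """Stand-in for Model.objects."""

    def __init__(self, rows):
        self._rows = rows

    def all(self):
        return FakeQuerySet(self._rows, self)

    def published(self):
        return FakeQuerySet([r for r in self._rows if r["published"]], self)


def iter_only(iterable):
    """Wrapper that yields items and exposes nothing else.

    The wrapped object lives only in this closure; the instance has no
    attributes (empty __slots__) and no __getitem__, so a dotted lookup
    cannot reach the queryset through it.
    """
    class IterOnly:
        __slots__ = ()

        def __iter__(self):
            return iter(iterable)

    return IterOnly()


def render_titles(context, var):
    """Equivalent of {% for a in var %}{{ a.title }}{% endfor %}."""
    seq = resolve_lookup(context, var)
    if seq == STRING_IF_INVALID:
        return []
    return [resolve_lookup({"a": row}, "a.title") for row in seq]


# Constructed sample data: one published article, one draft.
ROWS = [
    {"title": "Public post", "published": True},
    {"title": "Secret draft", "published": False},
]
ARTICLES = FakeManager(ROWS)


def build_contexts():
    """The same view written three ways: raw queryset, list, iterate-only wrapper."""
    return {
        "raw": {"articles": ARTICLES.published()},
        "list": {"articles": list(ARTICLES.published())},
        "wrapped": {"articles": iter_only(ARTICLES.published())},
    }


if __name__ == "__main__":
    for name, ctx in build_contexts().items():
        print(name, render_titles(ctx, "articles"),
              render_titles(ctx, "articles.model_manager.all"))
```

With the raw queryset in the context, the template expression
articles.model_manager.all renders the draft as well as the published
post; with the list or the wrapper it renders nothing, while the plain
articles loop gives the same result in all three cases. The wrapper keeps
the queryset in a closure rather than on self so that no attribute name,
however obscure, leads back to it.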



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---