Re: Anyone is able to delete or update other's post through url

2019-06-24 Thread Jarret Minkler
Relying on the front end is not a secure solution.

On Mon, Jun 24, 2019 at 10:37 AM Brandon Rosenbloom <brandonrosenbl...@gmail.com> wrote:

> I’m kind of new to this as well but figured I would take a stab at this.
> It seems to me that if you wanted to prevent users from deleting posts that
> weren’t theirs, the appropriate course of action would be to simply remove
> their ability to access the delete method in the first place. I would
> recommend placing logic in the front end that only shows the delete option
> to logged in users who are the original authors of the post.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/25b558ad-9811-4705-84b4-93dce71d30fb%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
Jarret Minkler



Re: Anyone is able to delete or update other's post through url

2019-06-24 Thread Kasper Laudrup
On June 24, 2019 4:35:45 PM GMT+02:00, Brandon Rosenbloom wrote:
>I would recommend placing logic in the front end that only shows
>the delete option to logged in users who are the original authors of
>the post.

That would be good for usability (don't give the user options that she cannot 
use), but is definitely not good enough in terms of security.

Any slightly competent attacker would still be able to delete the post. Rule #0 
in security is never to trust the client.

I might have misunderstood you though, just thought this was important to point 
out.

Kind regards,

Kasper



Re: Anyone is able to delete or update other's post through url

2019-06-24 Thread Gaurav Sahu
Thanks, it works. Also, other people are able to access the detail view of 
draft posts through the URL. I thought of a solution: I will provide only the 
list of drafts, and if the user clicks on one it will take them to the edit page 
of that post. But I am not able to implement this.

On Monday, June 24, 2019 at 8:39:26 PM UTC+5:30, Aldian Fazrihady wrote:
>
> I would implement get_queryset method that filter blog post by 
> author=self.request.user
>
> Regards, 
>
> Aldian Fazrihady
>



Re: Anyone is able to delete or update other's post through url

2019-06-24 Thread Aldian Fazrihady
I would implement a get_queryset method that filters blog posts by
author=self.request.user

Regards,

Aldian Fazrihady



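The following is an added example, not code from this thread or from Gaurav's project. It models the three views discussed (edit, delete, and the draft detail view from the follow-up) in plain Python with an in-memory list of posts, so it runs without Django; User, Post, owned_by, visible_to, update_post, unsafe_update_post, delete_post and post_detail are hypothetical stand-ins, and the sample posts are constructed. It shows why hiding the button in the front end (Brandon's suggestion) changes nothing server-side, how scoping the lookup to the requester (Aldian's get_queryset suggestion) closes the hole, and how the same scoping keeps other users out of drafts.

```python
"""Server-side object-level authorization for edit, delete and detail views.

Added example, modelled in plain Python (no Django) so it runs stand-alone.
All names here are hypothetical; the shapes mirror the thread's views: a
lookup scoped to the requester (the get_queryset idea), the original
post_delete if-check, and a detail lookup that hides other users' drafts.
"""
from dataclasses import dataclass
from typing import List


class NotFound(Exception):
    """Stands in for Django's Http404."""


class Forbidden(Exception):
    """Stands in for a 403, or the login redirect that @login_required issues."""


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Post:
    slug: str
    author: str
    body: str
    published: bool = True


def sample_posts() -> List[Post]:
    """Constructed sample data: two authors, one unpublished draft."""
    return [
        Post("hello", author="alice", body="first post"),
        Post("draft", author="alice", body="not yet", published=False),
        Post("bob-post", author="bob", body="bob's post"),
    ]


def require_login(user: User) -> None:
    if not user.is_authenticated:
        raise Forbidden("login required")


def get_object_or_404(posts: List[Post], slug: str) -> Post:
    for post in posts:
        if post.slug == slug:
            return post
    raise NotFound(slug)


def owned_by(posts: List[Post], user: User) -> List[Post]:
    """What an owner-scoped get_queryset() would return."""
    return [p for p in posts if p.author == user.username]


def visible_to(posts: List[Post], user: User) -> List[Post]:
    """Detail-view queryset: published posts, plus the requester's own drafts."""
    return [p for p in posts if p.published or p.author == user.username]


def unsafe_update_post(posts: List[Post], user: User, slug: str, new_body: str) -> Post:
    """The bug from the thread: login is checked, ownership is not.

    Hiding the edit link in the template does not stop this; the attacker
    simply requests the edit URL directly with a known slug.
    """
    require_login(user)
    post = get_object_or_404(posts, slug)  # unscoped lookup
    post.body = new_body
    return post


def update_post(posts: List[Post], user: User, slug: str, new_body: str) -> Post:
    """Fixed: the lookup itself is scoped, so non-owners get a 404."""
    require_login(user)
    post = get_object_or_404(owned_by(posts, user), slug)
    post.body = new_body
    return post


def delete_post(posts: List[Post], user: User, slug: str) -> None:
    """The original function-based view's pattern: look up, then compare author."""
    require_login(user)
    post = get_object_or_404(posts, slug)
    if post.author != user.username:
        # Correct, but answering 403 confirms the slug exists; update_post's
        # scoped lookup gives the same 404 for "not yours" and "not there".
        raise Forbidden(slug)
    posts.remove(post)


def post_detail(posts: List[Post], user: User, slug: str) -> Post:
    """Drafts are reachable only by their author; everyone sees published posts."""
    return get_object_or_404(visible_to(posts, user), slug)


def raises(exc, fn, *args) -> bool:
    """Small helper so callers can check that a view refuses a request."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

In Django terms, update_post is PostUpdateView with get_queryset() returning Post.objects.filter(author=self.request.user): SingleObjectMixin.get_object() looks the slug up in that queryset and raises Http404 when it is not there, so no separate if-check is needed. The draft case is the same override on the detail view, filtering on published=True OR author=self.request.user.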

Anyone is able to delete or update other's post through url

2019-06-24 Thread Brandon Rosenbloom
I’m kind of new to this as well but figured I would take a stab at this. It 
seems to me that if you wanted to prevent users from deleting posts that 
weren’t theirs, the appropriate course of action would be to simply remove 
their ability to access the delete method in the first place. I would recommend 
placing logic in the front end that only shows the delete option to logged in 
users who are the original authors of the post.



Anyone is able to delete or update other's post through url

2019-06-23 Thread Gaurav Sahu
Hi, I am developing a Django blog application. In this application, I have 
a PostEdit view to edit a post and a delete post view to delete a post. 
These operations can only be performed by the user who created that 
post. I used a function-based view for delete and a CBV for edit. Now 
what is happening is that any user is able to delete or edit others' 
posts through the URL. In my delete post view, since it is a function-based 
view, I have used an if condition to prevent another user from deleting 
someone else's post. But since I am using a CBV for post edit, I am not able 
to find a way to prevent a user from editing someone else's post.
So how can I prevent another user from editing someone else's post?


from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin
from django.shortcuts import get_object_or_404, redirect
from django.views.generic import UpdateView

from .forms import PostForm   # assumed app-local module names
from .models import Post


class PostUpdateView(LoginRequiredMixin, UpdateView):
    model = Post
    template_name = 'blog/post_form.html'
    form_class = PostForm
    # No get_queryset() override: the default lookup is Post.objects.all(),
    # so any logged-in user who knows the slug reaches the edit form.

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        context['title'] = 'Update'
        return context

    def form_valid(self, form):
        # Reassigns the author to whoever submits the form.
        form.instance.author = self.request.user
        form.save()  # super().form_valid() saves the form a second time
        return super().form_valid(form)


@login_required
def post_delete(request, slug):
    post = get_object_or_404(Post, slug=slug)
    if request.user == post.author:  # ownership check, done server-side
        post.delete()
        return redirect('blog:post_list')
    else:
        return redirect('blog:post_detail', slug=slug)







Anyone is able to delete or update other's post through url

2019-06-23 Thread Gaurav Sahu
ok
