On Jun 14, 2012 12:48 AM, "Anssi Kääriäinen" <[email protected]>
wrote:
>
> This seems to be different from what Rails do: they have
> update_attributes which updates all model attributes present in the
> request, but leaves all others untouched. So, in Rails if you render
> only part of the fields in update view, then you will not get the non-
> included fields overwritten to NULL, which conveniently hides the
> problem that the fields are in fact editable through the request.
>
> To me it seems there is no similar attack vector against Django's
> implementation as there were against Rails.
>

Right, the Django situation is already considerably more secure than the
Rails status quo. They have a whitelist or blacklist of attributes that
they have declared "accessible", independent of forms, making it easy to
misunderstand that any form can update any accessible attribute regardless
of the input fields the developer has included.

Our forms only validate the fields they explicitly or implicitly include.
The only way to get a security hole is to have a mismatch between the
fields in your python form and the input fields in your HTML. Since all our
forms are explicit, it is feasible to catch that scenario and throw an
error, which I think we should do.

Best,
Alex Ogier

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.