Hi, thanks for your fast response!

I've already made sure that users can only edit or delete objects that they've created, but I thought it might be even better to hide that information.

Kind regards

Patrick Szabo
XSLT Developer
LexisNexis
Marxergasse 25, 1030 Wien
mailto:patrick.sz...@lexisnexis.at
Tel.: +43 (1) 534 52 - 1573
Fax: +43 (1) 534 52 - 146

-----Original Message-----
From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On Behalf Of Eric Abrahamsen
Sent: Friday, 04 March 2011 10:46
To: django-users@googlegroups.com
Subject: Re: parameter, but not in the URL

On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

> 127.0.0.1:800/93/1
>
> This would delete an object with the id 93.
>
> This is very insecure and once the user notices how this works he
> could delete any object he wants.
>
> How can I make this more secure?!

There's pretty much always a public-facing URL that can be used to delete a resource. I believe the best thing is just to require that a user be logged in to perform the action. That's most simply done with a @login_required decorator on the

If you keep track of which users created which resources, you can restrict them to only deleting resources they created with some simple logic in the view.

HTH,
Eric

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
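The two controls Eric describes (require a login, then restrict the delete to objects the caller created) plus Patrick's wish to hide other users' objects, written out as an added example that is not code from either poster. It mirrors the Django pattern of `@login_required` together with `get_object_or_404(Model, pk=pk, owner=request.user)`, but uses an in-memory store and tiny stand-in `User`/`Request`/`Response` classes so it runs without Django; the `Item` model, the `owner_id` field, the user names and the ids 93/94 are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Dict, List


# Minimal stand-ins for Django's request.user, a model instance and HttpResponse.
@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_authenticated: bool = True


@dataclass
class Item:
    id: int
    owner_id: int  # records which user created the object
    title: str


@dataclass
class Request:
    user: User
    method: str = "GET"


@dataclass
class Response:
    status: int
    body: str = ""


# Constructed sample users and objects (hypothetical, not from the thread).
ANONYMOUS = User(id=0, username="anonymous", is_authenticated=False)
ALICE = User(id=1, username="alice")
BOB = User(id=2, username="bob")

ITEMS: Dict[int, Item] = {}


def reset_store() -> None:
    """Repopulate the in-memory 'table' so every run starts from the same state."""
    ITEMS.clear()
    ITEMS.update({
        93: Item(93, owner_id=ALICE.id, title="alice's draft"),
        94: Item(94, owner_id=BOB.id, title="bob's draft"),
    })


def login_required(view):
    """Same idea as django.contrib.auth.decorators.login_required:
    anonymous callers are sent to the login page before the view body runs."""
    @wraps(view)
    def wrapper(request: Request, *args, **kwargs) -> Response:
        if not request.user.is_authenticated:
            return Response(302, "redirect to /accounts/login/")
        return view(request, *args, **kwargs)
    return wrapper


@login_required
def delete_item(request: Request, pk: int) -> Response:
    # State-changing actions only on POST: a link that deletes on GET can be
    # triggered by any page the logged-in user happens to load.
    if request.method != "POST":
        return Response(405, "method not allowed")
    # Ownership is part of the lookup, the equivalent of
    # get_object_or_404(Item, pk=pk, owner=request.user). A non-owner gets the
    # same 404 as a missing id, so guessing ids reveals nothing about other
    # users' objects.
    item = ITEMS.get(pk)
    if item is None or item.owner_id != request.user.id:
        return Response(404, "not found")
    del ITEMS[pk]
    return Response(302, "redirect to /items/")


def owned_items(user: User) -> List[Item]:
    """List-view counterpart: only ever show the caller their own objects."""
    return [item for item in ITEMS.values() if item.owner_id == user.id]


if __name__ == "__main__":
    reset_store()
    print(delete_item(Request(ANONYMOUS, "POST"), 93))  # anonymous -> login redirect
    print(delete_item(Request(BOB, "POST"), 93))        # not bob's -> 404
    print(delete_item(Request(ALICE, "POST"), 93))      # owner -> deleted
    print(sorted(ITEMS))                                # [94]
```

Two design choices worth keeping when translating this back to a real view: filtering on the owner inside the lookup (rather than fetching by id and then comparing) means the ownership check cannot be forgotten on a later code path, and answering a non-owner with 404 instead of 403 keeps the existence of other users' objects hidden, which is the information Patrick wanted to withhold.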