On 04/03/11 4:08 PM, Eric Abrahamsen wrote:
On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

Hi,

Thanks for your fast response!

I've already made sure that users can only edit or delete objects that
they've created, but I thought it might be even better to hide that
information.
If you put the delete link in a form "action", and have the delete view
redirect to a different url when it's done, that's about as "hidden" as
it gets. A determined user will still be able to figure out the pattern,
but if they can only delete their own resources, then why hide it?

Kind regards


. . . . . . . . . . . . . . . . . . . . . . . . . .
Patrick Szabo
  XSLT Developer
LexisNexis
Marxergasse 25, 1030 Wien

mailto:patrick.sz...@lexisnexis.at
Tel.: +43 (1) 534 52 - 1573
Fax: +43 (1) 534 52 - 146


-----Original Message-----

From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On Behalf Of Eric Abrahamsen
Sent: Friday, 04 March 2011 10:46
To: django-users@googlegroups.com
Subject: Re: parameter, but not in the URL

On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

127.0.0.1:800/93/1

This would delete an object with the id 93.

This is very insecure, and once the user notices how this works he
could delete any object he wants.

How can I make this more secure?!
There's pretty much always a public-facing URL that can be used to
delete a resource. I believe the best thing is just to require that a
user be logged in to perform the action. That's most simply done with a
@login_required decorator on the

If you keep track of which users created which resources, you can
restrict them to only deleting resources they created with some simple
logic in the view.

HTH,
Eric

--
You received this message because you are subscribed to the Google Groups "Django 
users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.

Why don't you make the objects to be referred by a key rather than ID?

e.g.

from django.db import models

class Something(models.Model):
    # additional field: the opaque key used in URLs instead of the numeric id;
    # unique so it can be used for lookups
    eid = models.CharField(max_length=48, unique=True)

Then while creating this object, you make this eid as:

import random as r
import hashlib

# hashlib needs bytes, and .hexdigest() gives the 40-char string to store
eid = hashlib.sha1((str(r.random()) + "MY_COOL_SALT").encode("utf-8")).hexdigest()

then you form your URLs like:
/33bac54baa...33b/delete

This won't make it 100% secure, but will make it almost impossible to guess an ID.

Tx

--
Shamail Tayyab
Blog: http://shamail.in/blog

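The two pieces of advice in this thread, Eric's (login required, POST-only delete from a form action, only the owner may delete, redirect afterwards) and Shamail's (look objects up by an unguessable key instead of the numeric id), combined in one framework-free Python 3 model. This is an added example, not code from any poster; `Store`, `Item`, `Request` and `delete_view` are stand-ins for the Django model, request and view, and the comments name the Django decorator or helper each check corresponds to. One substitution is made on purpose: the key comes from `secrets.token_hex`, the OS CSPRNG, rather than `sha1(random.random() + salt)`, because `random.random()` is not a cryptographic generator and a constant salt adds nothing against guessing.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def make_eid() -> str:
    """Unguessable URL key: 20 bytes from the OS CSPRNG, hex-encoded.
    40 characters, so it fits the 48-char column suggested in the thread.
    (Swapped in for sha1(str(random.random()) + salt): same length, but
    the randomness is cryptographic and there is no static salt to leak.)"""
    return secrets.token_hex(20)


@dataclass
class Item:
    """Stand-in for the Django model: numeric pk, owner, and the opaque eid."""
    id: int
    owner: str
    eid: str = field(default_factory=make_eid)


@dataclass
class Request:
    """Stand-in for HttpRequest: user is None when anonymous."""
    user: Optional[str]
    method: str  # "GET" or "POST"


class Store:
    """Stand-in for the Item table, indexed by pk and by eid."""

    def __init__(self) -> None:
        self.by_id: Dict[int, Item] = {}
        self.by_eid: Dict[str, Item] = {}

    def create(self, owner: str) -> Item:
        item = Item(id=len(self.by_id) + 1, owner=owner)
        self.by_id[item.id] = item
        self.by_eid[item.eid] = item
        return item

    def delete(self, item: Item) -> None:
        del self.by_id[item.id]
        del self.by_eid[item.eid]


def delete_view(store: Store, request: Request, eid: str) -> Tuple[int, str]:
    """Model of a hardened delete view. Returns (status, location_or_body).

    Check order mirrors what the Django decorators and helpers would do:
      1. @login_required        -> 302 to the login page for anonymous users
      2. @require_POST          -> 405 for GET, so a bare link cannot delete;
                                   the form "action" Eric mentions submits POST
      3. get_object_or_404(Item, eid=eid, owner=request.user)
                                -> 404 whether the key is unknown OR belongs
                                   to someone else, so the response does not
                                   reveal which of the two it was
      4. delete, then redirect  -> 302 to the list page, as Eric suggests
    """
    if request.user is None:
        return 302, "/accounts/login/?next=/%s/delete/" % eid
    if request.method != "POST":
        return 405, "Method Not Allowed"
    item = store.by_eid.get(eid)
    if item is None or item.owner != request.user:
        return 404, "Not Found"
    store.delete(item)
    return 302, "/items/"


if __name__ == "__main__":
    # Constructed scenario: alice owns one item, bob tries to delete it.
    store = Store()
    mine = store.create("alice")
    print("eid:", mine.eid)
    print("anonymous POST:", delete_view(store, Request(None, "POST"), mine.eid))
    print("bob POST:      ", delete_view(store, Request("bob", "POST"), mine.eid))
    print("alice GET:     ", delete_view(store, Request("alice", "GET"), mine.eid))
    print("alice POST:    ", delete_view(store, Request("alice", "POST"), mine.eid))
```

Note that the ownership filter is what actually stops bob; the random eid only stops him from enumerating `/1/`, `/2/`, ... to find out which ids exist. Keep both, but never rely on the unguessable key alone.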
