On Thu, May 12, 2011 at 12:29 AM, Wesley Childs <childs.wes...@gmail.com> wrote:
> Why can't you do something like this to avoid exposing data if people are
> guessing primary keys....
>
>     if request.user == Users.objects.get(id=pk-url):
>         Show data
>     Else:
>         raise 404 or redirect to home page
>
> The above requires a logged-in user but you get the idea of not allowing
> people to start guessing to expose data.

You can't do this, in this case, *because* it requires a logged-in user. Specifically, the OP is looking for a way to authenticate a user based on their knowledge of a 'secret' URL, but if the URLs are predictable, then discovering the secrets is trivial. Your solution is fine once the user has been logged in, although some people would say that it can still give away too much information*

Honestly, I can think of exactly two ways for the original poster to achieve his goal (and I've deployed systems using each of these):

1. Sign** the ID with a secret known only to the web server. Put the ID and the signature in the URL somewhere, and, when the user hits the view, sign the ID again, and verify that the signatures match. This doesn't hide the ID at all, but it ensures that nobody can forge a URL with a different ID than the server gave them.

2. Generate a unique token for each record, randomly. Use a UUID, they're great for that. Then use the token in the URL, and look for the token in the database when the user comes back to the confirmation view. If your tokens are actually random, and large enough (say, 64 bits), then anybody trying to guess them will be wasting their time.

--
Regards,
Ian Clelland
<clell...@gmail.com>

* By looking at the database IDs, people can gauge how heavily the system is being used, or if they see a key for someone else's record, they can estimate when that record was created, by comparing it to their own data.

** And by sign, I mean HMAC.
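Both approaches from Ian's reply, written out as an added example that is not part of the thread and does not depend on Django. The server secret and the in-memory token table are constructed stand-ins (in a Django app they would be `settings.SECRET_KEY` and a unique-indexed column on the record).

```python
import hmac
import hashlib
import uuid

# Constructed demo secret; a real deployment uses the server's own secret key.
SERVER_SECRET = b"constructed-secret-for-demo-only"


def sign_id(record_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Approach 1: HMAC the ID and carry both in the URL, e.g. /confirm/42-<mac>/.
    The ID stays visible; only the server can produce a matching MAC."""
    mac = hmac.new(secret, str(record_id).encode(), hashlib.sha256).hexdigest()
    return f"{record_id}-{mac}"


def verify_signed_id(token: str, secret: bytes = SERVER_SECRET):
    """Re-sign the ID from the URL and compare in constant time.
    Returns the integer ID on success, None if the MAC is missing or forged."""
    record_id, sep, mac = token.partition("-")
    if not sep or not record_id.isdigit():
        return None
    expected = hmac.new(secret, record_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(record_id)


# Approach 2: an unguessable random token stored alongside the record.
TOKEN_TABLE = {}  # constructed stand-in for a database column with a unique index


def issue_token(record_id: int) -> str:
    """Mint a random token for the record; uuid4 gives 122 random bits,
    comfortably more than the 64 bits suggested in the thread."""
    token = uuid.uuid4().hex
    TOKEN_TABLE[token] = record_id
    return token


def lookup_token(token: str):
    """Resolve a token from the URL back to its record, or None if unknown."""
    return TOKEN_TABLE.get(token)
```

A guessed or altered ID fails `verify_signed_id` because the attacker cannot recompute the MAC, and a guessed token simply does not exist in the table.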