On 8/22/06, cyberco <[EMAIL PROTECTED]> wrote:
> Max, I'm not sure I fully understand your reply. Currently I got things
> working by passing the user object to the template and returning its
> attribute values:
>
> ================
> <input type="hidden" name="is_superuser" id="id_is_superuser"
> value="{{user.is_superuser}}" />
> ================
>
> Is this a security hole?
Yes. Never, ever, trust anything to the client's behavior. If I knew your site's URL, I could log in as a super user right now. :) What's to stop me submitting an HTTP POST w/ a parameter is_superuser=True? The browser? No, it's just bits on the wire. There is no browser. ;-)

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users
-~----------~----~----~----~------~----~------~--~---
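The point of the reply, shown in code (an added example, not code from either poster): a hidden form field is still client-controlled input, so a handler that copies posted fields onto the user object lets the client set `is_superuser`. The fix is to read only an allow-list of editable fields from the request and to leave privilege flags to server-side state. In Django terms this is `Meta.fields` on a `ModelForm` listing only the editable columns, never `is_superuser`. The example is framework-neutral Python so it runs without Django; the `User` class, the handlers, and the request dictionaries are constructed for illustration.

```python
"""Added example: trusting a hidden is_superuser field vs. an allow-list.

Framework-neutral so it runs offline. The User dataclass, the two handler
functions and the sample POST bodies are constructed for this example and
are not part of Django or of the original thread.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str = ""
    is_superuser: bool = False


# Fields a profile form is allowed to change. Privilege flags are absent on
# purpose: they come from what the server already knows, never from the POST.
EDITABLE_FIELDS = frozenset({"email"})


def _coerce(current, value):
    """HTML form values arrive as strings; a hidden input rendered from
    {{user.is_superuser}} posts back the string "True" or "False"."""
    if isinstance(current, bool):
        return value == "True"
    return value


def update_profile_vulnerable(user: User, post: dict) -> User:
    """The pattern from the thread: every posted field that matches a user
    attribute is copied onto the user, hidden is_superuser included. The
    hidden input protects nothing; the client controls every byte sent."""
    for name, value in post.items():
        if hasattr(user, name):
            setattr(user, name, _coerce(getattr(user, name), value))
    return user


def update_profile_safe(user: User, post: dict) -> User:
    """Hardened handler: only allow-listed fields are read from the POST.
    Anything else (is_superuser, username, typos, extras) is ignored, so the
    privilege level stays whatever the server recorded at login."""
    for name in EDITABLE_FIELDS:
        if name in post:
            setattr(user, name, post[name])
    return user


def unexpected_fields(post: dict) -> set:
    """Defender's check: keys in the POST that the form never rendered.
    Worth logging; a legitimate browser submission of this form has none."""
    return set(post) - EDITABLE_FIELDS


def demo():
    # Constructed request body: the same form submission with the hidden
    # field's value changed, which any client can do.
    tampered_post = {"email": "alice@example.test", "is_superuser": "True"}

    victim = update_profile_vulnerable(User("alice"), dict(tampered_post))
    hardened = update_profile_safe(User("alice"), dict(tampered_post))
    # (True, False): the naive handler grants superuser, the allow-list does not.
    return victim.is_superuser, hardened.is_superuser


if __name__ == "__main__":
    print(demo())
    print(unexpected_fields({"email": "alice@example.test", "is_superuser": "True"}))
```

The allow-list does the real work; `unexpected_fields` is a cheap audit hook for spotting submissions that do not match the rendered form, which is the kind of thing worth a log line in a view.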