I don't get it. You want to make all your stuff publicly available, but
complain about the fact that everyone can access everything? 

Anyway, if for any reason you want links that are not so easily guessable, why not
use the md5 or sha1 checksum (in hex) of the photo as the link?

Greets

Basti


On Fri, 23 Mar 2012 04:38:43 -0700 (PDT),
Bastien <bastien.roche...@gmail.com> wrote:

> Sorry maybe my post was not very clear, I am talking about public
> content here, that should be accessed by anyone, even anonymous users
> not logged in. For instance if we talk about photos, publicly
> available, the url would look something
> like /photos/1, /photos/2 .... 1 and 2 being the pk of the object in
> the db. If someone wants to download or link to these photos in a
> totally uncontrollable way (without using an API), with that system
> we are making it very easy to do mass content leakage. I don't want
> to promote security by obscurity here, just want to know what people
> in the group think about it and what solutions can be implemented, or
> if it is relevant at all.
> 
> The idea of slug could do the trick, but wouldn't it require some
> sort of date or title or a combination of both in the url? Not the
> most convenient in this case.
> 
> On Friday, March 23, 2012 12:17:02 PM UTC+1, Bastian Ballmann wrote:
> >
> > Hi Bastien,
> >
> > it's the task of the backend to manage the authorization including
> > users and permissions. 
> >
> > If the view and permission system allows all users to see everything
> > and you don't want it that way, then you have to check permissions in
> > your views.
> > See
> > https://docs.djangoproject.com/en/1.3/topics/auth/
> >
> > This has nothing to do with having the id in the url or not, because
> > hiding the id won't help you get a more secure system if your auth
> > backend is crappy. Security by obscurity doesn't work.
> >
> > HTH && Greets
> >
> > Basti
> >
> >
> > On Fri, 23 Mar 2012 04:06:45 -0700 (PDT),
> > Bastien <> wrote:
> >
> > > I am concerned about seeing the IDs of objects appearing in the
> > > URL in a totally predictable manner. It is very convenient
> > > and clean to do all sorts of things, but can be abused very easily
> > > to retrieve all the content of the site, i.e. photos...
> > > Is it a good idea to try to change this behavior? Maybe with some
> > > sort of middleware? Is there any project doing it already? For
> > > instance the URLs in Instagram seem to be encoded, at least.
> > > 
> >
> > -- 
> >  Bastian Ballmann / Web Developer
> > Notch Interactive GmbH / Badenerstrasse 571 / 8048 Zürich
> > Phone +41 43 818 20 91 / www.notch-interactive.com
> >
> >
> 



-- 
 Bastian Ballmann / Web Developer
Notch Interactive GmbH / Badenerstrasse 571 / 8048 Zürich
Phone +41 43 818 20 91 / www.notch-interactive.com
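The two points made in this thread, unguessable photo links and a permission check in the view, as an added example in plain Python (not code from the thread or from Django). It is a constructed in-memory stand-in for a model table: `PhotoStore`, `Photo`, `photo_view`, `can_view` and the random `token` are assumptions of this example; the checksum link Basti suggests is shown as `content_slug` (with sha256 in place of md5/sha1), with the caveat that a content hash is only unguessable while the content itself is unknown, whereas a random token is unguessable regardless.

```python
"""Added example, not from the thread: non-guessable photo links plus an
authorization check, in plain Python so it runs without Django."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Photo:
    pk: int          # sequential primary key, as in /photos/1, /photos/2
    owner: str
    public: bool
    data: bytes
    token: str       # random, URL-safe link id (assumption of this example)


class PhotoStore:
    """Constructed in-memory stand-in for a Django model table."""

    def __init__(self):
        self._by_pk = {}
        self._by_token = {}

    def add(self, owner, public, data):
        pk = len(self._by_pk) + 1
        # 128-bit random token: not derivable from the pk or from the content,
        # so a link such as /photos/<token>/ cannot be walked like /photos/<pk>/.
        token = secrets.token_urlsafe(16)
        photo = Photo(pk, owner, public, data, token)
        self._by_pk[pk] = photo
        self._by_token[token] = photo
        return photo

    def get_by_pk(self, pk):
        return self._by_pk.get(pk)

    def get_by_token(self, token):
        return self._by_token.get(token)

    def count(self):
        return len(self._by_pk)


def content_slug(data):
    """Checksum-in-hex link as suggested in the thread (sha256 used here).
    Deterministic: anyone holding the same bytes can compute the same link."""
    return hashlib.sha256(data).hexdigest()


def can_view(photo, user):
    """The authorization check the view must run, however the photo was looked up.
    `user` is None for an anonymous visitor."""
    return photo.public or photo.owner == user


def photo_view(store, token, user=None):
    """Stand-in for a Django view: 404 for an unknown token, 403 when denied."""
    photo = store.get_by_token(token)
    if photo is None:
        return 404, None
    if not can_view(photo, user):
        return 403, None
    return 200, photo.data


def reachable_by_pk_walk(store):
    """Photos a plain walk over 1..N reaches: every one, which is the leak
    Bastien describes when the pk is the only thing in the URL."""
    return sum(1 for pk in range(1, store.count() + 1)
               if store.get_by_pk(pk) is not None)


def reachable_by_token_guesses(store, attempts=1000):
    """Photos reached by random token guesses: in practice none."""
    return sum(1 for _ in range(attempts)
               if store.get_by_token(secrets.token_urlsafe(16)) is not None)


if __name__ == "__main__":
    store = PhotoStore()
    pub = store.add("alice", True, b"constructed public photo bytes")
    priv = store.add("bob", False, b"constructed private photo bytes")
    print("anonymous, public photo:", photo_view(store, pub.token)[0])
    print("alice, bob's private photo:", photo_view(store, priv.token, "alice")[0])
    print("pk walk reaches:", reachable_by_pk_walk(store))
    print("token guesses reach:", reachable_by_token_guesses(store))
```

The token only stops the mass download of otherwise-public content that Bastien is worried about; the private photo is still protected by `can_view`, not by the token, which is Basti's point that the link format is no substitute for the auth backend.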

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
