On Tue, Apr 17, 2012 at 12:42 PM, Mike <mike.t...@gmail.com> wrote:
> One problem I see is that if User 1 somehow obtains a URL to a view that
> displays an object owned by User 2, User 1 will be able to view User 2's
> object. I'll have to write code in every view function that displays
> user-owned data to make sure that the user actually has permission to view
> it.
>
Or you could decorate your views with an appropriate barrier method. Something derived from django.contrib.auth.decorators.user_passes_test would be most appropriate.

Cheers

Tom
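
An added example, not code from this thread or from Django itself: a per-object ownership barrier in the shape of user_passes_test. The test function given to user_passes_test receives only the user, so a check against the object named in the URL needs its own wrapper. The names owner_required, lookup, NOTES, note_detail and fetch_as are hypothetical, and the request and user objects are constructed stand-ins.

```python
from functools import wraps
from types import SimpleNamespace

try:
    from django.core.exceptions import PermissionDenied
    from django.http import Http404
except ImportError:  # stand-ins so the example runs without Django installed
    PermissionDenied = type("PermissionDenied", (Exception,), {})
    Http404 = type("Http404", (Exception,), {})


def owner_required(lookup, pk_kwarg="pk", owner_attr="owner_id"):
    """Run the view only when request.user owns the object named in the URL.
    lookup(pk) returns the object or None (hypothetical; wraps an ORM query)."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            user = request.user
            # Assumes current Django, where is_authenticated is a property.
            if not user.is_authenticated:
                raise PermissionDenied("login required")
            obj = lookup(kwargs.pop(pk_kwarg))
            # Same 404 for "missing" and "not yours", so the response does
            # not confirm that another user's object exists.
            if obj is None or getattr(obj, owner_attr) != user.pk:
                raise Http404("no such object")
            # Hand the checked object to the view so it is not fetched twice.
            return view(request, obj, *args, **kwargs)
        return wrapped
    return decorator


# Constructed sample data: two notes, one per user.
NOTES = {
    10: SimpleNamespace(pk=10, owner_id=1, text="user 1's note"),
    20: SimpleNamespace(pk=20, owner_id=2, text="user 2's note"),
}


@owner_required(NOTES.get)
def note_detail(request, note):
    return note.text


def fetch_as(user_pk, note_pk):
    """Call the view as the given user (user_pk=None means anonymous)."""
    user = SimpleNamespace(pk=user_pk, is_authenticated=user_pk is not None)
    return note_detail(SimpleNamespace(user=user), pk=note_pk)
```

Because the check lives in the decorator, a view that forgets it is visible in review as a view without @owner_required, rather than as a missing line somewhere in its body.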