On 06/28/2015 03:00 PM, Peter of the Norse wrote: > On May 27, 2015, at 7:47 AM, Cheng Guo <cheng....@gmail.com > <mailto:cheng....@gmail.com>> wrote: >> >> Hello, >> >> I have a formset and when I render it, Django would include this line >> in the HTML: >> >> |<input id="id_form-0-id" name="form-0-id" type="hidden">| >> >> I am curious what is the purpose of having an id field here. >> >> I mean in what situation would you use it. I did look through >> Django's documentation on formset >> <https://docs.djangoproject.com/en/1.8/topics/forms/formsets/#can-delete>but >> cannot find much documentation on this. >> >> One answer I got is that this id field is the value of the primary key >> of the model bound to this form. It is there so that when the formset >> updates, people can use it to retrieve the corresponding record from >> the database. >> >> Is the above explaination correct? >> >> If this explaination is correct, then my next question is, wouldn't it >> be dangerous to expose the primary key like that? I can make a post >> call to your server with a modified pk which can mess up your database. > > So what? It’s quite likely that whoever is editing this row of the > database, also has permissions to edit the other rows as well. There’s > no reason for them to go through the hassle of manually editing a hidden > field when they can go to a different page and edit it there.
That's a bad answer. It's common in many systems for a user to have access to edit some records in a table but not others (this is often known as "object-level permissions"). If it was really possible to edit any row in the table by just manually editing the PK hidden field, that would be a serious security flaw in formsets. But it's not. Whatever queryset you pass to the model formset limits the available rows for editing. The end user can edit the PK to refer to any item in that queryset, but not any item in the table. > In general, primary keys are not security flaws. While it’s a good idea > to hide them from front-end pages, that’s mostly because they make URLs > hard to read. I have heard that you don’t want to use them publicly, > because your competitors can use them to gauge your success, but that’s > the kind of “Nice Problem to Have” that can wait until you’re bigger. Exposing primary keys themselves (e.g. in URLs) is not necessarily a security flaw. Exposing a primary key in a hidden field that can be edited to change a form to edit any row in a table often would be a serious security flaw. Carl -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at http://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/5595E969.1090205%40oddbird.net. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature
