I will read up on this. Many thanks for the advice.

On 7 July 2016 at 01:34, Alex Heyden <mindsbre...@gmail.com> wrote:

> Primary keys as URL parameters are considered a security vulnerability by
> OWASP (https://www.owasp.org/index.php/Forced_browsing) and may affect
> how your code is viewed after an audit.
>
> Consider instead how sites like Reddit handle this. The URL of a comments
> page has a human-readable slug at the end for increased usability, but the
> actual page is keyed to a hash value. Some sites take this a step further
> and require the slug and the hash to match to further limit forced browsing.
>
> On Wed, Jul 6, 2016 at 3:18 PM, ludovic coues <cou...@gmail.com> wrote:
>
>> You want a value to identify a specific job, different from the
>> job_id, to put in the url.
>> I would add a slug field in the model and use that.
>>
>> The slug could be derived from the job title, maybe concatenated to a
>> UUID for uniqueness or simply a UUID different from the id.
>>
>> If you are using views based on generic.DetailView, set the url to
>> something like r'^job/(?P<slug>[\w-]+)/$' and job done. If the slug
>> field isn't named slug, don't forget to set slug_field to the correct
>> name.
>>
>> 2016-07-06 19:46 GMT+02:00 'David Turner' via Django users
>> <django-users@googlegroups.com>:
>>
>> > As far as putting the id in the url it was a way of distinguishing the
>> > job from others. As I said a number of listings will be made on the same
>> > day with exactly the same content with regard to the title. My thoughts
>> > therefore were that if the id plus the title were included in the url
>> > then this would distinguish them. If this is not a good idea then any
>> > suggestions would be welcomed as to alternatives.
>> >
>> > Thanks
>> >
>> > On 6 July 2016 at 16:46, William Caruso <wcaruso....@gmail.com> wrote:
>> >
>> >> As far as putting the ID into the url, I would suggest not. Even though
>> >> the ID is secure and anonymous, django's urls allow for much better
>> >> ways to determine a user and put them on a page. What is your purpose
>> >> for using the ID in the URL?
>> >>
>> >> On Wednesday, July 6, 2016 at 10:09:59 AM UTC-4, davidt wrote:
>> >>
>> >>> I am looking for advice with regard to the following:
>> >>>
>> >>> I have a model which has as part of the structure these two fields
>> >>>
>> >>> job_id = models.AutoField(primary_key=True,)
>> >>> job_reference = ShortUUIDField()
>> >>>
>> >>> My question is if I include the job_id in the url, which is public
>> >>> facing then it is easy to guess the rest of the urls within the site.
>> >>> Because there are a number of items that will have the same url
>> >>> structure, and are posted on the same day, using the id is what makes
>> >>> them unique.
>> >>>
>> >>> My questions are is this the right way to proceed or is there a better
>> >>> alternative?
>> >>>
>> >>> Thanks in advance
>> >>
>> >> --
>> >> You received this message because you are subscribed to a topic in the
>> >> Google Groups "Django users" group.
>> >> To unsubscribe from this topic, visit
>> >> https://groups.google.com/d/topic/django-users/ieysN9sRyT0/unsubscribe.
>> >> To unsubscribe from this group and all its topics, send an email to
>> >> django-users+unsubscr...@googlegroups.com.
>> >> To post to this group, send email to django-users@googlegroups.com.
>> >> Visit this group at https://groups.google.com/group/django-users.
>> >> To view this discussion on the web visit
>> >> https://groups.google.com/d/msgid/django-users/d39d267b-cdfc-45e8-9065-2c8521a8213f%40googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> Kind regards, Coues Ludovic
>> +336 148 743 42
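The two suggestions in the thread (Ludovic's slug field looked up by a UUID, and Alex's point that the readable slug and the unguessable key should both have to match) can be tried out without a Django install. The following is an added example written for this page, not code from the thread or from Django itself: a plain-Python stand-in for the Job model and for a `DetailView` with `slug_field` set, using `uuid4().hex` in place of `ShortUUIDField()` and an in-memory list in place of the database. The layout `<title-slug>-<reference>` and the helper names are assumptions chosen for the illustration.

```python
import re
import uuid
from dataclasses import dataclass, field


@dataclass
class Job:
    """Constructed stand-in for the Job model in the thread."""
    # models.AutoField(primary_key=True): sequential, so trivially guessable
    job_id: int
    title: str
    # Stand-in for ShortUUIDField(): 122 random bits, not derivable from job_id
    job_reference: str = field(default_factory=lambda: uuid.uuid4().hex)


def slugify(value: str) -> str:
    """Roughly what django.utils.text.slugify does: lowercase, keep
    word characters, collapse whitespace/underscores/hyphens to one hyphen."""
    value = re.sub(r"[^\w\s-]", "", value.lower()).strip()
    return re.sub(r"[\s_-]+", "-", value)


def public_slug(job: Job) -> str:
    """Value that goes into the URL: readable title plus the random reference.
    Two jobs with the same title on the same day still get distinct slugs,
    and the distinguishing part is the reference, not the primary key."""
    return f"{slugify(job.title)}-{job.job_reference}"


# The pattern Ludovic suggested; the captured group is named 'slug' as
# generic.DetailView expects.
JOB_URL = re.compile(r"^job/(?P<slug>[\w-]+)/$")


def resolve(path: str, jobs: list) -> "Job | None":
    """Stand-in for DetailView.get_object() with slug_field='job_reference'.
    Returns the matching Job, or None where Django would raise Http404."""
    m = JOB_URL.match(path)
    if m is None:
        return None
    slug = m.group("slug")
    # The reference is the trailing token; uuid4().hex contains no hyphens.
    ref = slug.rsplit("-", 1)[-1]
    for job in jobs:
        # Lookup is keyed on the reference, but the full slug must match as
        # well (Alex's "slug and hash must match"), so a title pasted onto
        # someone else's reference is rejected rather than silently served.
        if job.job_reference == ref and public_slug(job) == slug:
            return job
    return None


if __name__ == "__main__":
    # Constructed sample data: identical titles posted on the same day.
    jobs = [Job(1, "Senior Engineer"), Job(2, "Senior Engineer")]
    for job in jobs:
        print(f"job/{public_slug(job)}/ -> pk {job.job_id}")
    # The primary key on its own is no longer a valid URL.
    print(resolve("job/1/", jobs))
```

Mapping this back to Django: the `Job` model keeps `job_id` as its primary key for foreign keys and admin, the view sets `slug_field = "job_reference"`, and `get_absolute_url()` returns the `public_slug` form; the slug-must-match check belongs in `get_object()`. The unguessability comes entirely from the reference, so the title part can stay readable without weakening anything.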