Very fascinating. There is a remark from Eric Sheridan, though, that discusses this: "I think that anytime database primary keys are exposed, an access control rule is required. There is no way to practically DOR all database primary keys in a real enterprise or post-enterprise system." The articles very much suggest that it is the developer's responsibility to implement access control rules on objects. In Django and my projects, that's done through the authentication system, sessions, and requiring login credentials. As such, I'm not worried about exposing PKs in URLs.
Saying that, if Django really wants to discourage PKs in URLs, it needs to remove the <pk> kwarg to be used in URLs, and as you mentioned, the tutorials need to be updated. -----Original Message----- From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On Behalf Of Andrew Pinkham Sent: Monday, October 22, 2018 11:51 AM To: django-users@googlegroups.com Subject: Re: Creating seperate unique ids within the same table On Oct 22, 2018, at 12:29, Matthew Pava <matthew.p...@iss.com> wrote: > I am curious why you think it is anti-practice to expose primary keys for > user-visible purposes. > My URLs all have the PK to the object in them, and any advanced user would be > able to “reverse engineer” a URL if they guess the PK of an object—and that’s > okay. https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet > Even Django tutorials suggest using the PK in the URL of an object. That's an interesting point, and I might argue is a shortcoming in the tutorial. PRs welcome! -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/79D86944-B1A3-479B-8959-9477144EBA6F%40andrewsforge.com. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d299562d6c474b5f83da9af7e219a357%40ISS1.ISS.LOCAL. For more options, visit https://groups.google.com/d/optout.
