On June 24, 2019 4:35:45 PM GMT+02:00, Brandon Rosenbloom <[email protected]> wrote: >I would recommend placing logic in the front end that only shows >the delete option to logged in users who are the original authors of >the post.
That would be good for usability (don't give the user options that she cannot use), but is definitely not good enough in terms of security. Any slightly competent attacker would still be able to delete the post. Rule #0 in security is never to trust the client. I might have misunderstood you though, just thought this was important to point out. Kind regards, Kasper Hi Brandon, -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/AAD8D0F6-B92B-417C-BB9A-F9922D90BCD9%40stacktrace.dk. For more options, visit https://groups.google.com/d/optout.
