Hi Balaji

It's not necessarily template views.

Let's come up with a scenario so you can see.


Let's assume you have an order form, and your customers can view that order 
form by viewing:

yoururl.com/orders/?order_id=101

You think it's okay - after all, the customer has to log in and view their 
order.

In your backend you use something like


customer_order_id = request.GET.get('order_id')
order = CustomerOrder.objects.get(id=customer_order_id)


There are a couple of problems with this.

You should NEVER use numbers as the IDs that your users see.

 -- You can potentially let competitors know how many customers you have, 
or how many orders you processed.

But wait, if you look at the query - and I have seen this before... the 
query is not checking to see if the current user has permission to view the 
order... 
it just grabs the record with the ID

Now assume that the end user changes 101 to 102, and to 103 -- if these 
records exist, they are going to get the data.

Use something like a UUID as your primary key to prevent this.

Also, add ownership to your queries, e.g. (id=customer_id, 
customer=request.user)
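Added example, not code from the post above: a self-contained Python sketch of the two fixes it recommends (an opaque UUID primary key and ownership inside the lookup) next to the original pattern. The Manager class is a minimal stand-in for a Django model manager so this runs without Django; the order data and the customer names are constructed.

```python
import uuid
from dataclasses import dataclass, field


class DoesNotExist(LookupError):
    """Stand-in for Model.DoesNotExist."""


@dataclass
class CustomerOrder:
    customer: str                                          # owner of the order
    total: float
    # UUID primary key: nothing to count, nothing to increment by one
    id: uuid.UUID = field(default_factory=uuid.uuid4)


class Manager:
    """Minimal stand-in for a Django manager: get(**lookup) must match every field."""

    def __init__(self, rows):
        self._rows = list(rows)

    def get(self, **lookup):
        hits = [r for r in self._rows
                if all(getattr(r, k) == v for k, v in lookup.items())]
        if not hits:
            raise DoesNotExist(lookup)
        return hits[0]


# Constructed sample data: one order each for two customers
ALICE_ORDER = CustomerOrder("alice", 10.0)
BOB_ORDER = CustomerOrder("bob", 30.0)
ORDERS = Manager([ALICE_ORDER, BOB_ORDER])


def parse_order_id(raw):
    """Reject anything that is not a well-formed UUID before it reaches the query."""
    try:
        return uuid.UUID(raw)
    except (ValueError, TypeError, AttributeError):
        return None


def view_order_insecure(orders, order_id, user):
    """The pattern from the post: the lookup never asks who is requesting."""
    return orders.get(id=order_id)


def view_order_scoped(orders, order_id, user):
    """Ownership is part of the lookup, so another customer's order looks like a missing one."""
    try:
        return orders.get(id=order_id, customer=user)
    except DoesNotExist:
        return None  # a Django view would raise Http404 here
```

With the scoped lookup a request for someone else's order and a request for a nonexistent order are indistinguishable to the caller, which is the behaviour you want.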

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/343105a0-4bd3-42f0-ba0d-c41d2482f9e0%40googlegroups.com.