Hi, I'm starting to write a grade book type application. There will be many teachers that will be logging in to access their student records. The student record will contain student grades and sensitive info such as student ID number. In the model each teacher will have a primary key (pk) and each student will have a primary key. So if teacher (with pk=21) logs in and wants to update the grade for student (pk=197), the URL I'm calling to retrieve that view is "/grades/21/197" (i.e., on the teacher page there would be a list of student names each being an <a href="/grades/xx/xxx"> as shown). I feel like by using this scheme I'm giving away too much info in the URL. Some other teacher (or person) who is NOT teacher (pk=21) could just enter that URL and look at some other teacher's grades just by "guessing" what pk to plug into the URL. What if the student pk was actually his SSN, then I wouldn't want that as part of the URL for sure.
So my newbie question is: Is there a better way to design/obfuscate the URL scheme when dealing with sensitive information? I know once I get some sort of authentication in place that will help, but the idea of showing sensitive info in a URL still has me concerned.

Thanks in advance.

Rog
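
An added example, not part of the original post and not Django's own code: a plain-Python model of the "/grades/21/197" scheme described above, next to a variant where the teacher's identity comes from the login session and the URL carries only an opaque student token. The record layout, function names, sample data and the token-based URL are assumptions made for illustration.

```python
import re
import secrets

# Constructed sample data. Records are keyed by an opaque public id,
# never by SSN or student ID number.
TEACHERS = {21: "teacher-a", 22: "teacher-b"}
STUDENTS = {}  # public_id -> record


def add_student(pk, teacher_pk, grade):
    public_id = secrets.token_urlsafe(16)  # 22 chars, unguessable, no meaning
    STUDENTS[public_id] = {"pk": pk, "teacher_pk": teacher_pk, "grade": grade}
    return public_id


SAMPLE_ID = add_student(197, 21, "B+")  # constructed record from the post's numbers

OLD_URL = re.compile(r"^/grades/(\d+)/(\d+)$")          # scheme from the post
NEW_URL = re.compile(r"^/grades/([A-Za-z0-9_-]{22})$")  # hypothetical replacement


def view_trusting_url(path):
    """The scheme as described: the teacher pk is taken from the URL."""
    m = OLD_URL.match(path)
    if not m:
        return 404, None
    teacher_pk, student_pk = int(m.group(1)), int(m.group(2))
    for rec in STUDENTS.values():
        if rec["pk"] == student_pk and rec["teacher_pk"] == teacher_pk:
            return 200, rec["grade"]  # any caller supplying both pks gets here
    return 404, None


def view_checking_session(path, session_teacher_pk):
    """Teacher identity comes from the login session, not from the URL."""
    if session_teacher_pk not in TEACHERS:
        return 403, None  # not logged in as a teacher
    m = NEW_URL.match(path)
    rec = STUDENTS.get(m.group(1)) if m else None
    # Same 404 for "no such record" and "not your student", so the
    # response does not reveal which tokens exist.
    if rec is None or rec["teacher_pk"] != session_teacher_pk:
        return 404, None
    return 200, rec["grade"]
```

The ownership comparison is what protects the record; the opaque token only keeps meaningful identifiers out of URLs, logs and browser history.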