Andreas Ahlenstorf wrote:
> Hi,
>
> At the moment, it's possible to retrieve more data in the
> templates using method calls like all() [1]. While this may be fine
> in controlled environments, it may pose a risk at services where you
> have to deal with user supplied templates (think of a service like
> Typepad). A user might use the method calls to access data which he
> isn't supposed to.
>
> Now, I like to know what I have to do to a) disable method calls in
> the templates or b) to disable specific method calls like all() in
> templates without breaking too much.
>
> Generally, I would favor a solution where the access to every method
> is prohibited but where I can still explicitly flag a method as
> accessible.
>
> Regards,
> A.
>
> [1] {% for item in foo.bar.all %}
http://www.djangoproject.com/documentation/templates_python/#rendering-a-context

" The template system won't execute a method if the method has alters_data=True set. The dynamically-generated delete() and save() methods on Django model objects get alters_data=True automatically. Example:

    def sensitive_function(self):
        self.database_record.delete()
    sensitive_function.alters_data = True
"

Regards,
Jonathan.
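To make the mechanism behind the quoted documentation concrete, here is an added example (not Django's code and not code from either poster) that re-implements, in miniature, how a dotted template variable such as foo.bar.all is resolved and when a callable found along the way gets invoked. With the default policy it mirrors Django's rule: every callable is called unless it carries alters_data = True, in which case the lookup fails silently and renders as an empty string. It also goes one step beyond the thread and adds an opt-in mode, the scheme Andreas asked for, where a callable runs only if it carries a marker attribute; that mode is a hypothetical variant for illustration, not something Django offers. The classes Manager and Record, the functions resolve and render_var, and the marker name template_safe are all constructed for this example.

```python
"""Toy re-implementation of dotted-variable resolution in a template engine.

Added example, not Django's code.  Manager, Record, resolve, render_var and
the "template_safe" marker are constructed names for illustration only.
"""


class TemplateSilentFailure(Exception):
    """Lookup could not be completed; the engine renders '' in its place."""


class Manager:
    """Stand-in for a Django manager exposing query methods."""

    def __init__(self, rows):
        self._rows = list(rows)

    def all(self):
        # Not marked in any way: Django's default policy would call this.
        return list(self._rows)

    def count(self):
        return len(self._rows)

    # Hypothetical opt-in marker (not a Django attribute) used by the
    # allow-list mode below.
    count.template_safe = True


class Record:
    """Stand-in for a model instance with a mutating method."""

    def __init__(self, name, rows):
        self.name = name
        self.objects = Manager(rows)
        self.deleted = False

    def delete(self):
        self.deleted = True
        return "deleted"

    # Django sets this automatically on delete()/save(); set explicitly here.
    delete.alters_data = True


def resolve(path, context, allow_attr=None):
    """Walk ``a.b.c`` through dict keys and attributes, calling callables.

    allow_attr=None reproduces Django's rule: a callable is invoked unless it
    has alters_data = True.  Passing a marker name (e.g. "template_safe")
    switches to the opt-in policy: callables run only when that marker is
    set.  Anything else raises TemplateSilentFailure and is never called.
    """
    current = context
    for bit in path.split("."):
        if isinstance(current, dict) and bit in current:
            current = current[bit]
        elif hasattr(current, bit):
            current = getattr(current, bit)
        else:
            raise TemplateSilentFailure(path)
        if callable(current):
            # Bound methods forward attribute reads to the underlying function,
            # so the markers set in the class bodies above are visible here.
            if allow_attr is None:
                permitted = not getattr(current, "alters_data", False)
            else:
                permitted = bool(getattr(current, allow_attr, False))
            if not permitted:
                raise TemplateSilentFailure(path)
            current = current()
    return current


def render_var(path, context, allow_attr=None):
    """Render a variable the way a template would: '' on silent failure."""
    try:
        return str(resolve(path, context, allow_attr))
    except TemplateSilentFailure:
        return ""


if __name__ == "__main__":
    # Constructed sample context standing in for {% for item in foo.objects.all %}.
    ctx = {"foo": Record("x", [1, 2, 3])}
    print(render_var("foo.objects.all", ctx))       # called: "[1, 2, 3]"
    print(repr(render_var("foo.delete", ctx)))      # blocked by alters_data: ''
    print(ctx["foo"].deleted)                       # False: delete() never ran
    print(render_var("foo.objects.count", ctx, allow_attr="template_safe"))  # "3"
```

In the default mode the deny-list is only as good as the markers on mutating methods, which is why Django adds alters_data to delete() and save() itself; the opt-in mode shows the stricter shape of policy the original question describes, at the cost of having to tag every method templates are allowed to call.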