On Wed, 2008-03-05 at 06:44 -0800, cesco wrote:
> Hi,
>
> my question is really basic but I'd like to make sure I'm doing the
> right thing.
>
> Say a user owns certain objects and has the possibility to delete
> them by clicking on a "delete" link.
>
> I'm thinking of associating that link to a get request via a url like:
> /objects/delete/<object_pk>
> but this would give the possibility to a user to delete objects
> created and belonging to another user by directly typing the url in
> the bar and putting a random object_pk.
>
> What is the best practice to deal with this?
>
> Is it a good idea to simply check that the owner of the object is also
> the one performing the get request?
>
> Would something like the following do the job?
> if request.user.id == object.user.id:
>     object.delete()
If permission control matters then of course you have to check the
permissions before executing the operation. This isn't unique to
delete(). However, it's also not a universal requirement, since not
every domain has a concept of objects being owned by anybody (or any
group of bodies). So you need to do whatever permission checking is
appropriate for your problem domain.

Malcolm

--
Honk if you love peace and quiet.
http://www.pointy-stick.com/blog/
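An added example (not from either poster) of the check being discussed, written without Django so it runs stand-alone: the `User`, `Obj`, `Request`, `Store` and `delete_view` names are constructed stand-ins for `request.user`, the model, the ORM and the view. Instead of fetching the object and then comparing ids, the lookup is scoped by owner, which is what Django's real `get_object_or_404(Obj, pk=pk, user=request.user)` does; the view also refuses plain GET, since a state-changing action should not be reachable by following a link.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int


@dataclass
class Obj:
    pk: int
    user: User          # the owner, as in cesco's object.user


@dataclass
class Request:
    user: User          # the authenticated user, as in request.user
    method: str = "GET"


class Store:
    """Constructed stand-in for Model.objects with an owner-scoped lookup."""

    def __init__(self, objs):
        self._objs = {o.pk: o for o in objs}

    def get_owned(self, pk, user):
        # Scope the lookup by owner, like Obj.objects.get(pk=pk, user=request.user):
        # another user's pk is indistinguishable from a pk that does not exist.
        o = self._objs.get(pk)
        return o if o is not None and o.user.id == user.id else None

    def delete(self, pk):
        del self._objs[pk]

    def __contains__(self, pk):
        return pk in self._objs


def delete_view(store, request, pk):
    """Return the HTTP status the view would answer with: 405, 404 or 204."""
    if request.method != "POST":
        return 405                  # deletion is not triggered by a GET link
    obj = store.get_owned(pk, request.user)
    if obj is None:
        return 404                  # missing or not yours: same answer, nothing to enumerate
    store.delete(obj.pk)
    return 204
```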