On Thursday 12 November 2009 01:51:26 Steinar Rune Eriksen wrote:
> I have not used Django in external environments before, just Intranet
> applications.
>
> I am wondering how to mask URLs so that object IDs are not shown?
> Obviously one would create security on the server to check if a user
> has access to view a particular object, but the fact that IDs are
> siaplayed in the URL would make the Web service look hackable to a lot
> of users.
>
> I am thinking of this type of URL
>
> (r'^portfolio/(\d{2})/$', 'portfolios.views.load_details'),
> /portfolio/3/
>
> In template the URL would be {% url portfolios.views.load_details
> portfolio.pk %}
>
> Let's say the logged in user has created 2 portfolios, given primary
> keys 3 and 5, and has clicked to view details of object with pk 3.
>
> He does not have access to 1,2,4, but would be tempted to look at
> these URLs and would be wondering if others will be able to view them
>
> Are there a way to rewrite/mask the URL, perhaps via Apache, or would
> one not use such URL mechanisms at all for this type of Web solution?
>
I use slugs[1] instead of id's for my urls, most of my models have a
title/name attribute that I slugify, the title/name attribute should be unique
also, but this is how I mask things from id's.
Example:
# assumes namespaces[2] to call this:
# {% url portfolio:details portfolio.slug %}
urlpatterns = patterns('', url(r'^portfolios/(?P<slug>[\w-]+$',
'portfolio.views.load_details', name='details'),
# In models.py for the base class
from django import models
from django.template.defaultfilters import slugify
class MyBaseModel(models.Model):
title = models.CharField(max_length=50, unique=True)
# don't need to edit in the admin panel
# since it's automagically slugified in the save method
slug = models.SlugField(editable=False)
class Meta:
abstract=True
@models.permalink
def get_absolute_url(self):
return ('portfolio:details', (), {'slug': self.slug })
def save(self, *args, **kwargs):
# might want to do this during pre_save to check if changed
self.slug = slugify(self.title)
super(MyBaseModel, self).save(*args, **kwargs)
urls should look like: /portfolio/my-cool-pictures for the portfolio with the
title "My Cool Pictures"
[1] http://docs.djangoproject.com/en/dev/ref/models/fields/#slugfield
[2] http://docs.djangoproject.com/en/dev/topics/http/urls/#topics-http-
defining-url-namespaces
Mike
He hadn't a single redeeming vice.
-- Oscar Wilde
signature.asc
Description: This is a digitally signed message part.
