On Thursday 12 November 2009 01:51:26 Steinar Rune Eriksen wrote:
> I have not used Django in external environments before, just Intranet
> applications.
>
> I am wondering how to mask URLs so that object IDs are not shown?
> Obviously one would create security on the server to check if a user
> has access to view a particular object, but the fact that IDs are
> displayed in the URL would make the Web service look hackable to a lot
> of users.
>
> I am thinking of this type of URL
>
> (r'^portfolio/(\d{2})/$', 'portfolios.views.load_details'),
> /portfolio/3/
>
> In template the URL would be {% url portfolios.views.load_details
> portfolio.pk %}
>
> Let's say the logged in user has created 2 portfolios, given primary
> keys 3 and 5, and has clicked to view details of object with pk 3.
>
> He does not have access to 1,2,4, but would be tempted to look at
> these URLs and would be wondering if others will be able to view them
>
> Is there a way to rewrite/mask the URL, perhaps via Apache, or would
> one not use such URL mechanisms at all for this type of Web solution?
I use slugs[1] instead of ids for my urls. Most of my models have a title/name attribute that I slugify; the title/name attribute should be unique also, but this is how I mask things from ids. Example:

    # urls.py
    # assumes namespaces[2] to call this:
    # {% url portfolio:details portfolio.slug %}
    from django.conf.urls.defaults import patterns, url

    urlpatterns = patterns('',
        url(r'^portfolios/(?P<slug>[\w-]+)/$',
            'portfolio.views.load_details',
            name='details'),
    )

    # In models.py for the base class
    from django.db import models
    from django.template.defaultfilters import slugify

    class MyBaseModel(models.Model):
        title = models.CharField(max_length=50, unique=True)
        # don't need to edit in the admin panel
        # since it's automagically slugified in the save method
        slug = models.SlugField(editable=False)

        class Meta:
            abstract = True

        @models.permalink
        def get_absolute_url(self):
            return ('portfolio:details', (), {'slug': self.slug})

        def save(self, *args, **kwargs):
            # might want to do this during pre_save to check if changed
            self.slug = slugify(self.title)
            super(MyBaseModel, self).save(*args, **kwargs)

urls should look like: /portfolio/my-cool-pictures for the portfolio with the title "My Cool Pictures"

[1] http://docs.djangoproject.com/en/dev/ref/models/fields/#slugfield
[2] http://docs.djangoproject.com/en/dev/topics/http/urls/#topics-http-defining-url-namespaces

Mike

He hadn't a single redeeming vice. -- Oscar Wilde
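The point both posts circle around is that a slug only hides the primary key; it is the per-user lookup in the view that stops one user from reading another's portfolio. The following is an added, framework-free Python example (not code from either poster) that mirrors the slug-in-save idea above and shows the object-level access check next to it. The slugify function, the Portfolio/PortfolioStore classes, the load_details view body and the user names are constructed stand-ins for django's slugify, the model, the ORM query and the request's user.

```python
import re
import unicodedata
from dataclasses import dataclass

# Stand-in for django.template.defaultfilters.slugify (constructed for this
# example): strip accents, keep word chars/spaces/hyphens, lower-case,
# collapse runs of whitespace and hyphens into a single hyphen.
def slugify(value):
    value = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode("ascii")
    value = re.sub(r"[^\w\s-]", "", value).strip().lower()
    return re.sub(r"[-\s]+", "-", value)

# Same character class as the (?P<slug>[\w-]+) group in the url() pattern.
SLUG_RE = re.compile(r"^[\w-]+$")


@dataclass
class Portfolio:
    """Constructed stand-in for the model; pk stays internal, slug is public."""
    pk: int
    owner: str
    title: str
    slug: str = ""

    def __post_init__(self):
        # Mirrors MyBaseModel.save(): the slug is always derived from the title.
        self.slug = slugify(self.title)


class PortfolioStore:
    """Constructed in-memory stand-in for the Portfolio table."""

    def __init__(self):
        self.rows = {}

    def add(self, pk, owner, title):
        p = Portfolio(pk, owner, title)
        # Enforce what unique=True on the title would enforce at the DB level.
        if any(r.slug == p.slug for r in self.rows.values()):
            raise ValueError("duplicate slug %r" % p.slug)
        self.rows[pk] = p
        return p

    def get_for_owner(self, owner, slug):
        """Object-level access check: filter by the logged-in user, not only by slug."""
        for p in self.rows.values():
            if p.owner == owner and p.slug == slug:
                return p
        return None


def load_details(store, user, slug):
    """Hypothetical view body; returns (status, payload) instead of an HttpResponse."""
    if not SLUG_RE.match(slug):
        return 404, None
    p = store.get_for_owner(user, slug)
    if p is None:
        # Same answer whether the slug does not exist or belongs to someone
        # else, so guessing slugs reveals nothing about other users' objects.
        return 404, None
    return 200, {"pk": p.pk, "title": p.title}


def demo():
    """Constructed sample data: two portfolios for one user, one for another."""
    store = PortfolioStore()
    store.add(3, "steinar", "My Cool Pictures")
    store.add(5, "steinar", "Travel 2009")
    store.add(4, "someone-else", "Private Stuff")
    return store


if __name__ == "__main__":
    s = demo()
    print(load_details(s, "steinar", "my-cool-pictures"))   # own object -> 200
    print(load_details(s, "steinar", "private-stuff"))      # someone else's -> 404
```

The lookup deliberately goes through `get_for_owner` rather than a plain "find by slug": with a Django ORM the equivalent is filtering on the request's user (e.g. `owner=request.user`) together with the slug, so a URL that is merely guessed, whether it carries an id or a slug, never resolves to another user's row.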