On Thu, Nov 12, 2009 at 7:51 AM, Steinar Rune Eriksen <s.r.erik...@gmail.com> wrote:
>
> (r'^portfolio/(\d{2})/$', 'portfolios.views.load_details'),
> /portfolio/3/
>
> In template the URL would be {% url portfolios.views.load_details
> portfolio.pk %}
>
> Let's say the logged in user has created 2 portfolios, given primary
> keys 3 and 5, and has clicked to view details of object with pk 3.
>
> He does not have access to 1,2,4, but would be tempted to look at
> these URLs and would be wondering if others will be able to view them
>
> Is there a way to rewrite/mask the URL, perhaps via Apache, or would
> one not use such URL mechanisms at all for this type of Web solution?

I don't think that's the best way to protect your content from other users.

My approach would be to make sure the user only has access to the appropriate content (i.e. his own) by filtering it in the view. That way even if he does try to access other users' content via direct URL he would not be able to do so.

Other than that you could use any other attribute from your model to form the URL; you only need to make sure it is unique.

Security through obscurity is rarely a good option (*never* if by itself). I think that a well determined user could probably see through any workarounds to mask a URL if the request is going to the URL with an ID in it...
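
The "filter it in the view" approach from the reply above, as an added example that is not part of the original thread. It is a plain-Python stand-in for the Django view so it runs without a project; the `owner` field, the sample rows and the helper names are assumptions.

```python
from dataclasses import dataclass


class Http404(Exception):
    """Stand-in for django.http.Http404."""


@dataclass(frozen=True)
class Portfolio:
    pk: int
    owner: str  # assumed field linking a portfolio to its user
    title: str


# Constructed sample data matching the thread: alice owns pk 3 and 5.
PORTFOLIOS = [
    Portfolio(1, "bob", "Bob A"),
    Portfolio(2, "carol", "Carol A"),
    Portfolio(3, "alice", "Alice A"),
    Portfolio(4, "bob", "Bob B"),
    Portfolio(5, "alice", "Alice B"),
]


def get_or_404(rows, **filters):
    """Return the first row matching all filters, else raise Http404."""
    for row in rows:
        if all(getattr(row, k) == v for k, v in filters.items()):
            return row
    raise Http404("No Portfolio matches the given query.")


def load_details_unscoped(user, pk):
    # Lookup by pk alone: any logged-in user can read any row.
    return get_or_404(PORTFOLIOS, pk=pk)


def load_details(user, pk):
    # Ownership is part of the query, so another user's pk and a missing pk
    # fail identically and the response does not reveal which ids exist.
    # In Django: get_object_or_404(Portfolio, pk=pk, owner=request.user)
    return get_or_404(PORTFOLIOS, pk=pk, owner=user)


def probe(view, user, pks):
    """Map each pk the user tries by editing the URL to a title or 404."""
    results = {}
    for pk in pks:
        try:
            results[pk] = view(user, pk).title
        except Http404:
            results[pk] = 404
    return results
```

Calling `probe(load_details, "alice", range(1, 7))` returns titles only for pk 3 and 5, while the unscoped view returns every existing row.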