Alan Harris-Reid wrote:
> I have a web-page where each row in a grid has edit/delete buttons to
> enable the user to maintain a selected record on another page. The
> buttons are in the form of a link with href='/item_edit?id=123', but
> this string appears in the URL and gives clues as to how to bypass the
> correct sequence of events, and could be risky if they entered the URL
> directly (especially when it comes to deleting records).
Basic HTTP stuff - this is definitely not Python-related.
<OT>
Do yourself (and your users / customers / etc) a favor and read the HTTP
RFC. "GET" requests should NOT modify the server state. At least use
"POST" requests for anything that creates, updates or deletes resources.
For the record, someone once had serious problems with GET requests
deleting records - turned out to be a very bad idea when a robot started
following these links...
</OT>
> Is there another way of passing a record-id to a method
> href="/item/23/edit"
> href="/item/edit/23"
> etc
> a) without it appearing in the URL?
> b) without the user being able to fathom out how to attach which id to
> which URL?
Wrong solution. The correct solution is to
1/ make correct use of the request method (GET and POST at least).
2/ make sure the user performing the action has the permission to do it.
1/ won't protect your data from malicious users, but will at least avoid
accidental mistakes.
2/ by checking the user's perms when handling the POST request, of course
- not by hiding "forbidden" URLs.
> As each link contains row-id, I guess there is nothing to stop someone
> from getting the id from the page source-code.
Nor even from trying any other id (brute-force attack).
> Is it safe to use the
> above href method if I test for authorised credentials (user/password
> stored as session variables, perhaps?) before performing the edit/delete
> action?
cf above.
> I am currently using CherryPy 3.2, but I guess the theory could apply to
> any HTTP framework or web app.
Indeed.
</OT>
--
http://mail.python.org/mailman/listinfo/python-list
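A framework-independent sketch of the two rules given in the reply above (refuse state-changing GET, then check the session user's permission on the server), added here as an example and not code from the thread or from CherryPy; the Request class, the delete_item handler, delete_control and the ITEMS store are hypothetical, and ITEMS is a constructed stand-in for the database.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed in-memory store standing in for the database: item id -> owner username.
ITEMS: Dict[int, str] = {23: "alice", 123: "bob"}


@dataclass
class Request:
    """Hypothetical minimal request: HTTP method, the id parsed from the URL path
    (e.g. /item/23/delete) and the server-side session."""
    method: str
    item_id: int
    session: Dict[str, str] = field(default_factory=dict)


def delete_control(item_id: int) -> str:
    """Grid control rendered as a POST form instead of an <a href=...> link, so a
    crawler or prefetcher that follows every link on the page cannot trigger it."""
    return (f'<form method="post" action="/item/{item_id}/delete">'
            f'<button type="submit">Delete</button></form>')


def delete_item(req: Request, items: Dict[int, str]) -> Tuple[int, str]:
    """Return (HTTP status, message). The id is assumed to be visible in the page
    source and trivially guessable; safety comes from the checks, not from hiding it."""
    # 1/ Correct use of the request method: a GET never modifies server state.
    if req.method != "POST":
        return 405, "use POST to delete"
    # 2/ Permission check done server-side from the session, not from anything
    #    the client put in the URL.
    user = req.session.get("user")
    if user is None:
        return 401, "login required"
    owner = items.get(req.item_id)
    if owner is None:
        return 404, "no such item"
    if owner != user:
        return 403, "not your record"
    del items[req.item_id]
    return 204, ""
```

Guessing another id (the brute-force case raised above) only ever reaches the 403 branch, which is what makes the visible id harmless.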