On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

> Hi,
>
> Thanks for your fast response!
>
> I've already made sure that users can only edit or delete objects that
> they've created but I thought it might be even better to hide that
> information.

If you put the delete link in a form "action", and have the delete view
redirect to a different URL when it's done, that's about as "hidden" as it
gets. A determined user will still be able to figure out the pattern, but if
they can only delete their own resources, then why hide it?

> Kind regards
>
> . . . . . . . . . . . . . . . . . . . . . . . . . .
> Patrick Szabo
> XSLT Developer
> LexisNexis
> Marxergasse 25, 1030 Wien
>
> mailto:[email protected]
> Tel.: +43 (1) 534 52 - 1573
> Fax: +43 (1) 534 52 - 146
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Eric Abrahamsen
> Sent: Friday, 04 March 2011 10:46
> To: [email protected]
> Subject: Re: parameter, but not in the URL
>
> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>
>> 127.0.0.1:800/93/1
>>
>> This would delete an object with the id 93.
>>
>> This is very insecure and once the user notices how this works he
>> could delete any object he wants.
>>
>> How can I make this more secure?!
>
> There's pretty much always a public-facing URL that can be used to
> delete a resource. I believe the best thing is just to require that a
> user be logged in to perform the action. That's most simply done with a
> @login_required decorator on the
>
> If you keep track of which users created which resources, you can
> restrict them to only deleting resources they created with some simple
> logic in the view.
>
> HTH,
> Eric
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
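The pattern the thread converges on (login required, delete only through a POST form, authorise against the recorded owner, redirect afterwards) as an added, framework-free example. This is not code from either poster nor from Django itself: plain Python stand-ins (`User`, `Request`, `Response`, `Store`, `delete_view`) replace Django's request/response objects and ORM so it runs offline, and the sample documents and owner ids are constructed. The one design point worth noting is that a non-owned object and a non-existent one both return 404 from the same lookup, so the response does not tell a guessing user which ids exist.

```python
"""Ownership-checked delete handler (added example, framework-free).

Mirrors the advice in the thread: require a logged-in user, accept the delete
only via POST from a form, authorise against the owner stored on the object,
and redirect afterwards so the delete URL never sits in the address bar.
All names here are constructed for the example, not Django's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    id: int
    is_authenticated: bool = True


ANONYMOUS = User(id=0, is_authenticated=False)


@dataclass
class Request:
    method: str
    user: User


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on redirects


@dataclass
class Document:
    pk: int
    owner_id: int
    title: str


@dataclass
class Store:
    """In-memory stand-in for the model table."""
    rows: Dict[int, Document] = field(default_factory=dict)

    def get_owned(self, pk: int, owner_id: int) -> Optional[Document]:
        # Filter on pk AND owner in one lookup, the way a query such as
        # Document.objects.filter(pk=pk, owner=request.user) would.
        doc = self.rows.get(pk)
        if doc is None or doc.owner_id != owner_id:
            return None
        return doc


LOGIN_URL = "/accounts/login/"     # constructed
AFTER_DELETE_URL = "/documents/"   # constructed


def delete_view(request: Request, pk: int, store: Store) -> Response:
    # 1. login_required: anonymous callers are sent to the login page.
    if not request.user.is_authenticated:
        return Response(302, LOGIN_URL)
    # 2. Destructive action only via POST (the form "action" from the thread);
    #    a plain GET link would also be followed by crawlers and prefetchers.
    if request.method != "POST":
        return Response(405)
    # 3. Authorisation: look the object up by pk AND owner. A non-owned object
    #    and a non-existent one are indistinguishable to the caller (both 404),
    #    so the response does not reveal which ids exist.
    doc = store.get_owned(pk, request.user.id)
    if doc is None:
        return Response(404)
    del store.rows[pk]
    # 4. Redirect away so the delete URL does not remain in the address bar.
    return Response(302, AFTER_DELETE_URL)


def make_store() -> Store:
    # Constructed sample data: two users, three documents.
    return Store(rows={
        93: Document(93, owner_id=1, title="alice's notes"),
        94: Document(94, owner_id=2, title="bob's draft"),
        95: Document(95, owner_id=1, title="alice's todo"),
    })


if __name__ == "__main__":
    store = make_store()
    alice, bob = User(1), User(2)
    print(delete_view(Request("GET", alice), 93, store))       # 405
    print(delete_view(Request("POST", ANONYMOUS), 93, store))  # 302 -> login
    print(delete_view(Request("POST", bob), 93, store))        # 404, not bob's
    print(delete_view(Request("POST", alice), 93, store))      # 302 -> list
    print(93 in store.rows)                                    # False
```

The ownership filter in step 3 is the actual access control; the POST-only rule and the redirect are the "hiding" discussed above, and they only reduce how visible the URL pattern is, not what a user is permitted to delete.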

