On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:

> Hi,
>
> Thanks for your fast response!
>
> I've already made sure that users can only edit or delete objects that
> they've created but I thought it might be even better to hide that
> information.

If you put the delete link in a form "action", and have the delete view
redirect to a different url when it's done, that's about as "hidden" as
it gets. A determined user will still be able to figure out the pattern,
but if they can only delete their own resources, then why hide it?

> Kind regards
>
> . . . . . . . . . . . . . . . . . . . . . . . . . .
> Patrick Szabo
> XSLT Developer
> LexisNexis
> Marxergasse 25, 1030 Wien
>
> mailto:patrick.sz...@lexisnexis.at
> Tel.: +43 (1) 534 52 - 1573
> Fax: +43 (1) 534 52 - 146
>
> -----Original Message-----
> From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On Behalf Of Eric Abrahamsen
> Sent: Friday, 04 March 2011 10:46
> To: django-users@googlegroups.com
> Subject: Re: parameter, but not in the URL
>
> On Fri, Mar 04 2011, Szabo, Patrick (LNG-VIE) wrote:
>
>> 127.0.0.1:800/93/1
>>
>> This would delete an object with the id 93.
>>
>> This is very insecure and once the user notices how this works he
>> could delete any object he wants.
>>
>> How can I make this more secure?!
>
> There's pretty much always a public-facing URL that can be used to
> delete a resource. I believe the best thing is just to require that a
> user be logged in to perform the action. That's most simply done with a
> @login_required decorator on the
>
> If you keep track of which users created which resources, you can
> restrict them to only deleting resources they created with some simple
> logic in the view.
>
> HTH,
> Eric
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
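The owner check Eric describes ("some simple logic in the view"), written out as an added example that is not from this thread: it is plain Python standing in for a Django view so it runs without Django installed, and the Request and Store classes, the object ids and the user names are constructed stand-ins for request.user, the ORM lookup and real records.

```python
# Added example: GET-based delete-by-id (the thread's /93/1 URL) next to a
# view that authenticates, requires POST and scopes the lookup to the owner.
# Request/Store mimic a Django request and model table; they are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    user: Optional[str]  # None plays the role of an anonymous user


@dataclass
class Store:
    # object id -> owner username; constructed sample rows, not real data
    objects: dict = field(default_factory=lambda: {93: "alice", 94: "bob"})


def delete_unsafe(store: Store, request: Request, pk: int) -> int:
    """Vulnerable shape from the thread: whatever id is in the URL is
    deleted, by anyone, on a plain GET. Hiding the link changes nothing,
    because the id is still the only thing the view checks."""
    store.objects.pop(pk, None)
    return 302  # redirect, as if nothing were wrong


def delete_safe(store: Store, request: Request, pk: int) -> int:
    """Hardened shape: login required, POST only, and the lookup itself
    is filtered by owner, like get_object_or_404(Model, pk=pk, owner=user)."""
    if request.user is None:
        return 302  # what @login_required does: redirect to the login page
    if request.method != "POST":
        return 405  # deletion only from a form action, never a GET link
    # Scoping the query to the owner means someone else's object looks
    # exactly like a missing one, so guessing ids yields nothing useful.
    if store.objects.get(pk) != request.user:
        return 404
    del store.objects[pk]
    return 302  # redirect elsewhere once done, as the reply suggests
```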