Sorry maybe my post was not very clear, I am talking about public content here, that should be accessed by anyone, even anonymous users not logged in. For instance if we talk about photos, publicly available, the url would look something like /photos/1, /photos/2 .... 1 and 2 being the pk of the object in the db. If someone wants to download or link to these photos in a totally uncontrollable way (without using an API), with that system we are making it very easy to do mass content leakage. I don't want to promote security by obscurity here, just want to know what people in the group think about it and what solutions can be implemented, or if it is relevant at all.
The idea of slug could do the trick, but wouldn't it require some sort of date or title or a combination of both in the url? Not the most convenient in this case. On Friday, March 23, 2012 12:17:02 PM UTC+1, Bastian Ballmann wrote: > > Hi Bastien, > > it's the task of the backend to manage the authorization including > users and permissions. > > If the view and permission system allows all users to see everything > and you dont want it that way than you have to check permission in your > views. > See > https://docs.djangoproject.com/en/1.3/topics/auth/<https://docs.djangoproject.com/en/1.3/topics/auth/> > > This has nothing to do with having the id in the url or not cause > hiding the id wont help you get a more secure system if your auth > backend is crappy. Security by obscurity doesnt work. > > HTH && Greets > > Basti > > > Am Fri, 23 Mar 2012 04:06:45 -0700 (PDT) > schrieb Bastien <>: > > > I am concerned about seeing the IDs of objects appearing in the URL > > and in a totally predictable manner. It is very convenient and clean > > to do all sorts of things but can be abused very easily to retrieve > > all the content of the site, ie: photos... > > Is it a good idea to try to change this behavior? Maybe with some > > sort of middleware? Is there any project doing it already? For > > instance the urls in Instagram seem to be encoded at least. > > > > -- > Bastian Ballmann / Web Developer > Notch Interactive GmbH / Badenerstrasse 571 / 8048 Zürich > Phone +41 43 818 20 91 / www.notch-interactive.com > > -- You received this message because you are subscribed to the Google Groups "Django users" group. To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/JXu3CCHKtaQJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
