On Fri, Mar 23, 2012 at 11:38 AM, Bastien <[email protected]> wrote:
> Sorry, maybe my post was not very clear. I am talking about public content
> here, that should be accessed by anyone, even anonymous users not logged in.
> For instance, if we talk about photos, publicly available, the url would look
> something like /photos/1, /photos/2 .... 1 and 2 being the pk of the object
> in the db. If someone wants to download or link to these photos in a totally
> uncontrollable way (without using an API), with that system we are making it
> very easy to do mass content leakage. I don't want to promote security by
> obscurity here, I just want to know what people in the group think about it
> and what solutions can be implemented, or if it is relevant at all.
>
> The idea of a slug could do the trick, but wouldn't it require some sort of
> date or title or a combination of both in the url? Not the most convenient
> in this case.
>
If you are concerned about predictable URLs, then you could instead add a random uuid for each object, use that as a db index and index your URLs with the uuid. Your uuid field could simply be a char field, or there are several UUIDField implementations out there on the internet - ideally, you'd be using postgres (which has a uuid field type), and it would get stored as a 128 bit integer rather than a 36 character string.

Cheers
Tom

PS: This is the uuid field I use: https://github.com/dcramer/django-uuidfield
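The scheme Tom describes, shown as an added example that is not part of the thread and not code from django-uuidfield or Django itself. Plain Python stands in for the model and the database table (the `Photo` and `PhotoStore` names, the in-memory "index" and the sample titles are all constructed for the example); the point it makes is the one in the thread: a scrape over `/photos/1 .. /photos/N` recovers every object, while guessing against uuid4-keyed URLs recovers none, because a uuid4 carries 122 bits drawn from the OS CSPRNG. It also rejects malformed ids before the lookup and checks that the column really holds random (version 4) UUIDs, since a time-based uuid1 would not fix the enumeration problem.

```python
"""Public URLs keyed by a random UUID instead of the sequential primary key.

Added example; hypothetical in-memory store, not Django's ORM or
django-uuidfield. Sample data is constructed inline.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class Photo:
    pk: int
    title: str
    # uuid4() is built from os.urandom() and has 122 random bits; unlike
    # pk = 1, 2, 3 ... it cannot be walked sequentially.
    public_id: uuid.UUID = field(default_factory=uuid.uuid4)


class PhotoStore:
    """Stand-in for the photos table with an extra index on the uuid column."""

    def __init__(self):
        self._by_pk = {}
        self._by_uuid = {}   # the "db index" on the uuid column
        self._next_pk = 1

    def add(self, title):
        photo = Photo(pk=self._next_pk, title=title)
        self._next_pk += 1
        self._by_pk[photo.pk] = photo
        self._by_uuid[photo.public_id] = photo
        return photo

    def by_pk(self, pk):
        """The old /photos/<pk> lookup."""
        return self._by_pk.get(pk)

    def by_public_id(self, raw):
        """The new /photos/<uuid> lookup: parse first, so junk never reaches the index."""
        try:
            key = uuid.UUID(str(raw))
        except ValueError:
            return None
        return self._by_uuid.get(key)


def public_url(photo):
    """URL that goes in the page; replaces /photos/<pk>."""
    return f"/photos/{photo.public_id}"


def is_random_uuid(u):
    """Only version 4 is random. uuid1() embeds a timestamp and the node id, so
    a column of those would still be guessable."""
    return u.version == 4


def enumerate_by_pk(store, upper):
    """Attacker scrape against the pk scheme: request /photos/1 .. /photos/<upper>."""
    return [p for pk in range(1, upper + 1) if (p := store.by_pk(pk))]


def enumerate_by_guess(store, guesses):
    """Attacker scrape against the uuid scheme: try `guesses` random ids."""
    return [p for _ in range(guesses) if (p := store.by_public_id(uuid.uuid4()))]


def demo(n_photos=50, guesses=10_000):
    """Returns (objects leaked via pk URLs, objects leaked via uuid URLs)."""
    store = PhotoStore()
    for i in range(n_photos):
        store.add(f"photo {i}")          # constructed sample rows
    leaked_pk = len(enumerate_by_pk(store, n_photos))
    leaked_uuid = len(enumerate_by_guess(store, guesses))
    return leaked_pk, leaked_uuid


if __name__ == "__main__":
    print("leaked via pk, leaked via uuid:", demo())
```

The parse-before-lookup step matters in a real view as well: `uuid.UUID()` accepts the hyphenated, bare-hex, braced and `urn:uuid:` forms, so normalising there keeps the database from seeing unbounded strings, and a `ValueError` maps naturally to a 404. Storing the column as a native postgres `uuid` rather than a 36-character string, as Tom suggests, keeps that index compact.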

