On Fri, Mar 23, 2012 at 12:00 PM, Brett Parker <[email protected]> wrote:
> On 23 Mar 04:38, Bastien wrote:
>> Sorry, maybe my post was not very clear; I am talking about public content
>> here, that should be accessed by anyone, even anonymous users not logged in.
>> For instance, if we talk about photos, publicly available, the url would
>> look something like /photos/1, /photos/2 .... 1 and 2 being the pk of the
>> object in the db. If someone wants to download or link to these photos in a
>> totally uncontrollable way (without using an API), with that system we are
>> making it very easy to do mass content leakage. I don't want to promote
>> security by obscurity here, I just want to know what people in the group
>> think about it and what solutions can be implemented, or if it is relevant
>> at all.
>
> Are there links on the site to those bits of content, anyways? If so,
> then this is entirely irrelevant, as they're already entirely
> spiderable, and there's plenty of software out there that will parse web
> pages and download all content, and follow links, etc.
>
> Cheers,
> --
> Brett Parker
You might have a page with links to '/photos/1' and '/photos/2'. You don't want someone to try to download all the photos by guessing that there may be content at '/photos/3' as well. Using non-predictable URIs for resources allows you to control how and when a user is linked to a resource.

Cheers
Tom
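As an added illustration of Tom's point (example code, not from this thread or from Django itself), a plain-Python stand-in for a Django model that keeps the sequential pk in the database but exposes a random token in the URL; the `Photo`, `PhotoStore` and `sequential_guess_hits` names are assumptions. In Django the same idea is a `UUIDField(default=uuid.uuid4, unique=True, editable=False)` referenced in the URL pattern instead of `pk`.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Stand-in for a Django model (names are assumptions): `pk` is the sequential
# database key, `public_id` is the unguessable identifier shown in the URL.
@dataclass
class Photo:
    pk: int
    owner: str
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # 128 bits


class PhotoStore:
    """In-memory table standing in for the ORM; the lookup rules are the point."""

    def __init__(self) -> None:
        self._by_pk: Dict[int, Photo] = {}
        self._by_public_id: Dict[str, Photo] = {}

    def add(self, owner: str) -> Photo:
        photo = Photo(pk=len(self._by_pk) + 1, owner=owner)
        self._by_pk[photo.pk] = photo
        self._by_public_id[photo.public_id] = photo
        return photo

    # Old scheme, /photos/<pk>/: every small integer is a plausible guess.
    def view_by_pk(self, path: str) -> Optional[Photo]:
        try:
            return self._by_pk.get(int(path.strip("/").split("/")[-1]))
        except ValueError:
            return None

    # New scheme, /photos/<public_id>/: only an id the site actually minted resolves.
    def view_by_public_id(self, path: str) -> Optional[Photo]:
        return self._by_public_id.get(path.strip("/").split("/")[-1])


def public_url(photo: Photo) -> str:
    """The only place a photo's URL is produced, so linking stays under the site's control."""
    return f"/photos/{photo.public_id}/"


def sequential_guess_hits(view: Callable[[str], Optional[Photo]], upto: int) -> int:
    """Count photos recovered by requesting /photos/1/ .. /photos/<upto>/ in order."""
    return sum(1 for i in range(1, upto + 1) if view(f"/photos/{i}/") is not None)
```

Against `view_by_pk` a sequential walk recovers every photo; against `view_by_public_id` the same walk recovers none, while links the site itself emits via `public_url` keep working.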

