Rather than obscuring the URLs, in my mind per-object-level permissions, or
even a simple status field with a live(...) objects manager, would do the
trick better.
One can attempt to guess and access the next sequence, but it won't show. I
personally use a status field on almost all my models and per-object-level
permissions on sites with users. See https://github.com/lukaszb/django-guardian.
Sample model managers:

    from django.db import models

    class ProductCategoryManager(models.Manager):
        """
        Additional methods / constants on ProductCategory's objects manager:
        ``ProductCategory.objects.live()`` - all instances visible on the front end
        """
        ### Model (db table) wide constants - we put these here and not in the
        ### model definition to avoid circular imports.
        ### One can access these constants through <foo>.objects.STATUS_DISABLED
        ### or ProductCategoryManager.STATUS_DISABLED
        STATUS_DISABLED = 0
        STATUS_ENABLED = 100
        STATUS_ARCHIVED = 500
        STATUS_CHOICES = (
            (STATUS_DISABLED, "Disabled"),
            (STATUS_ENABLED, "Enabled"),
            (STATUS_ARCHIVED, "Archived"),
        )

        # we keep status and filter naming a little different as
        # it is not a one-to-one mapping in all situations
        def live(self):
            """Returns all entries accessible through the front end site"""
            return self.all().filter(status=self.STATUS_ENABLED)

        def current(self):
            """Returns entries that are live and considered 'fresh'"""
            # narrow live() further with a date range, other conditions, etc.
            return self.live()

        def retired(self):
            """Returns entries that are archived and considered 'old'"""
            return self.all().filter(status=self.STATUS_ARCHIVED)

Then you do ProductCategory.objects.live(), etc.
-----Original Message-----
From: Tom Evans
Sent: Friday, March 23, 2012 8:48 AM
To: [email protected]
Subject: Re: Is it secure to have IDs show up in URLs?
On Fri, Mar 23, 2012 at 12:11 PM, Brett Parker
<[email protected]> wrote:
*if* they wanted all the photos, then spidering the site isn't exactly
difficult, see wget -m.
You assume that all the content is indexed on the website. Consider a
press release model; you may have a 'published' flag on the
PressRelease model, so that a press release being prepared does not
appear in the list of press releases on the site.
The user uploads several images to include in the press release, the
images have commercially sensitive information in them that you can
only show after the release is published.
Should someone be able to get lucky and guess the ids of photos that
have not been included in a published release?
They'll end up with more than they need, but
it'll all be local, and it'd take them minutes to then just weed out the
photos - obscuring urls and using random ids just appears to be a waste
of time for public content.
It isn't obscuring the URI; it is making it non-predictable. There are
many occasions where generating non-predictable URIs is essential, and
assigning objects a UUID (also called a GUID) is extremely common, as
it gives a way of uniquely identifying arbitrary items.
Stuff like this seems pointless and arbitrary until it's not. Only the
OP knows his needs; if he needs non-predictable URIs, he needs
non-predictable URIs.
Cheers
Tom
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
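The two positions in this thread (a status field behind a live() manager so that guessing the next sequential id returns nothing, and Tom's point that a UUID makes the URL non-predictable in the first place) are easy to see side by side in plain Python. The block below is an added example written for this page; it is not Django code and not code from either poster. The Image/ImageManager names, the in-memory store and the sample rows are constructed for the demonstration; the status constants mirror the ones in the reply above. A uuid4 carries 122 random bits, so the public_id handle cannot be walked the way a sequential pk can.

```python
"""Status-gated lookup versus ungated lookup, plus an unguessable public id.
Added example, constructed for this thread; not Django and not the posters' code."""
import uuid
from dataclasses import dataclass, field

# same status values as the manager posted in the reply
STATUS_DISABLED = 0
STATUS_ENABLED = 100
STATUS_ARCHIVED = 500


@dataclass
class Image:
    pk: int            # sequential id, like Django's default AutoField
    caption: str
    status: int
    # non-predictable handle for use in public URLs (Tom's UUID suggestion)
    public_id: str = field(default_factory=lambda: uuid.uuid4().hex)


class ImageManager:
    """Stand-in for a Django objects manager: front-end code only ever calls live()."""

    def __init__(self, rows):
        self._rows = list(rows)

    def all(self):
        return list(self._rows)

    def live(self):
        """Everything the front end is allowed to show."""
        return [r for r in self._rows if r.status == STATUS_ENABLED]

    def get_live_by_pk(self, pk):
        """Front-end lookup by sequential id. Returns None (i.e. 404) for a
        disabled, archived or nonexistent row, so all three look identical."""
        for r in self.live():
            if r.pk == pk:
                return r
        return None

    def get_live_by_public_id(self, public_id):
        """Same gate, keyed on the UUID handle instead of the sequential id."""
        for r in self.live():
            if r.public_id == public_id:
                return r
        return None


def build_sample_store():
    # constructed rows: two published images, one from an unpublished release,
    # one archived
    return ImageManager([
        Image(1, "published product shot", STATUS_ENABLED),
        Image(2, "draft release: unannounced pricing", STATUS_DISABLED),
        Image(3, "published team photo", STATUS_ENABLED),
        Image(4, "last year's banner", STATUS_ARCHIVED),
    ])


def walk_sequential_ids_gated(store, max_pk):
    """What guessing ids 1..max_pk yields when every lookup goes through live()."""
    return [pk for pk in range(1, max_pk + 1)
            if store.get_live_by_pk(pk) is not None]


def walk_sequential_ids_ungated(store, max_pk):
    """The same walk against a lookup that forgot the gate: the draft leaks."""
    present = {r.pk for r in store.all()}
    return [pk for pk in range(1, max_pk + 1) if pk in present]


if __name__ == "__main__":
    store = build_sample_store()
    print("gated walk sees:  ", walk_sequential_ids_gated(store, 10))
    print("ungated walk sees:", walk_sequential_ids_ungated(store, 10))
    for r in store.all():
        print(r.pk, r.public_id, "live" if store.get_live_by_public_id(r.public_id) else "hidden")
```

The point of keeping the gate inside the manager is that a view which looks an object up by any identifier, sequential or UUID, gets the status check for free; the UUID then adds non-predictability on top rather than standing in for authorization.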