Right: an integer id is not sensitive information. The problem arises (as in your original example) when a malicious user can edit the URL to change the id to another that he is not allowed to see, and your application lets him see it. It's that last part you have to prevent. After using the authorization system to determine who the user is, you need an authentication system to guarantee that users only see data they are authorized to see.
--Ned.

John Shaffer wrote:
> On 7/14/07, Rogelio <[EMAIL PROTECTED]> wrote:
>
>> yet. I guess I was thinking that even if the user was logged in, the URL
>> still would be showing potentially sensitive info. I was thinking maybe I
>> needed to create some random sequence of letters/numbers, store that in a
>> model field and use it as the pk
>>
>
> Use the default:
> http://www.djangoproject.com/documentation/model-api/#automatic-primary-key-fields
>
> A student's row number isn't sensitive.

--
Ned Batchelder, http://nedbatchelder.com
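The point of the reply above, shown in code. This is an added example, not code from the thread or from Django: it is plain Python so it runs without a database, and the Student/User model, the three roles and the visible_student_ids policy are assumptions chosen to illustrate the check. The insecure view is the pattern the original poster was worried about (authentication only); the secure view does the same lookup but also requires that the logged-in user is allowed to see that particular row, and answers "not found" for both a missing id and a forbidden one.

```python
"""Object-level authorization for a Django-style "student detail" view.

Added example (not code from the original post or from Django). The data
model, role names and the visible_student_ids policy are assumptions. The
integer pk in the URL is not the secret; the check that the logged-in user
may read that particular row is what keeps the data private.
"""
from dataclasses import dataclass


class NotAuthenticated(Exception):
    """No logged-in user (a real app would redirect to the login page)."""


class NotFound(Exception):
    """Row missing, or not visible to this user (render as a 404)."""


@dataclass(frozen=True)
class User:
    id: int
    role: str                          # assumed roles: "admin", "teacher", "student"
    teaches: frozenset = frozenset()   # course ids a teacher is responsible for


@dataclass(frozen=True)
class Student:
    id: int           # the auto-increment pk that appears in the URL
    user_id: int      # login account that belongs to this student
    course_id: int
    grade: str        # the actually sensitive field


# Constructed sample rows standing in for the database tables.
USERS = {
    1: User(id=1, role="admin"),
    2: User(id=2, role="teacher", teaches=frozenset({10})),
    3: User(id=3, role="student"),
    4: User(id=4, role="student"),
}
STUDENTS = {
    100: Student(id=100, user_id=3, course_id=10, grade="A"),
    101: Student(id=101, user_id=4, course_id=20, grade="C"),
}


def student_detail_insecure(user, student_id):
    """The pattern the thread worries about: authentication only.

    Any logged-in user who edits the id in the URL gets the row back.
    """
    if user is None:
        raise NotAuthenticated
    try:
        return STUDENTS[student_id]
    except KeyError:
        raise NotFound from None


def visible_student_ids(user):
    """Student rows this user is authorized to read (assumed policy)."""
    if user.role == "admin":
        return set(STUDENTS)
    if user.role == "teacher":
        return {s.id for s in STUDENTS.values() if s.course_id in user.teaches}
    # A student sees only the row linked to their own login.
    return {s.id for s in STUDENTS.values() if s.user_id == user.id}


def student_detail_secure(user, student_id):
    """Authentication, then object-level authorization on the same lookup.

    An id the user may not see is treated exactly like an id that does not
    exist, so the response does not reveal which ids are valid.
    """
    if user is None:
        raise NotAuthenticated
    if student_id not in visible_student_ids(user):
        raise NotFound
    return STUDENTS[student_id]


def can_read(user_id, student_id, view=student_detail_secure):
    """True if the given view hands the row to this user, False on NotFound."""
    try:
        view(USERS[user_id], student_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # Student 4 edits the URL from /students/101/ to /students/100/.
    print("insecure view leaks:", can_read(4, 100, student_detail_insecure))
    print("secure view leaks:  ", can_read(4, 100))
```

In a real Django view the secure lookup collapses into one call such as `get_object_or_404(Student, pk=pk, user=request.user)` (assuming the model has a `user` foreign key), which filters by ownership and 404s in the same query; the important part is that the filter is applied on every object-level view, not that the id is hard to guess.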