Hi,
my question is really basic but I'd like to make sure I'm doing the
right thing.
Say a user owns certain objects and has the possibility to delete
them by clicking on a "delete" link.
I'm thinking of associating that link to a GET request via a URL like:
    /objects/delete/<object_pk>
but this would give the possibility to a user to delete objects
created by and belonging to another user by directly typing the URL in
the bar and putting a random object_pk.
What is the best practice to deal with this?
Is it a good idea to simply check that the owner of the object is also
the one performing the GET request?
Would something like the following do the job?
    if request.user.id == object.user.id:
        object.delete()
Is there a well known approach?
Thanks a lot
Francesco
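
Added example, not part of the original post: a framework-free Python sketch of the ownership check asked about above, where the lookup is scoped to the requesting user so that another user's object_pk gets the same 404 as a missing one. Store, Request and delete_view are hypothetical names and the data is constructed; the handler also refuses GET, which goes slightly beyond the question, because GET requests are expected not to change state.

```python
# Added illustration: owner-scoped delete handler, modelled without a framework.
# Store, Request and delete_view are hypothetical names; sample data is constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    user_id: Optional[int]  # None means an anonymous (not logged in) request


@dataclass
class Store:
    owners: Dict[int, int] = field(default_factory=dict)  # object pk -> owner id

    def get_owned(self, pk: int, user_id: int) -> Optional[int]:
        """Look up by pk AND owner in one step, never by pk alone.

        In Django terms this corresponds to filtering on both fields,
        e.g. get_object_or_404(Model, pk=pk, user=request.user).
        """
        owner = self.owners.get(pk)
        return pk if owner is not None and owner == user_id else None


def delete_view(store: Store, request: Request, object_pk: int) -> int:
    """Return the HTTP status code for a delete request on object_pk."""
    if request.user_id is None:
        return 401  # authentication comes before any object lookup
    if request.method != "POST":
        return 405  # deletion changes state, so a plain link (GET) is refused
    pk = store.get_owned(object_pk, request.user_id)
    if pk is None:
        return 404  # same answer for "does not exist" and "not yours"
    del store.owners[pk]
    return 204


if __name__ == "__main__":
    store = Store({1: 10, 2: 20})  # constructed: user 10 owns pk 1, user 20 owns pk 2
    print(delete_view(store, Request("POST", 10), 2))  # someone else's object
    print(delete_view(store, Request("POST", 10), 1))  # own object
    print(sorted(store.owners))
```

Returning 404 for both cases means the response does not reveal which primary keys exist for other users.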