On Mar 5, 2008, at 7:47 AM, Malcolm Tredinnick wrote:
>
> On Wed, 2008-03-05 at 06:44 -0800, cesco wrote:
>> Hi,
>>
>> my question is really basic but I'd like to make sure I'm doing the
>> right thing.
>>
>> Say a user owns certain objects and it has the possibility to delete
>> them by clicking on a "delete" link.
>>
>> I'm thinking of associating that link to a get request via a url like:
>> /objects/delete/<object_pk>
>> but this would give the possibility to a users to delete objects
>> created and belonging to another user by directly typing the url in
>> the bar and putting a random object_pk.
It’s a bad idea to put anything that manipulates the database in a URL
like this. I usually do deletes like this:

<form action="/item/delete/" method="POST">
  <input type="hidden" name="id" value="{{ item.id }}">
  <input type="submit" value="Delete">
</form>

It’s also a good idea to use HttpResponseRedirect to prevent the user
from trying to delete it twice.
>> What is the best practice to deal with this?
>>
>> Is it a good idea to simply check that the owner of the object is also
>> the one performing the get request?
>>
>> Would something like the following do the job?
>> if request.user.id == object.user.id:
>>     object.delete()
>
> If permission control matters then of course you have to check the
> permissions before executing the operation. This isn't unique to
> delete(). However it's also not a universal requirement, since not
> every domain has a concept of objects being owned by anybody (or any
> group of bodies). So you need to do whatever permission checking is
> appropriate for your problem domain.
>
> Malcolm
>
> --
> Honk if you love peace and quiet.
> http://www.pointy-stick.com/blog/
--
Peter of the Norse
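The pattern the thread converges on (POST-only delete, an ownership check before the delete, then a redirect) put together as one view, as an added example that is not code from any poster. The request, user, item and store classes are constructed stand-ins so it runs without Django installed; in a real Django view the same steps map onto `require_POST`, `get_object_or_404(Item, pk=pk, user=request.user)` and `HttpResponseRedirect`. The example goes one step beyond cesco's `if request.user.id == object.user.id` check: the ownership test is folded into the lookup, so a non-owner gets the same 404 as a nonexistent id and cannot use the response to learn which ids belong to other users.

```python
"""Ownership-checked delete modelled on a Django view.

All classes below are constructed stand-ins (not Django's) so the example
runs stand-alone; comments name the Django piece each one replaces.
"""
from dataclasses import dataclass, field


@dataclass
class User:                 # stand-in for request.user
    id: int


@dataclass
class Item:                 # stand-in for a model with user = ForeignKey(User)
    id: int
    user_id: int            # owner's id


@dataclass
class Request:              # stand-in for django.http.HttpRequest
    method: str
    user: User
    POST: dict = field(default_factory=dict)


@dataclass
class Response:             # stand-in for HttpResponse / HttpResponseRedirect
    status: int
    location: str = ""      # Location header for a 302


class ItemStore:
    """In-memory stand-in for Item.objects."""

    def __init__(self, items):
        self._items = {i.id: i for i in items}

    def get(self, pk):
        return self._items.get(pk)

    def delete(self, pk):
        del self._items[pk]

    def count(self):
        return len(self._items)


def delete_item(request, store):
    """Handle POST /item/delete/ carrying a hidden 'id' field.

    Checks run in this order: request method, then existence and
    ownership together, then the delete, then a redirect so a reload
    of the result page cannot resubmit the delete.
    """
    # Like @require_POST: a GET (link click, prefetch, crawler) never deletes.
    if request.method != "POST":
        return Response(405)

    # Reject garbage before touching the store.
    try:
        pk = int(request.POST.get("id", ""))
    except ValueError:
        return Response(400)

    # Like get_object_or_404(Item, pk=pk, user=request.user): an item that
    # is missing and an item owned by someone else produce the same 404.
    item = store.get(pk)
    if item is None or item.user_id != request.user.id:
        return Response(404)

    store.delete(pk)
    # Like HttpResponseRedirect("/items/"): a second submit of the same
    # form now hits the 404 branch instead of raising on a missing row.
    return Response(302, location="/items/")


if __name__ == "__main__":
    store = ItemStore([Item(1, user_id=10), Item(2, user_id=20)])
    alice, bob = User(10), User(20)
    print(delete_item(Request("GET", alice), store))                  # 405
    print(delete_item(Request("POST", bob, {"id": "1"}), store))      # 404
    print(delete_item(Request("POST", alice, {"id": "1"}), store))    # 302
    print(delete_item(Request("POST", alice, {"id": "1"}), store))    # 404
```

Restricting the view to POST is what stops a link or a prefetching browser from deleting anything, and a real Django deployment should also protect the form with Django's CSRF middleware, since a POST from a page on another site is otherwise just as effective as the GET link cesco was worried about.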
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---