Just a quick word of warning: You're now essentially passing
unfiltered user input directly into the template loader. Depending on
what content you have in your templates, this may imply a security
risk. For instance, if you have a template that hard-codes any secure
information, such as system account information or settings or
whatever, and someone happens to guess the name of that template, the
URL pattern you're using would allow them to pull up that template
directly, even if you have authentication protecting the view that
normally accesses it.

Keep in mind, though, that this would only pull up the private
template, not the private view. So it would load the template with a
different context, and would probably not render very well. All the
same, any content that's hard-coded directly in the template, rather
than being pulled from the context, is fair game for an attacker to
access.

Consider something like this instead:

# in urls.py
from django.conf.urls.defaults import *           # provides patterns()
from django.views.generic.simple import direct_to_template

def easy_template(name):
    # One explicit URL mapped to one explicit template of the same name
    return (r'^%s/$' % name, direct_to_template, {'template': '%s.html' % name})

urlpatterns = patterns('',
    (r'^$', direct_to_template, {'template': 'home.html'}),
    easy_template('compliance-bsa'),
    easy_template('compliance-audits'),
    easy_template('bsa-audits'),
    easy_template('compliance-officer'),
)

That way, you get to work some DRY magic, while still being able to
explicitly declare exactly which templates are accessible through this
scheme. That's untested, by the way, but it should work.

-Gul
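The following is an added example, not code from the post above or from Django itself. It reproduces the two URL schemes being compared with a plain-Python stand-in for the template loader (an in-memory dict, with constructed template sources and a constructed "private" template), so the difference can be run without Django: the catch-all resolver hands back any template whose name an attacker guesses, while the explicit easy_template-style list only reaches templates that were deliberately declared.

```python
import re

# Constructed in-memory template store standing in for the filesystem
# template loader. The last entry plays the role of a template that
# hard-codes something sensitive and is only meant to be rendered by a
# view protected by authentication (value is constructed, not real).
TEMPLATES = {
    "home.html": "<h1>Home</h1>",
    "compliance-bsa.html": "<h1>BSA compliance</h1>",
    "compliance-audits.html": "<h1>Compliance audits</h1>",
    "admin-settings.html": "<pre>smtp_password = CONSTRUCTED_SECRET</pre>",
}


def load_template(name):
    """Stand-in for the template loader: template source, or None if absent."""
    return TEMPLATES.get(name)


def catch_all_view(path):
    """The risky scheme: whatever name appears in the URL becomes the
    template name, so any template on disk is reachable by guessing."""
    m = re.match(r"^([\w-]+)/$", path)
    if not m:
        return None
    return load_template("%s.html" % m.group(1))


def easy_template(name):
    """Mirror of the post's helper: one explicit URL -> one explicit template."""
    return (re.compile(r"^%s/$" % re.escape(name)), "%s.html" % name)


# The allowlist: only names listed here can ever be resolved.
URLPATTERNS = [
    (re.compile(r"^$"), "home.html"),
    easy_template("compliance-bsa"),
    easy_template("compliance-audits"),
]


def allowlist_view(path):
    """The safer scheme: the URL is matched against declared patterns and
    the template name comes from the declaration, never from the request."""
    for pattern, template in URLPATTERNS:
        if pattern.match(path):
            return load_template(template)
    return None


if __name__ == "__main__":
    # The catch-all view leaks the private template; the allowlist does not.
    print("catch-all :", catch_all_view("admin-settings/"))
    print("allowlist :", allowlist_view("admin-settings/"))
    print("allowlist :", allowlist_view("compliance-bsa/"))
```

Note that the catch-all regex already restricts the characters it accepts, so the exposure is not path traversal; it is that every template the loader can find becomes a public page, context or no context, exactly as the post describes. The allowlist version fixes that by making the set of reachable templates the set of declared URLs.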

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---