Hi, the app I'm currently working on can be accessed by either authorised admin users or authenticated customers (one customer might have a number of users on their account). A non-admin user can log in and view restricted sections of the site to check things like invoices, orders, etc.

So, as an example, a customer called Bob can view his company's invoices at /customer/invoices/85 (the number being the invoice number viewed). In an attempt to break it I changed the URL to /customer/invoices/84, and Bob can see invoice 84, but that invoice isn't registered to him; it's for a different customer entirely. Obviously I'm missing some authentication magic to stop that happening. Question is, I'm not sure how to go about that: is there a straightforward way I can implement more robust user authentication so a customer only sees the invoices they are meant to view!?

Code for invoice list and invoice detail: http://dpaste.com/hold/42642/

Thanks
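The missing check is an ownership (authorization) check on the object itself, not extra authentication: the customer must be part of the lookup, so Bob's request for invoice 84 behaves like a request for an invoice that does not exist. This is an added example, not the poster's dpaste code or Django itself; it is written in plain Python with an in-memory dict standing in for the database so it runs offline. In a real Django view, `invoice_detail_scoped` corresponds to `get_object_or_404(Invoice, pk=invoice_id, customer=request.user.customer)` (assuming a `customer` foreign key on the invoice and a `customer` attribute on the user profile).

```python
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Stands in for django.http.Http404."""


@dataclass(frozen=True)
class User:
    username: str
    customer_id: Optional[int]  # None for admin accounts
    is_staff: bool = False


@dataclass(frozen=True)
class Invoice:
    pk: int
    customer_id: int


# Constructed sample data: Bob belongs to customer 1; invoice 84 belongs to
# customer 2 and must not be readable by him.
INVOICES = {84: Invoice(84, customer_id=2), 85: Invoice(85, customer_id=1)}
BOB = User("bob", customer_id=1)
ADMIN = User("admin", customer_id=None, is_staff=True)


def invoice_detail_unscoped(user: User, invoice_id: int) -> Invoice:
    """Vulnerable pattern: lookup by primary key only, so any logged-in
    user who edits the id in the URL gets someone else's invoice."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def invoice_detail_scoped(user: User, invoice_id: int) -> Invoice:
    """Fixed pattern: the caller's customer is part of the lookup, so a
    foreign invoice looks exactly like a nonexistent one (404 either way)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    if user.is_staff:
        return invoice  # admins may view every customer's invoices
    if invoice.customer_id != user.customer_id:
        raise NotFound(invoice_id)  # 404, not 403: don't confirm it exists
    return invoice
```

The same rule applies to the list view: filter the queryset by the caller's customer before rendering, rather than listing every invoice and trusting the template to hide the rest.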

