On 12 nov, 10:51, Steinar Rune Eriksen <s.r.erik...@gmail.com> wrote:
> I have not used Django in external environments before, just Intranet
> applications.
>
> I am wondering how to mask URLs so that object IDs are not shown?
> Obviously one would create security on the server to check if a user
> has access to view a particular object, but the fact that IDs are
> displayed in the URL would make the Web service look hackable to a lot
> of users.
>
> I am thinking of this type of URL
>
> (r'^portfolio/(\d{2})/$', 'portfolios.views.load_details'),
> /portfolio/3/
>
> In template the URL would be {% url portfolios.views.load_details
> portfolio.pk %}
>
> Let's say the logged in user has created 2 portfolios, given primary
> keys 3 and 5, and has clicked to view details of object with pk 3.
>
> He does not have access to 1,2,4, but would be tempted to look at
> these URLs and would be wondering if others will be able to view them
>
> Is there a way to rewrite/mask the URL, perhaps via Apache, or would
> one not use such URL mechanisms at all for this type of Web solution?

"Security thru obscurity" is a well-known antipattern. The obvious
answer to your problem is to handle per-object (aka row-level)
permissions in your application.

If the rules are simply "a logged in user can only access its own
portfolios", then all you have to do is to check (in your views) if
the request.user is the portfolio.owner (assuming you didn't forget
to have this relationship <g>).

Else you need a real row-level permissions system - which doesn't yet
exist in Django itself so it'll need a bit more work. One solution
might be to use authority (http://packages.python.org/django-authority/).
But support for row-level permissions in Django itself is
scheduled for the 1.2 release, and already available as a patch
(http://code.djangoproject.com/ticket/11010). Note that the patch only
provides _support_ for this feature - you'll still have to implement
the row-level permissions by yourself (which, FWIW, is what I'm
working on ATM <g>).

HTH
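The ownership check the reply describes, written out as an added example that is not part of the thread and not Django's own code: the view looks the portfolio up by primary key *and* owner, so a user who edits the number in /portfolio/<pk>/ gets a 404 for anyone else's object. It uses a small in-memory stand-in for the ORM and for request/Http404 so it runs without Django installed; in a real Django view the same check is the single line `get_object_or_404(Portfolio, pk=pk, owner=request.user)`. The users, portfolio names and the insecure/secure view pair are constructed for the example.

```python
# Added example (not from the thread): the per-object ownership check the
# reply describes, against a tiny in-memory stand-in for Django's ORM so it
# runs offline. In a real Django view the same check is one line:
#     portfolio = get_object_or_404(Portfolio, pk=pk, owner=request.user)
from dataclasses import dataclass


class Http404(Exception):
    """Stand-in for django.http.Http404."""


@dataclass(frozen=True)
class User:
    username: str


@dataclass(frozen=True)
class Portfolio:
    pk: int
    owner: User
    name: str


@dataclass(frozen=True)
class Request:
    """Stand-in for the Django request object: only .user matters here."""
    user: User


# Constructed sample data: alice owns pk 3 and 5, bob owns 1, 2 and 4,
# matching the numbers used in the question.
ALICE = User("alice")
BOB = User("bob")
PORTFOLIOS = {
    1: Portfolio(1, BOB, "bob-one"),
    2: Portfolio(2, BOB, "bob-two"),
    3: Portfolio(3, ALICE, "alice-one"),
    4: Portfolio(4, BOB, "bob-three"),
    5: Portfolio(5, ALICE, "alice-two"),
}


def get_object_or_404(pk, **filters):
    """Mimics django.shortcuts.get_object_or_404 over the dict above:
    every keyword filter must match the object, otherwise raise Http404."""
    obj = PORTFOLIOS.get(pk)
    if obj is None or any(getattr(obj, f) != v for f, v in filters.items()):
        raise Http404(f"No Portfolio matches pk={pk} {filters}")
    return obj


def load_details_insecure(request, pk):
    """The problem the question worries about: lookup by pk alone, so any
    logged-in user who changes the number in the URL sees another user's
    portfolio (an insecure direct object reference)."""
    portfolio = get_object_or_404(pk)
    return {"status": 200, "name": portfolio.name}


def load_details(request, pk):
    """Hardened version: the owner is part of the lookup, so a foreign pk is
    indistinguishable from a nonexistent one (404 either way)."""
    portfolio = get_object_or_404(pk, owner=request.user)
    return {"status": 200, "name": portfolio.name}


def status_for(view, user, pk):
    """Run a view as the given user and report the HTTP status it produces."""
    try:
        return view(Request(user), pk)["status"]
    except Http404:
        return 404


if __name__ == "__main__":
    print("pk  insecure  secure  (as alice)")
    for pk in range(1, 6):
        print(pk, status_for(load_details_insecure, ALICE, pk),
              status_for(load_details, ALICE, pk))
```

Folding the owner into the query, rather than fetching by pk and comparing afterwards, means the check cannot be forgotten on one code path, and answering 404 instead of 403 avoids confirming to the curious user that pk 1, 2 and 4 exist at all.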
