On Nov 12, 9:51 am, Steinar Rune Eriksen <s.r.erik...@gmail.com>
wrote:
> I have not used Django in external environments before, just Intranet
> applications.
>
> I am wondering how to mask URLs so that object IDs are not shown?
> Obviously one would create security on the server to check if a user
> has access to view a particular object, but the fact that IDs are
> displayed in the URL would make the Web service look hackable to a lot
> of users.
>
> I am thinking of this type of URL
>
> (r'^portfolio/(\d{2})/$', 'portfolios.views.load_details'),
> /portfolio/3/
>
> In template the URL would be {% url portfolios.views.load_details
> portfolio.pk %}
>
> Let's say the logged-in user has created 2 portfolios, given primary
> keys 3 and 5, and has clicked to view details of the object with pk 3.
>
> He does not have access to 1, 2, 4, but would be tempted to look at
> these URLs and would be wondering if others will be able to view them.
>
> Is there a way to rewrite/mask the URL, perhaps via Apache, or would
> one not use such URL mechanisms at all for this type of Web solution?

How are you hoping that this would work? Obviously you have to have
some way for the URL to identify the particular portfolio, so you need
to pass some kind of unique identifier in the URL. If you don't want
to show a guessable ID, you'll need to store some other kind of
identifier in the model - perhaps a slug you could create from the
username + portfolio name, or maybe a GUID/UUID.
--
DR.
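An added example, not code from either poster, of the approach the reply suggests: give each portfolio a random UUID as its public identifier, match only that format in the URLconf, and keep the owner check in the lookup itself. It is written as plain Python standing in for the Django pieces (the `Portfolio` class plays the model, `load_details` plays the view, `NotFound` plays `Http404`); the field name `public_id` and the store of sample portfolios are constructed for the example. The comments name the Django equivalents (`models.UUIDField`, `get_object_or_404`).

```python
import re
import uuid
from dataclasses import dataclass, field


@dataclass
class Portfolio:
    """Stand-in for the Django model. In Django the public identifier
    would be declared as
        public_id = models.UUIDField(default=uuid.uuid4,
                                     editable=False, unique=True)
    while the integer pk stays internal and never appears in a URL."""
    pk: int                 # sequential database key, kept server-side
    owner: str              # username of the owning user
    name: str
    public_id: uuid.UUID = field(default_factory=uuid.uuid4)


# URLconf equivalent of r'^portfolio/(\d{2})/$': the pattern admits only a
# canonical UUID, so /portfolio/3/ and /portfolio/4/ match nothing at all.
UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
PORTFOLIO_URL = re.compile(rf"^portfolio/(?P<public_id>{UUID_RE})/$")


class NotFound(Exception):
    """Stand-in for the Http404 a Django view would raise."""


def build_url(portfolio):
    """What {% url ... portfolio.public_id %} would render instead of pk."""
    return f"portfolio/{portfolio.public_id}/"


def load_details(path, current_user, store):
    """View logic: resolve the URL, then fetch the object scoped to the
    requesting user. Django equivalent of the lookup:
        get_object_or_404(Portfolio, public_id=public_id, owner=request.user)
    Because ownership is part of the query, another user's valid UUID is
    indistinguishable from a UUID that does not exist."""
    m = PORTFOLIO_URL.match(path)
    if not m:
        raise NotFound(path)
    public_id = uuid.UUID(m.group("public_id"))
    for p in store:
        if p.public_id == public_id and p.owner == current_user:
            return p
    raise NotFound(path)


def sample_store():
    """Constructed data mirroring the thread: pk 3 and 5 belong to one user,
    pk 1, 2 and 4 to somebody else."""
    return [
        Portfolio(1, "bob", "Bob A"),
        Portfolio(2, "bob", "Bob B"),
        Portfolio(3, "steinar", "Equities"),
        Portfolio(4, "bob", "Bob C"),
        Portfolio(5, "steinar", "Bonds"),
    ]


if __name__ == "__main__":
    store = sample_store()
    mine = store[2]
    print(build_url(mine))                      # portfolio/<uuid>/
    print(load_details(build_url(mine), "steinar", store).name)
    for path in ("portfolio/3/", build_url(store[0])):
        try:
            load_details(path, "steinar", store)
        except NotFound:
            print("not found:", path)
```

The UUID removes the guessable sequence the original poster worried about, but the owner filter in the query is what actually stops another user from reading a portfolio whose URL they obtained some other way; the two belong together.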
