the goal entity should have a user's entity key that you get out of the session object on the server. when you then process 'complete' action, you should check first that the user's entity key in goal entity matches the one you got from server session. otherwise you're leaving yourself vulnerable.
On Apr 21, 10:08 pm, Matt C <[email protected]> wrote: > I'm writing a goal tracking application. I'd like to write the goal > entity key into a form like this: > > <form action="/complete/<entity_key>" method="post"> > > However, I don't want a malicious user to be able to guess someone > else's ID and complete their goal for them. My first thought on > getting around this is to combine the goal entity key with something > else (maybe the user's entity key), create a hash, and write them both > into the URL like this: > > <form action="/complete/<entity_key>/<combo_hash>" method="post"> > > I can then rehash upon submit and confirm that the URL was generated > by my app and the key is valid. > > 1) is there a better way to approach this problem? > > 2) if this is a good way to proceed, what is a good hash to apply here > (url friendly, reasonably fast)? Using Python. > > Thanks for any suggestions, > Matt > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group > athttp://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
