I do not necessarily see anything wrong with checking that the user is the actual owner after fetching the pet, particularly since you seem to require a user to be logged in to fetch a pet. You could add some type of logging to record events where a user tries to select a pet they do not own. If a user makes too many such requests, cut off their access.
Another option, if a pet's owner can _not_ change, is to make the user the pet's parent. You could ensure users can only view pets they own by building the key (which contains the user and the id). If there are relatively few pets per owner this may be an OK option. You could also do a query instead of a get. The query adds some overhead for successful retrievals, but it lets you filter bad requests before fetching the entity. It really depends on the specifics of the actual use case: how many pets owners can have, if they can be transferred, if you have many users that are likely to be malicious, etc.

Robert

On Sun, Oct 31, 2010 at 18:57, Geoff Parkhurst <[email protected]> wrote:
> Hi all... I've added the following to my model:
>
> from google.appengine.ext import db
>
> class User(db.Model):
>     GoogleAccount = db.UserProperty()
>     LastLogin = db.DateTimeProperty(auto_now=True)
>
> class Pet(db.Model):
>     Owner = db.ReferenceProperty(User, collection_name='pets')
>     PetName = db.StringProperty()
>
> My URLs are trying to look something like this:
>
> /pets -> list view of all my pets
> /pets/([0-9]+) -> single pet view
>
> I've got the list working, but the single pet view is causing me
> problems. The digits at the end of the URL are the id of the pet, and
> I need to make sure when viewing the pet in question, it's the right
> user trying to access it.
>
> If I just do: pet = models.Pet.get_by_id(int(PetId)), anyone could hack
> the URL and see the details of any pet.
>
> I'm then trying to do something like this: if pet.Owner ==
> users.get_current_user() but am not getting anywhere.
>
> Is there a way to get the current_user into the models.Pet.get_by_id()
> query as a parameter? Have I gone down the wrong path trying to use
> the id in the URL (should I have used the key? - makes for an uglier
> looking URL!)
>
> Many thanks again,
> Geoff
>
>
> On 5 October 2010 23:15, Geoff Parkhurst <[email protected]> wrote:
>> On 5 October 2010 22:30, Robert Kluin <[email protected]> wrote:
>>> Are you saying that your query works, but it is returning a list
>>> instead of a single instance?
>>>
>>> Maybe this is what you want?
>>>
>>>     user = User.all().filter('GoogleAccount', users.get_current_user()).get()
>>>     if not user:
>>>         # make a new user or something
>>>         pass
>>
>> Many thanks Robert - works a treat.
>> Regards,
>> Geoff
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
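The two approaches Robert describes (fetch the pet by id and then verify the owner, logging each failed attempt and cutting the user off after too many; or scope the key or the query to the owner so that a foreign id never resolves at all), as an added Python example that is not part of the thread. It uses a small in-memory stand-in for the datastore rather than the App Engine db API so it runs offline; Pet, PetStore, MAX_BAD_LOOKUPS and the sample pets are assumptions for illustration.

```python
import logging
from collections import defaultdict

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("pets")

MAX_BAD_LOOKUPS = 3  # assumed threshold; tune to the real use case


class Pet:
    """Minimal stand-in for the Pet entity: an id, an owner and a name."""
    def __init__(self, pet_id, owner, name):
        self.id = pet_id
        self.owner = owner
        self.name = name


class PetStore:
    """In-memory stand-in for the datastore (assumed, not the App Engine API).

    by_id mirrors a flat Pet.get_by_id() lookup; by_parent_key mirrors a key
    that has the owner as parent, so the same numeric id under a different
    owner is simply a different, non-existent key.
    """
    def __init__(self, pets):
        self.by_id = {p.id: p for p in pets}
        self.by_parent_key = {(p.owner, p.id): p for p in pets}
        self.bad_lookups = defaultdict(int)
        self.locked = set()

    def is_locked(self, user):
        return user in self.locked

    # Option 1: fetch by id, then verify the owner. A missing pet and a pet
    # owned by someone else get the same answer (None) so an attacker walking
    # /pets/1, /pets/2, ... learns nothing about which ids exist. Each bad
    # lookup is logged and counted; past the threshold the user is cut off.
    def get_pet_for_user(self, pet_id, user):
        if self.is_locked(user):
            log.warning("user %s is locked out; refusing lookup of pet %s", user, pet_id)
            return None
        pet = self.by_id.get(pet_id)
        if pet is None or pet.owner != user:
            self.bad_lookups[user] += 1
            log.warning("user %s requested pet %s they do not own (%d bad lookups)",
                        user, pet_id, self.bad_lookups[user])
            if self.bad_lookups[user] >= MAX_BAD_LOOKUPS:
                self.locked.add(user)
                log.error("user %s exceeded %d bad lookups; access cut off",
                          user, MAX_BAD_LOOKUPS)
            return None
        return pet

    # Option 2: the key itself contains the owner, so there is nothing to
    # check after the fetch: another user's id never resolves.
    def get_pet_by_parent_key(self, pet_id, user):
        return self.by_parent_key.get((user, pet_id))

    # Option 2b: a query filtered on owner instead of a get. Costs a scan
    # here (an index lookup in a real datastore) but never returns a pet
    # the caller does not own.
    def query_pet(self, pet_id, user):
        for pet in self.by_id.values():
            if pet.id == pet_id and pet.owner == user:
                return pet
        return None


def demo():
    """Constructed sample data: two owners, one pet each."""
    store = PetStore([Pet(1, "alice", "Rex"), Pet(2, "bob", "Tom")])
    return {
        "own_pet": store.get_pet_for_user(1, "alice").name,
        "other_pet": store.get_pet_for_user(2, "alice"),
        "parent_key_ok": store.get_pet_by_parent_key(2, "bob").name,
        "parent_key_wrong_owner": store.get_pet_by_parent_key(2, "alice"),
        "query_ok": store.query_pet(1, "alice").name,
        "query_wrong_owner": store.query_pet(1, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat on the comparison in Geoff's message: with the model as posted, pet.Owner dereferences to a User entity while users.get_current_user() returns a users.User, so the two will never compare equal. Compare pet.Owner.GoogleAccount to the current user, or compare pet.Owner.key() to the key of the User entity found with the query from the earlier message.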
