Hi Robert,

It's the

    if pet.Owner == users.get_current_user()

line which doesn't work - the .Owner is a reference property which doesn't match the "get_current_user()". I can't figure out how to get the User at the same time (an inner join I guess). I'd be most grateful for any pointers...

Best,
Geoff

On 1 November 2010 01:33, Robert Kluin <[email protected]> wrote:
> I do not necessarily see anything wrong with checking the user is the
> actual owner after fetching the pet. Particularly since you seem to
> require a user be logged in to fetch a pet. You could add some type
> of logging to record events where a user tries to select a pet they do
> not own. If a user makes too many such requests, cut off their access.
>
> Another option, if a pet's owner can _not_ change, is to make the user
> the pet's parent. You could ensure users can only view pets they own by
> building the key (which contains the user and the id). If there are
> relatively few pets per owner this may be an OK option.
>
> You could also do a query instead of a get. The query adds some
> overhead for successful retrievals, but it lets you filter bad
> requests before fetching the entity.
>
> It really depends on the specifics of the actual use case, how many
> pets owners can have, if they can be transferred, and if you have many
> users that are likely to be malicious, etc....
>
> Robert
>
> On Sun, Oct 31, 2010 at 18:57, Geoff Parkhurst
> <[email protected]> wrote:
>> Hi all... I've added the following to my model:
>>
>> class User(db.Model):
>>     GoogleAccount = db.UserProperty()
>>     LastLogin = db.DateTimeProperty(auto_now=True)
>>
>> class Pet(db.Model):
>>     Owner = db.ReferenceProperty(User, collection_name='pets')
>>     PetName = db.StringProperty()
>>
>> My URLs are trying to look something like this:
>>
>> /pets -> list view of all my pets
>> /pets/([0-9]+) -> single pet view
>>
>> I've got the list working, but the single pet view is causing me
>> problems. The digits at the end of the URL are the id of the pet, and
>> I need to make sure when viewing the pet in question, it's the right
>> user trying to access it.
>>
>> If I just do: pet = models.Pet.get_by_id(int(PetId)), anyone could hack
>> the URL and see the details of any pet.
>>
>> I'm then trying to do something like this: if pet.Owner ==
>> users.get_current_user() but am not getting anywhere.
>>
>> Is there a way to get the current_user into the models.Pet.get_by_id()
>> query as a parameter? Have I gone down the wrong path trying to use
>> the id in the URL (should I have used the key? - makes for an uglier
>> looking URL!)
>>
>> Many thanks again,
>> Geoff
>>
>> On 5 October 2010 23:15, Geoff Parkhurst <[email protected]> wrote:
>>> On 5 October 2010 22:30, Robert Kluin <[email protected]> wrote:
>>>> Are you saying that your query works, but it is returning a list
>>>> instead of a single instance?
>>>>
>>>> Maybe this is what you want?
>>>>
>>>> user = User.all().filter('GoogleAccount',
>>>>                          users.get_current_user()).get()
>>>> if not user:
>>>>     # make a new user or something
>>>>     pass
>>>
>>> Many thanks Robert - works a treat.
>>> Regards,
>>> Geoff
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Google App Engine" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/google-appengine?hl=en.
