Hi Geoff,

Denormalize. That would be the easiest, and likely best performing, solution. Alternatively you could fetch the User instance before your test.

Robert

On Mon, Nov 1, 2010 at 11:10, Geoff Parkhurst <[email protected]> wrote:
> Hi Robert
>
> It's the
>
> if pet.Owner == users.get_current_user()
>
> line which doesn't work - the .Owner is a reference property which
> doesn't match the "get_current_user()"
>
> I can't figure out how to get the User at the same time (an inner join I
> guess)
>
> I'd be most grateful for any pointers...
>
> Best,
> Geoff
>
> On 1 November 2010 01:33, Robert Kluin <[email protected]> wrote:
>> I do not necessarily see anything wrong with checking the user is the
>> actual owner after fetching the pet. Particularly since you seem to
>> require a user be logged in to fetch a pet. You could add some type
>> of logging to record events where a user tries to select a pet they do
>> not own. If a user makes too many such requests cut off their access.
>>
>> Another option, if a pet's owner can _not_ change, is to make user
>> pet's parent. You could ensure users can only view pets they own by
>> building the key (which contains user and the id). If there are
>> relatively few pets per owner this may be an OK option.
>>
>> You could also do a query instead of a get. The query adds some
>> overhead for successful retrievals, but it lets you filter bad
>> requests before fetching the entity.
>>
>> It really depends on the specifics of the actual use case, how many
>> pets owners can have, if they can be transferred, and if you have many
>> users that are likely to be malicious, etc....
>>
>> Robert
>>
>> On Sun, Oct 31, 2010 at 18:57, Geoff Parkhurst
>> <[email protected]> wrote:
>>> Hi all... I've added the following to my model:
>>>
>>> class User(db.Model):
>>>     GoogleAccount = db.UserProperty()
>>>     LastLogin = db.DateTimeProperty(auto_now=True)
>>>
>>> class Pet(db.Model):
>>>     Owner = db.ReferenceProperty(User, collection_name='pets')
>>>     PetName = db.StringProperty()
>>>
>>> My URLs are trying to look something like this:
>>>
>>> /pets -> list view of all my pets
>>> /pets/([0-9]+) -> single pet view
>>>
>>> I've got the list working, but the single pet view is causing me
>>> problems. The digits at the end of the url are the id of the pet, and
>>> I need to make sure when viewing the pet in question, it's the right
>>> user trying to access it.
>>>
>>> If I just do: pet=models.Pet.get_by_id(int(PetId)), anyone could hack
>>> the URL and see the details of any pet.
>>>
>>> I'm then trying to do something like this: if pet.Owner ==
>>> users.get_current_user() but am not getting anywhere.
>>>
>>> Is there a way to get the current_user into the models.Pet.get_by_id()
>>> query as a parameter? Have I gone down the wrong path trying to use
>>> the id in the URL (should I have used the key? - makes for an uglier
>>> looking URL!)
>>>
>>> Many thanks again,
>>> Geoff
>>>
>>> On 5 October 2010 23:15, Geoff Parkhurst <[email protected]> wrote:
>>>> On 5 October 2010 22:30, Robert Kluin <[email protected]> wrote:
>>>>> Are you saying that your query works, but it is returning a list
>>>>> instead of a single instance?
>>>>>
>>>>> If maybe this is what you want?
>>>>>
>>>>> user = User.all().filter('GoogleAccount',
>>>>>                          users.get_current_user()).get()
>>>>> if not user:
>>>>>     # make a new user or something
>>>>>     pass
>>>>
>>>> Many thanks Robert - works a treat.
>>>> Regards,
>>>> Geoff

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
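
An added example, not part of the original thread: a plain-Python sketch of the denormalized ownership check together with the log-and-cut-off idea from the earlier reply. The `PETS` dict, `get_pet_for`, `MAX_DENIALS` and the exception names are assumptions standing in for the datastore and request handler; none of them are App Engine APIs.

```python
import logging
from collections import Counter
from dataclasses import dataclass

log = logging.getLogger("pets.access")
MAX_DENIALS = 3        # assumed threshold; tune per application
denials = Counter()    # account id -> denied lookups (in-memory stand-in)

@dataclass(frozen=True)
class Pet:
    pet_id: int
    name: str
    owner_account: str  # denormalized copy of the owner's account id

# Constructed sample data standing in for the datastore.
PETS = {1: Pet(1, "Rex", "alice"), 2: Pet(2, "Tom", "bob")}

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def get_pet_for(account, pet_id):
    """Return the pet only if `account` owns it; log and count refusals."""
    if denials[account] >= MAX_DENIALS:
        raise Forbidden("too many denied lookups")
    pet = PETS.get(pet_id)
    # Compare like with like: the caller's account id against the account id
    # stored on the pet, not a User entity against an account object.
    if pet is None or pet.owner_account != account:
        if pet is not None:
            denials[account] += 1
            log.warning("account %s requested pet %d owned by another user",
                        account, pet_id)
        # Same answer for "missing" and "not yours" so ids cannot be probed.
        raise NotFound(pet_id)
    return pet
```

In a real handler `account` would come from the authenticated session, never from the URL, and the denial counter would live in shared storage rather than process memory.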
