I appreciate that web2py has ways to handle this, and I also agree that it's somewhat hackish. The problem remains, though, that we're still exposing (publishing) internal primary keys to the browser. Isn't the main problem the fact that we're dealing with primary key values being sent to the
I strongly disagree with this.
Publishing record IDs does not imply indirect object reference
vulnerability. Any application that publishes record information must have
a way to reference individual records. If the individual access is not
validated then the app is vulnerable to indirect
Thanks, Massimo.
Re. needing a way to reference individual records: of course. But it
doesn't have to be the internal record id (primary key value). The php code
we used gave out unique-per-request values so that one couldn't, say, use a
key retrieved from one form in another form.
The @auth
In some sense the grid does what you say.
For example:
@auth.requires_login()
def index():
    db.define_table('thing', Field('name'), auth.signature)
    grid = SQLFORM.grid(db.thing.created_by == auth.user_id)
    return locals()
Notice all the URLs linked by the grid are digitally signed.
I guess I need to look into the auth.signature functionality. We
already had our grid conditional be db.pages.stores_id=STORE_INFO.id but
we were able to edit Store 1's page while logged into Store 2's
administration area, just by changing the ID in the URL. Are you saying
that
I only talk for 2.0.x.
Yes. That is prevented with the default user_signature=True.
If you disable user signature with user_signature=False then you expose
yourself to major security risks and may expose the entire database.
user_signature = False should only be used for testing or if you
I should add that if user_signature=False the tables are always exposed in
readonly mode: SQLFORM.grid(..,editable=False, create=False,
deletable=False)
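As an added illustration (not web2py's own code, which derives its signatures differently; the secret, table data, user-to-store mapping and URL layout below are constructed), this shows the two layers discussed in this thread: a per-user digital signature on the grid's edit links, which is what user_signature=True gives you, plus the tenant ownership check that Bruno's snippet performs. Changing the id in the URL breaks the signature, and a link copied from another store's admin fails because the signature is bound to the user.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a server-side secret (never a literal in real code).
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

# Constructed sample data standing in for db.pages and the STORE_DETAILS lookup.
PAGES = {
    1: {"id": 1, "stores_id": 1, "title": "Store 1 home"},
    2: {"id": 2, "stores_id": 2, "title": "Store 2 home"},
}
USER_STORE = {10: 1, 20: 2}  # user id -> the store that user administers


def sign_action(action, record_id, user_id):
    """HMAC over (action, record id, user id): valid for one user and one record only."""
    message = f"{action}|{record_id}|{user_id}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def grid_edit_url(record_id, user_id):
    """The edit link a grid would emit for this user, signature included."""
    signature = sign_action("edit", record_id, user_id)
    return f"/admin/pages/edit/pages/{record_id}?_signature={signature}"


def parse_edit_url(url):
    """Recover (record_id, signature) from an incoming edit URL."""
    parts = urlsplit(url)
    record_id = int(parts.path.rstrip("/").split("/")[-1])
    signature = parse_qs(parts.query).get("_signature", [""])[0]
    return record_id, signature


def authorize_edit(user_id, record_id, signature):
    """Layer 1: signature must match this user and this record (catches URL tampering
    and links reused by another user). Layer 2: the record must belong to the
    user's store (catches any reference that is valid but cross-tenant)."""
    expected = sign_action("edit", record_id, user_id)
    if not hmac.compare_digest(expected, signature):
        return False
    page = PAGES.get(record_id)
    return page is not None and page["stores_id"] == USER_STORE.get(user_id)
```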
On Friday, 7 September 2012 14:50:56 UTC-5, Massimo Di Pierro wrote:
Ahhh; thanks for pointing that out. I had breezed over the mention about
digitally signed (my fault). Makes sense. I'll have to think about the
public db keys. Using them through web2py seems to be handled, though.
Thanks again.
Michael
On Friday, September 7, 2012 1:39:47 PM UTC-6, Massimo
Anyway, thank you for bringing out security issues. It is very important for
web2py. The more people look at it from the security point of view, the
better.
On Friday, 7 September 2012 15:33:11 UTC-5, MichaelF wrote:
How about http://web2py.com/books/default/chapter/29/06#Common-filters or
http://web2py.com/books/default/chapter/29/06#Common-fields-and-multi-tenancy
?
Anthony
On Wednesday, September 5, 2012 8:48:49 PM UTC-4, Kevin C wrote:
Basically, we are generating a SQLFORM.grid with the following code:
db.pages.stores_id.default = STORE_DETAILS.id
query = ((db.pages.stores_id == STORE_DETAILS.id))
form = SQLFORM.grid(query=query)
return dict(form=form)
This is working perfectly fine for us. However, we have
You can do:
if request.args(0) in ['edit', 'delete']:
    STORE_DETAILS.id == int(request.args(2)) or redirect(URL('default', 'wherever'))
db.pages.stores_id.default = STORE_DETAILS.id
query = ((db.pages.stores_id == STORE_DETAILS.id))
form = SQLFORM.grid(query=query)
We did something similar but it feels very hackish, considering it has
to be done in every method of the admin controller. I just wanted to
see if there was a better way.
Thank you.
Kevin Cackler
Tech Daddies
501-205-1512
http://www.techdaddies.com
On 9/5/2012 7:45 PM, Bruno Rocha wrote: