On Tuesday, August 30, 2011 1:31:56 PM UTC-4, Anthony wrote:
>
>
> Yes. In general, you can take one of two approaches (or some combination):
>
> - Be selective about which generic_patterns you enable for which
> specific requests -- only enable the specific generic views you need for
> specific functions.
> - Make sure your controller functions return only the variables and
> database records and fields that you are comfortable exposing to the
> public
> via generic views (i.e., don't return anything to the view that is not
> needed or is needed only conditionally for some authorized users). For
> example, in the view, don't do something like {{if auth.user:}}{{show
> some sensitive data returned by the controller action}} -- a generic
> view will expose the sensitive data because it won't check for auth.user.
>
> I should add that because it's fairly easy to slip up regarding the second
approach, it's probably wise to rely more on the first approach (i.e., be
explicit whenever you are enabling a generic view).
Anthony
