Django - Editing an existing record -
I have a question regarding this answer to the question "Editing an existing model record in Django".
If I have a view to edit a record like
    def edit(request, id): ...
could a malicious user alter the id in the action of the form to edit a record other than the one whose edit page they went to? In other words, why is it safe to set the id in the call to the view as opposed to passing the id through POST?
You seem to have missed part of the answer:

    from django.contrib.auth.decorators import login_required
    from django.http import HttpResponseForbidden
    from django.shortcuts import get_object_or_404
    from .models import Article  # assumed: the Article model lives in this app's models.py

    @login_required
    def edit(request, id=None, template_name='article_edit_template.html'):
        if id:
            # Load the record named in the URL, then verify that the
            # logged-in user actually owns it before going any further.
            article = get_object_or_404(Article, pk=id)
            if article.author != request.user:
                return HttpResponseForbidden()
        else:
            article = Article(author=request.user)
        # (form handling for `article` continues here; not shown in the answer)

You can see the check to see if the logged-in user is the author of the post. If that is not the case, it returns HttpResponseForbidden.
As you rightly state, a user could alter the id in the URL and attempt to view the edit page of a different record; it is your responsibility to make sure that only the right user can edit the post.
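As an added illustration (not code from the question or the answer, and not Django itself), the following simulates the ownership check above with plain-Python stand-ins for `Article`, `get_object_or_404` and the request object, and puts it next to a view that takes the record to edit from a hidden `id` form field with no owner check. The users, articles, `edit_trusting_post` and `demo` are constructed for the example; only `edit` mirrors the answer's view, returning an HTTP status code instead of a response object.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Article:
    pk: int
    author: User
    title: str


class Http404(Exception):
    """Stand-in for django.http.Http404."""


# Constructed sample data: two users, each owning one article.
ALICE = User("alice")
BOB = User("bob")
ARTICLES: Dict[int, Article] = {
    1: Article(1, ALICE, "alice original"),
    2: Article(2, BOB, "bob original"),
}


def get_object_or_404(pk: int) -> Article:
    """Stand-in for django.shortcuts.get_object_or_404(Article, pk=pk)."""
    try:
        return ARTICLES[pk]
    except KeyError:
        raise Http404(f"no Article with pk={pk}")


@dataclass
class Request:
    """Stand-in for the parts of django.http.HttpRequest the views read."""
    user: User
    method: str = "GET"
    POST: Dict[str, str] = field(default_factory=dict)


def edit(request: Request, id: Optional[int] = None) -> int:
    """The answer's pattern: the id comes from the URL, the record is loaded,
    and its author is compared with request.user before anything is saved."""
    if id is not None:
        try:
            article = get_object_or_404(id)
        except Http404:
            return 404
        if article.author != request.user:
            return 403  # HttpResponseForbidden in the real view
    else:
        article = Article(pk=max(ARTICLES) + 1, author=request.user, title="")
    if request.method == "POST":
        # Only the URL-selected, ownership-checked article is written.
        # An "id" field smuggled into the POST body is simply ignored.
        article.title = request.POST.get("title", article.title)
        ARTICLES[article.pk] = article
    return 200


def edit_trusting_post(request: Request) -> int:
    """Hypothetical contrast: the record is chosen by a hidden form field and
    nobody checks who owns it, so any logged-in user can edit any record."""
    if request.method != "POST":
        return 405
    try:
        article = get_object_or_404(int(request.POST["id"]))
    except (KeyError, ValueError):
        return 400
    except Http404:
        return 404
    article.title = request.POST.get("title", article.title)
    return 200


def demo() -> Dict[str, object]:
    """Run both views against constructed requests and report the outcomes."""
    results: Dict[str, object] = {}
    # Bob posts to /edit/1 (Alice's article): refused by the owner check.
    results["bob_edits_1_checked"] = edit(Request(BOB, "POST", {"title": "pwned"}), id=1)
    # Bob posts to his own /edit/2 but puts id=1 in the form body: the body
    # field is ignored, his article changes, Alice's does not.
    results["bob_smuggles_id_checked"] = edit(
        Request(BOB, "POST", {"id": "1", "title": "bob edited"}), id=2)
    results["article1_after_checked"] = ARTICLES[1].title
    results["article2_after_checked"] = ARTICLES[2].title
    # The same smuggled id against the unchecked view rewrites Alice's article.
    results["bob_smuggles_id_unchecked"] = edit_trusting_post(
        Request(BOB, "POST", {"id": "1", "title": "pwned"}))
    results["article1_after_unchecked"] = ARTICLES[1].title
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the answer makes is visible in the two `article1_after_*` results: with the check, where the id travels (URL or POST body) does not matter, because the record is selected once from the URL and refused unless `article.author == request.user`; without the check, whichever field the view trusts becomes the attacker's choice of victim record.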
django django-views