Anyone is able to delete or update other's post through url


Gaurav Sahu
Jun 23, 2019, 9:54:29 AM
to Django users
Hi, I am developing a Django blog application. In this application, I have a PostEdit view to edit a post and a delete post view to delete a post. These operations should only be performed by the user who created that post. I used the delete view as a function-based view and the edit view as a CBV. Now what is happening is that any user is able to delete or edit others' posts through the URL. In my delete post view, since it is a function-based view, I have used an if condition to prevent another user from deleting someone else's post. But since for post edit I am using a CBV, I am not able to find a way to prevent a user from editing someone else's post.
So how can I prevent another user from editing someone else's post?


from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin
from django.shortcuts import get_object_or_404, redirect
from django.views.generic import UpdateView

from .forms import PostForm  # assumed app-relative import paths
from .models import Post


class PostUpdateView(LoginRequiredMixin, UpdateView):
    # LoginRequiredMixin only requires that *a* user is logged in; nothing
    # here checks that the logged-in user is the post's author, so any user
    # who knows the slug can load and submit this form for someone else's
    # post (and form_valid below then rewrites the author to the submitter).
    model = Post
    template_name = 'blog/post_form.html'
    form_class = PostForm

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        context['title'] = 'Update'
        return context

    def form_valid(self, form):
        form.instance.author = self.request.user
        # UpdateView.form_valid() saves the form itself; an explicit
        # form.save() here would only save it a second time.
        return super().form_valid(form)


@login_required
def post_delete(request, slug):
    post = get_object_or_404(Post, slug=slug)
    # Function-based view: the ownership check is an explicit comparison.
    if request.user == post.author:
        post.delete()
        return redirect('blog:post_list')
    else:
        return redirect('blog:post_detail', slug=slug)





Brandon Rosenbloom
Jun 24, 2019, 10:38:06 AM
to Django users
I’m kind of new to this as well but figured I would take a stab at this. It seems to me that if you wanted to prevent users from deleting posts that weren’t theirs, the appropriate course of action would be to simply remove their ability to access the delete method in the first place. I would recommend placing logic in the front end that only shows the delete option to logged in users who are the original authors of the post.

Aldian Fazrihady
Jun 24, 2019, 11:09:26 AM
to django...@googlegroups.com
I would implement a get_queryset method that filters blog posts by author=self.request.user

Regards, 

Aldian Fazrihady

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/9b38d4e0-a30a-43ed-9af6-6c9ac545024f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Gaurav Sahu
Jun 24, 2019, 11:24:13 AM
to Django users
Thanks, it works. Also, other people are able to access the draft posts' detail view through the URL. I thought of a solution where I would provide only the list of drafts, and if the user clicks on one it will take them to the edit page of that post. But I am not able to implement this.
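As an added illustration (not code from the thread), here is a framework-free model of why Aldian's get_queryset() suggestion closes the hole, and how the same queryset scoping answers the draft detail-view question in the follow-up: Django's UpdateView, DeleteView and DetailView look the object up inside get_queryset(), so a post that is not in the queryset is a 404 rather than an editable object. The `Post`, `POSTS`, `Http404` and helper names below are stand-ins constructed for the example, not Django's own.

```python
from dataclasses import dataclass
from typing import Callable, List

class Http404(Exception):
    pass  # stands in for django.http.Http404

@dataclass(frozen=True)
class Post:
    slug: str
    author: str
    published: bool = True

# Constructed sample data (not from the thread): two authors, one draft.
POSTS: List[Post] = [
    Post("hello-world", author="alice"),
    Post("my-draft", author="alice", published=False),
    Post("bobs-post", author="bob"),
]

def get_object(queryset: List[Post], slug: str) -> Post:
    # Mirrors SingleObjectMixin.get_object(): the slug is looked up only
    # inside the queryset the view returned; anything else is a 404.
    for post in queryset:
        if post.slug == slug:
            return post
    raise Http404(slug)

def unscoped_queryset(request_user: str) -> List[Post]:
    # The original PostUpdateView: every post is reachable, so any
    # logged-in user can edit or delete any slug they know.
    return list(POSTS)

def author_scoped_queryset(request_user: str) -> List[Post]:
    # Aldian's fix for edit/delete: only the requester's own posts exist.
    return [p for p in POSTS if p.author == request_user]

def detail_queryset(request_user: str) -> List[Post]:
    # Same idea for the detail view: published posts are public, drafts
    # are visible only to their author.
    return [p for p in POSTS if p.published or p.author == request_user]

def can_access(qs_fn: Callable[[str], List[Post]], user: str, slug: str) -> bool:
    # True if the view would serve the object, False if it would 404.
    try:
        get_object(qs_fn(user), slug)
    except Http404:
        return False
    return True
```

In Django itself the scoped version is `Post.objects.filter(author=self.request.user)` returned from get_queryset() on the update and delete views; the detail variant ORs the published condition and the author condition with Q objects so anonymous readers still see published posts.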

Kasper Laudrup
Jun 24, 2019, 12:11:46 PM
to Django users
Hi Brandon,

On June 24, 2019 4:35:45 PM GMT+02:00, Brandon Rosenbloom <brandonr...@gmail.com> wrote:
>I would recommend placing logic in the front end that only shows
>the delete option to logged in users who are the original authors of
>the post.

That would be good for usability (don't give the user options that she cannot use), but is definitely not good enough in terms of security.

Any slightly competent attacker would still be able to delete the post. Rule #0 in security is never to trust the client.

I might have misunderstood you though, just thought this was important to point out.

Kind regards,

Kasper

Jarret Minkler
Jun 24, 2019, 1:15:09 PM
to django...@googlegroups.com
Relying on the front end is not a secure solution. 

On Mon, Jun 24, 2019 at 10:37 AM Brandon Rosenbloom <brandonr...@gmail.com> wrote:
I’m kind of new to this as well but figured I would take a stab at this. It seems to me that if you wanted to prevent users from deleting posts that weren’t theirs, the appropriate course of action would be to simply remove their ability to access the delete method in the first place. I would recommend placing logic in the front end that only shows the delete option to logged in users who are the original authors of the post.



--
Jarret Minkler