Question about form security.


Chen Xu

Feb 19, 2015, 5:49:28 PM
to django...@googlegroups.com
Hi
I am implementing a feature while building a website using Django. Basically, I want users to be able to update their usernames. All of a sudden, this question comes to me: if I have the user id (e.g. 1) somewhere in the form as a data attribute, and someone uses Firebug or something to change the data-userid to 2 and submits the form, this will result in user 2 getting updated, right?

What is the correct way to prevent this?

Thanks


--
⚡ Chen Xu

Mario Gudelj

Feb 19, 2015, 6:02:11 PM
to django...@googlegroups.com

Because the user must be logged in to update their username you can get the current user from the request. You don't need to have their id inside the form.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CACac-qZ-dOZqFCzS0U7LHWE6Q7HR9bapVfFbYqjawtVhWG5-MQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Chen Xu

Feb 19, 2015, 6:04:33 PM
to django...@googlegroups.com
What if I have two addresses, with ids 1 and 2, and I want to update 2? How should I distinguish 2 from 1? I mean, if I have the address id in the form, and someone modifies it from 2 to 1, that will update 1, right? How to prevent this?


--
⚡ Chen Xu

Carl Meyer

Feb 19, 2015, 6:16:50 PM
to django...@googlegroups.com
On 02/19/2015 04:03 PM, Chen Xu wrote:
> What if I have two addresses, with ids 1 and 2, and I want to update 2? How
> should I distinguish 2 from 1? I mean, if I have the address id in the form,
> and someone modifies it from 2 to 1, that will update 1, right? How to
> prevent this?

Your server-side code must handle all security-related validation, and
must assume that no data sent from the client can be trusted. So in this
case you describe, your server-side code must have some way to know
which address(es) the currently logged-in user has the authority to edit.

Usually in this type of case I would make the address ID being edited a
part of the URL, not a form parameter (because it's used to query the
instance being edited by the ModelForm), and I would perform the access
check at the very top of the view function, often returning a 404 if the
user should not have access to that address.

If for some reason the address ID must be in the form rather than a URL
parameter, you could pass `request.user` to the form and have the form
validation check that that user is permitted to edit the given address ID.

Carl
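As an added example (not code from the thread, and not Django itself): a plain-Python model of the server-side checks Carl describes, showing the vulnerable pattern from the question beside the hardened one. The Address class, sample_db and the owner_id field are assumptions; get_owned_address_or_404 stands in for what get_object_or_404(Address, pk=..., owner=request.user) would do in a real Django view.

```python
from dataclasses import dataclass

@dataclass
class Address:
    id: int
    owner_id: int   # the user who is allowed to edit this address
    street: str

class NotFound(Exception):
    pass   # stands in for Django's Http404

def sample_db():
    """Constructed sample data: user 1 owns addresses 1 and 2, user 2 owns 3."""
    return {
        1: Address(1, owner_id=1, street="1 First St"),
        2: Address(2, owner_id=1, street="2 Second St"),
        3: Address(3, owner_id=2, street="3 Third St"),
    }

def update_address_insecure(form_data, db):
    """Vulnerable pattern: the address id is read from the submitted form
    (e.g. a data-addressid attribute edited in the browser) and nobody checks ownership."""
    addr = db[int(form_data["addressid"])]
    addr.street = form_data["street"]
    return addr

def get_owned_address_or_404(db, address_id, current_user_id):
    """Lookup scoped to the logged-in user, like get_object_or_404(Address, pk=..., owner=request.user):
    someone else's id is indistinguishable from a non-existent one and yields a 404."""
    addr = db.get(address_id)
    if addr is None or addr.owner_id != current_user_id:
        raise NotFound(f"address {address_id} not found for user {current_user_id}")
    return addr

def update_address_secure(current_user_id, address_id, form_data, db):
    """Hardened view: address_id comes from the URL (a view argument, not the form),
    the access check runs first, and the form only supplies the editable fields."""
    addr = get_owned_address_or_404(db, address_id, current_user_id)
    addr.street = form_data["street"]   # trusted only after the ownership check
    return addr

def clean_address_form(form_data, current_user_id, db):
    """Carl's fallback when the id must stay in the form: validation (think ModelForm.clean
    with request.user passed in) rejects an id the current user does not own."""
    try:
        get_owned_address_or_404(db, int(form_data["addressid"]), current_user_id)
    except NotFound:
        return ["You do not have permission to edit this address."]
    return []
```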
