Django Smart Selects - What does 'models world readable' mean??

[Mark Phillips]

I need to chain some select boxes in my admin forms to make data input less error-prone and easier. There are quite a few projects like django-smart-selects out there, but django-smart-selects seems to be quite easy to implement. However, I don't understand the implications of the warning for django-smart-selects - 

Warning: The AJAX endpoint enforces no permissions by default. This means that any model with a chained field will be world readable.

I searched the django documentation for some insights, and did not come up with anything. 

Could someone explain in more detail the issue with a world readable model? In what situations would it be irrelevant and in what situations would it be a huge security risk?

Thanks!

Mark

[Jani Tiainen]

It means that there are no permission checks implied on models - so data you expose to select fields are readable by anyone for example by using curl tool.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAEqej2OQkZH6OAnrXPW-EjagbtcC3p2bvi5F4-Kt1PcfuShUSQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.