Best Practices URL Patterns


davidt

Jul 6, 2016, 10:09:59 AM
to Django users
I am looking for advice with regard to the following:

I have a model which has as part of the structure these two fields

job_id = models.AutoField(primary_key=True)
job_reference = ShortUUIDField()  # separate field: chaining "= job_id =" here would overwrite the AutoField

My question is: if I include the job_id in the URL, which is public facing, then it is easy to guess the rest of the URLs within the site.
Because there are a number of items that will have the same URL structure, and are posted on the same day, using the id is what makes them unique.

My question is: is this the right way to proceed, or is there a better alternative?

Thanks in advance

William Caruso

Jul 6, 2016, 11:47:43 AM
to Django users
As far as putting the ID into the URL, I would suggest not. Even though the ID is secure and anonymous, Django's URLs allow for much better ways to determine a user and put them on a page. What is your purpose for using the ID in the URL?

Avraham Serour

Jul 6, 2016, 12:58:58 PM
to django-users
If not the id, what do you suggest then?
Is this a general rule for you, or do you apply this only for users?


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d39d267b-cdfc-45e8-9065-2c8521a8213f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

David Turner

Jul 6, 2016, 1:46:25 PM
to django...@googlegroups.com
As far as putting the id in the URL, it was a way of distinguishing the job from others. As I said, a number of listings will be made on the same day with exactly the same content with regard to the title. My thoughts therefore were that if the id plus the title were included in the URL then this would distinguish them. If this is not a good idea then any suggestions would be welcomed as to alternatives.

Thanks


ludovic coues

Jul 6, 2016, 4:19:12 PM
to django...@googlegroups.com
You want a value to identify a specific job, different from the
job_id, to put in the url.
I would add a slug field in the model and use that.

The slug could be derived from the job title, maybe concatenated with a
UUID for uniqueness, or simply a UUID different from the id.

If you are using views based on generic.DetailView, set the url to
something like r'^job/(?P<slug>[\w-]+)/$' and job done. If the slug
field isn't named slug, don't forget to set slug_field to the correct
name.






Alex Heyden

Jul 6, 2016, 8:34:40 PM
to django...@googlegroups.com
Primary keys as URL parameters are considered a security vulnerability by OWASP (https://www.owasp.org/index.php/Forced_browsing) and may affect how your code is viewed after an audit.

Consider instead how sites like Reddit handle this. The URL of a comments page has a human-readable slug at the end for increased usability, but the actual page is keyed to a hash value. Some sites take this a step further and require the slug and the hash to match to further limit forced browsing.
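An added example, not code from this thread or from Django itself, that combines ludovic's slug-plus-UUID suggestion with the reference-and-slug-must-match scheme Alex describes. It is plain Python so it runs without Django: secrets.token_urlsafe stands in for ShortUUIDField, a dataclass for the model, a compiled regex for the URL pattern and a NotFound exception for Http404. The Job class, the path layout /job/<reference>/<slug>/ and the two sample listings are constructed for illustration.

```python
import re
import secrets
import unicodedata
from dataclasses import dataclass, field


def slugify(title: str) -> str:
    """Human-readable slug: lowercase ASCII letters, digits and hyphens.
    Same shape as django.utils.text.slugify produces for ASCII titles."""
    ascii_title = unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode("ascii")
    cleaned = re.sub(r"[^\w\s-]", "", ascii_title).strip().lower()
    return re.sub(r"[-\s]+", "-", cleaned).strip("-")


def new_reference() -> str:
    """Unguessable public identifier: 128 bits from the OS CSPRNG encoded as
    22 URL-safe base64 characters. Stands in for ShortUUIDField (assumption);
    what matters is the entropy, not the encoding."""
    return secrets.token_urlsafe(16)


@dataclass
class Job:
    job_id: int                      # sequential AutoField pk: stays internal, never in a URL
    title: str
    reference: str = field(default_factory=new_reference)

    @property
    def slug(self) -> str:
        return slugify(self.title)


# The reference is the lookup key; the slug is cosmetic but must agree with it.
# Both parts satisfy the [\w-]+ character class used earlier in the thread.
JOB_URL = re.compile(r"^/job/(?P<reference>[\w-]+)/(?P<slug>[\w-]+)/$")


def job_url(job: Job) -> str:
    return f"/job/{job.reference}/{job.slug}/"


class NotFound(Exception):
    """Stands in for django.http.Http404."""


def index_by_reference(jobs: list[Job]) -> dict[str, Job]:
    return {job.reference: job for job in jobs}


def resolve_job(path: str, jobs: dict[str, Job]) -> Job:
    """Resolve a request path to a Job. An unknown reference, or a slug that
    does not match the job's current title, both fail closed with NotFound:
    guessing a plausible slug gets an attacker nowhere without the reference."""
    match = JOB_URL.match(path)
    if match is None:
        raise NotFound(path)
    job = jobs.get(match["reference"])
    if job is None or job.slug != match["slug"]:
        raise NotFound(path)
    return job


def resolves(path: str, jobs: dict[str, Job]) -> bool:
    """Convenience wrapper: does this path reach a job at all?"""
    try:
        resolve_job(path, jobs)
        return True
    except NotFound:
        return False


def sample_jobs() -> list[Job]:
    """Constructed sample data: two listings posted the same day with an
    identical title, the situation described in the original question."""
    return [
        Job(job_id=41, title="Senior Django Developer (Remote)"),
        Job(job_id=42, title="Senior Django Developer (Remote)"),
    ]


if __name__ == "__main__":
    for job in sample_jobs():
        # With the pk in the path these would be /job/41/... and /job/42/...;
        # with the reference, knowing one URL tells you nothing about the next.
        print(job.job_id, job_url(job))
```

Two practitioner caveats. First, an unguessable reference only stops enumeration of listings; it is not an access control. Anything that is not meant to be public still needs the view to check that the requester is allowed to see that object, however the URL was formed. Second, failing closed on a slug mismatch (as above) is stricter than what many sites do, which is to redirect to the canonical slug; the redirect is friendlier when titles get edited, the 404 gives away less.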

David Turner

Jul 7, 2016, 4:56:13 AM
to django...@googlegroups.com
I will read up on this. Many thanks for the advice.

Remco Gerlich

Jul 7, 2016, 6:04:08 AM
to django...@googlegroups.com
Why is it a problem if the URLs are guessable? In a vacuum, I would consider that a good thing.

Remco Gerlich

