
Worries About Django's Content-Type Security

I'm starting to use Django's Content-Type to allow the decoupling of the various apps in my project and I've been liking it a lot. But something worries me: security.

The way I'm using it is passing the parameters content_type and object_id via GET. For now, it's enough, since everything is publicly available on my site anyway.

But what worries me, when thinking about the private section of my site, is the possibility of one user changing the URL to access another's information. I thought of many options to try to avoid this problem, but I'm not sure. Passing this in POST rather than GET seems the first thing that could be done, but that would only circumvent the real problem. Also, I thought of testing the logged-in user for permissions, but since I'm dealing with generic relationships it is not obvious what type of test is needed to authenticate the permission. Maybe something using cookies, or context variables...

So, I thought of asking how you guys use Content-Type for these cases. I'm really missing some good examples of how to use this awesome feature in a proper manner.

Any help?

The answer greatly depends on your model and application. How exactly are you using the content-type framework?

Generally speaking, it's recommended to have an additional abstraction layer which controls the use of the content-type framework.

Example

Let me construct an example. Let's say you have these models: Portal, Cube and Cake. Portal and Cube are public, whereas Cake is private for users with specific permissions.

As far as I understood you, your approach is something like this:

from django.contrib.contenttypes.models import ContentType
from django.http import HttpResponse

# gets called via GET with parameters content_type_id and object_id
def modify_object(request, content_type_id, object_id):
    # any registered content type can be resolved here, not just the public ones
    content_type = ContentType.objects.get_for_id(content_type_id)
    model_class = content_type.model_class()
    instance = model_class.objects.get(pk=object_id)
    # modify instance - could also be a "Cake"
    instance.save()
    return HttpResponse("modified")

This is vulnerable if you want to allow only certain types of object to be modified. You could add a check for the content_type, but that does not seem very sophisticated and cleverly designed.

Instead, I would go for a less generic approach. Define methods for each of the different tasks on your models that you want to allow your users:

from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse
from myapp.models import Cake, Cube, Portal  # assumed app label for the three models

def create_portal(request, object_id):
    portal = Portal.objects.get(pk=object_id)
    # create the portal
    portal.save()
    return HttpResponse("portal created")

def carry_cube(request, object_id):
    # load, move the cube and save
    cube = Cube.objects.get(pk=object_id)
    cube.save()
    return HttpResponse("cube carried")

@permission_required('cake.can_eat')
def eat_cake(request, object_id):
    # this will only be performed if the current user has the required permissions
    # load, eat the delicious cake and save
    cake = Cake.objects.get(pk=object_id)
    cake.save()
    return HttpResponse("cake eaten")

Hopefully that information is helpful. With more input from your side it's easier to give a more detailed answer.
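The abstraction layer the answer recommends, written out as an added example that is not part of the original answer or of Django itself: a generic endpoint still takes content_type and object_id from the query string, but only content types listed in an allowlist can be reached, each entry names the permission it requires, and private objects are additionally checked for ownership so that editing the object_id in the URL cannot reach another user's record. Small dataclasses stand in for Django's ContentType registry, model managers and User.has_perm so the code runs without Django; the app labels, model names, the permission codename bakery.can_eat, the owner field and the sample records are constructed assumptions.

```python
"""Allowlisted dispatch over generic (content_type, object_id) request parameters.

Added example, not code from the original answer or from Django: dataclasses
stand in for Django's ContentType registry, model managers and User.has_perm
so the pattern runs without Django installed.
"""
from dataclasses import dataclass


class NotAllowed(Exception):
    """The content type is not one this endpoint is willing to touch."""


class PermissionDenied(Exception):
    """The caller lacks the permission or ownership the rule requires."""


@dataclass
class User:
    username: str
    perms: frozenset = frozenset()

    def has_perm(self, perm: str) -> bool:
        # same call shape as django.contrib.auth's User.has_perm
        return perm in self.perms


@dataclass
class Portal:
    id: int
    name: str


@dataclass
class Cake:
    id: int
    owner: str  # assumed field: username of the cake's owner


# Constructed stand-in for the database, keyed like ContentType's
# (app_label, model) natural key.
DB = {
    ("portals", "portal"): {1: Portal(1, "blue"), 2: Portal(2, "orange")},
    ("bakery", "cake"): {7: Cake(7, owner="alice")},
}

# The abstraction layer: only these content types may be reached through the
# generic endpoint, each with the permission codename it requires and whether
# the caller must own the object. Anything absent here is refused outright.
ALLOWED = {
    ("portals", "portal"): {"perm": None, "owner_only": False},
    ("bakery", "cake"): {"perm": "bakery.can_eat", "owner_only": True},
}


def load_target(content_type_key, object_id, user):
    """Resolve an (app_label, model) key and id to an object the user may modify."""
    rule = ALLOWED.get(content_type_key)
    if rule is None:
        raise NotAllowed(f"{content_type_key} is not exposed by this endpoint")
    if rule["perm"] and not user.has_perm(rule["perm"]):
        raise PermissionDenied(f"{user.username} lacks {rule['perm']}")
    obj = DB.get(content_type_key, {}).get(object_id)
    if obj is None:
        raise LookupError(f"no {content_type_key} with id {object_id}")
    if rule["owner_only"] and getattr(obj, "owner", None) != user.username:
        # valid id, but it belongs to someone else: the URL-tampering case
        raise PermissionDenied(f"{user.username} does not own {content_type_key} {object_id}")
    return obj


def handle_modify(query, user):
    """Simulated view over GET parameters. Returns (status, obj) where status is
    'ok', 'bad-request', 'not-allowed', 'forbidden' or 'not-found'."""
    ct = query.get("content_type", "")
    oid = query.get("object_id", "")
    # validate the untrusted strings before they reach any lookup
    if ct.count(".") != 1 or not oid.isdigit():
        return ("bad-request", None)
    key = tuple(ct.split("."))
    try:
        obj = load_target(key, int(oid), user)
    except NotAllowed:
        return ("not-allowed", None)
    except PermissionDenied:
        return ("forbidden", None)
    except LookupError:
        return ("not-found", None)
    return ("ok", obj)


if __name__ == "__main__":
    alice = User("alice", frozenset({"bakery.can_eat"}))
    print(handle_modify({"content_type": "bakery.cake", "object_id": "7"}, alice))
    print(handle_modify({"content_type": "auth.user", "object_id": "1"}, alice))
```

The allowlist is checked before the permission and the permission before the lookup, so a request for a content type the endpoint never exposes is refused without touching the database, and a caller without the permission learns nothing about which ids exist. In a real Django view the same structure maps onto ContentType.objects.get_by_natural_key(app_label, model), the model's manager and request.user.has_perm.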
