
Worries About Django's Content-Type Security

I'm starting to use Django's Content-Type to allow the decoupling of the various apps in my project and I've been liking it a lot. But something worries me: security.

The way I'm using it is passing, via GET, the parameters content_type and object_id. For now it's enough, since everything is publicly available on my site anyway.

But it worries me, when thinking about the private section of my site, the possibility of one user changing the URL to access another's information. I thought of many options to try to avoid this problem, but I'm not sure. Passing this in POST rather than GET seems the first thing that could be done, but that would only circumvent the real problem. Also, I thought of testing the logged-in user for permissions, but since I'm dealing with generic relationships it is not obvious what type of test is needed to check the permission. Maybe something using cookies, or context variables...

So, I thought of asking how you guys use Content-Type for these cases. I'm really missing some good examples of how to use this awesome feature in a proper manner.

Any help?

The answer greatly depends on your model and application. How exactly are you using the content-type framework?

Generally speaking, it's recommended to have an additional abstraction layer which controls the use of the content-type framework.

Example

Let me construct an example. Let's say you have these models: Portal, Cube and Cake. Portal and Cube are public, whereas Cake is private for users with specific permissions.

As far as I understood you, your approach is something like this:

# gets called via GET with parameters content_type_id and object_id
from django.contrib.contenttypes.models import ContentType
from django.http import HttpResponse

def modify_object(request, content_type_id, object_id):
    content_type = ContentType.objects.get_for_id(content_type_id)
    model_class = content_type.model_class()
    # nothing restricts which model class this resolves to, and nothing checks the user
    instance = model_class.objects.get(pk=object_id)
    # modify instance - could also be a "Cake"
    instance.save()
    return HttpResponse("modified")

This is vulnerable if you want to allow only certain types of object to be modified. You could add a check for the content_type, but that does not seem very sophisticated and cleverly designed.

Instead, I would go for a less generic approach. Define methods for each of the different tasks on your models you want to allow your users:

from django.contrib.auth.decorators import permission_required

from .models import Cake, Cube, Portal  # assumed location of the models


def create_portal(request, object_id):
    portal = Portal.objects.get(pk=object_id)
    # create the portal
    portal.save()

def carry_cube(request, object_id):
    # load, move the cube and save
    cube = Cube.objects.get(pk=object_id)
    cube.save()

@permission_required('cake.can_eat')
def eat_cake(request, object_id):
    # this will only be performed if the current user has the required permissions
    # load, eat the delicious cake and save
    cake = Cake.objects.get(pk=object_id)
    cake.save()

Hopefully that information is helpful. With more input from your side it's easier to give a more detailed answer.
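The answer above contrasts the unchecked generic view with per-model views, and mentions in passing that a check on the content type is possible. The following is an added example, not code from the question or the answer, showing what such a check looks like when it is done properly: an explicit allowlist of model classes the generic view may resolve, a model-level permission per class, and an object-level ownership check. It is written without Django so it runs stand-alone; `CONTENT_TYPES` and `OBJECTS` are constructed stand-ins for `ContentType.objects.get_for_id()` and `Model.objects.get(pk=...)`, the `Portal`, `Cube` and `Cake` classes and the sample users are constructed data, and the names `ALLOWED_MODELS`, `load_object`, `can_modify` and `access_outcome` are assumptions of this example.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller may not touch the requested object."""


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        return perm in self.perms


# Constructed stand-ins for the three Django models from the answer.
@dataclass
class Portal:
    pk: int
    owner: str
    name: str


@dataclass
class Cube:
    pk: int
    owner: str
    position: int


@dataclass
class Cake:
    pk: int
    owner: str
    flavour: str


# Stand-in for ContentType.objects.get_for_id(): content_type_id -> model class.
CONTENT_TYPES = {1: Portal, 2: Cube, 3: Cake}

# Stand-in for Model.objects.get(pk=...), holding constructed sample rows.
OBJECTS = {
    Portal: {10: Portal(10, "alice", "front door")},
    Cube: {20: Cube(20, "alice", 0)},
    Cake: {30: Cake(30, "bob", "chocolate")},
}

# Allowlist (assumed name): the only model classes the generic view may resolve,
# each paired with the model-level permission it requires. Cake is deliberately
# absent, so a content_type_id pointing at it is rejected before any lookup.
ALLOWED_MODELS = {
    Portal: "portal.change_portal",
    Cube: "cube.change_cube",
}

# Constructed sample users: bob holds the Portal permission but owns no portal.
ALICE = User("alice", {"portal.change_portal", "cube.change_cube"})
BOB = User("bob", {"portal.change_portal", "cake.can_eat"})


def load_object(content_type_id, object_id):
    """Resolve (content_type_id, object_id), but only for allowlisted types."""
    try:
        model_class = CONTENT_TYPES[int(content_type_id)]
    except (KeyError, ValueError):
        raise PermissionDenied("unknown content type")
    if model_class not in ALLOWED_MODELS:
        raise PermissionDenied("content type not permitted for this view")
    try:
        return model_class, OBJECTS[model_class][int(object_id)]
    except (KeyError, ValueError):
        raise LookupError("object not found")


def can_modify(user, model_class, instance):
    """Model-level permission plus an object-level ownership check."""
    return user.has_perm(ALLOWED_MODELS[model_class]) and instance.owner == user.username


def access_outcome(user, content_type_id, object_id):
    """Classify a request as ok / denied / missing without modifying anything."""
    try:
        model_class, instance = load_object(content_type_id, object_id)
    except PermissionDenied:
        return "denied"
    except LookupError:
        return "missing"
    return "ok" if can_modify(user, model_class, instance) else "denied"


def modify_object(user, content_type_id, object_id, **changes):
    """Hardened counterpart of the generic view quoted in the answer."""
    model_class, instance = load_object(content_type_id, object_id)
    if not can_modify(user, model_class, instance):
        raise PermissionDenied(f"{user.username} may not modify {model_class.__name__} {object_id}")
    for name, value in changes.items():
        setattr(instance, name, value)
    return instance


if __name__ == "__main__":
    print(access_outcome(ALICE, "1", "10"))   # ok: allowlisted type, permission, owner
    print(access_outcome(BOB, 3, 30))         # denied: Cake is not allowlisted at all
    print(access_outcome(BOB, 1, 10))         # denied: permission held, but not the owner
```

The two checks do different jobs: the allowlist decides which tables the generic view may reach at all, and fails closed for unknown or malformed ids, while `can_modify` decides whether this user may touch this row, which is the gap that tampering with `object_id` in the URL exploits. In a real Django view the same shape applies with `ContentType.objects.get_for_id()` in place of `CONTENT_TYPES`, `request.user.has_perm()` in place of `User.has_perm`, and `raise PermissionDenied` producing a 403.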
