
I have a question regarding this answer to a question about editing an existing model record with Django.

If you have a view to edit a record like

def edit(request, id):
...

could a malicious user change the id in the action of the form to edit a record other than the one whose edit page he initially went to? In other words, why is it safe to put the id in the call to the view as opposed to passing the id through POST?

Ben

1 Answer

You seem to have missed this part of the answer:

from django.contrib.auth.decorators import login_required
from django.http import HttpResponseForbidden
from django.shortcuts import get_object_or_404
from .models import Article  # assumed location of the Article model

@login_required
def edit(request, id=None, template_name='article_edit_template.html'):
    if id:
        # The id comes from the URL, so it is attacker-controlled:
        # look the record up, then verify the requester owns it.
        article = get_object_or_404(Article, pk=id)
        if article.author != request.user:
            return HttpResponseForbidden()
    else:
        # No id means a new article, owned by the requester.
        article = Article(author=request.user)
    # (form handling continues in the linked answer; not quoted here)

You can see that we check whether the currently logged-in user is the author of the post. If this is not the case we return an HttpResponseForbidden.

As you rightly state, any user could change the id in the URL and attempt to view the edit page for a different record; it is your responsibility to make sure only the correct user can edit the post.

xxx
  • Even so, this allows a user to edit any of his articles even if he is coming from the edit page for article 123. I would've thought it'd be better practice to somehow restrict the user from editing ANY article other than 123 if that's the one whose edit page he went to in the first place. – Ben Nov 01 '14 at 19:15
    I don't see the problem with that. Why would you need such a restriction in place? How would you go about implementing it? An extra model field? Seems pretty redundant and what do you gain? – xxx Nov 01 '14 at 20:34
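The following is an added example, not code from the question, the answer or any Django project, showing concretely what the ownership check in the answer buys. It is a dependency-free simulation: the User and Article classes, the in-memory table built by make_db(), the Http404 exception and the integer status codes are stand-ins for Django's models, ORM, get_object_or_404 and HttpResponse classes, so it runs without Django installed. Three variants of the edit view are shown: one that trusts the id from the URL (the situation the question worries about), the answer's version that returns 403 when the requester is not the author, and a third that scopes the lookup to the requester's own rows so a foreign id is indistinguishable from a non-existent one.

```python
"""Added example: why an id taken from the URL needs an ownership check.

Everything here is constructed for illustration and stands in for Django:
  - User / Article  -> model instances
  - make_db()       -> the Article table
  - get_object_or_404 / Http404 -> django.shortcuts.get_object_or_404
  - return values 200 / 302 / 403 -> HttpResponse / redirect / HttpResponseForbidden
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Article:
    pk: int
    author: User
    title: str


class Http404(Exception):
    """Raised when a primary key does not exist (Django raises the same name)."""


def make_db():
    """Constructed sample data: two articles owned by two different users."""
    return {
        123: Article(pk=123, author=User("alice"), title="Alice's draft"),
        124: Article(pk=124, author=User("bob"), title="Bob's draft"),
    }


def get_object_or_404(table, **lookup):
    """Minimal stand-in for django.shortcuts.get_object_or_404.

    Supports pk=... and an optional author=... filter, which is all the
    example needs.  Any miss raises Http404 rather than returning None.
    """
    article = table.get(lookup["pk"])
    if article is None:
        raise Http404(lookup["pk"])
    if "author" in lookup and article.author != lookup["author"]:
        raise Http404(lookup["pk"])
    return article


def _login_required(user):
    """Stand-in for @login_required: anonymous requests are redirected (302)."""
    return user is None


def edit_unchecked(db, request_user, article_id, new_title):
    """VULNERABLE: authenticates the user but never checks who owns the row.

    Alice visits /edit/123, rewrites the form action to /edit/124 and the
    POST lands on Bob's article.  This is the classic insecure direct
    object reference the question is asking about.
    """
    if _login_required(request_user):
        return 302
    article = get_object_or_404(db, pk=article_id)
    article.title = new_title
    return 200


def edit_checked(db, request_user, article_id, new_title):
    """The answer's pattern: load by pk, then compare author to the requester."""
    if _login_required(request_user):
        return 302
    article = get_object_or_404(db, pk=article_id)
    if article.author != request_user:
        return 403          # HttpResponseForbidden in the real view
    article.title = new_title
    return 200


def edit_scoped(db, request_user, article_id, new_title):
    """Same guarantee, but the lookup itself is scoped to the requester's rows.

    In Django this is get_object_or_404(Article, pk=id, author=request.user):
    a foreign id now yields 404 exactly like a non-existent one, so the
    response no longer reveals whether article 124 exists at all.
    """
    if _login_required(request_user):
        return 302
    article = get_object_or_404(db, pk=article_id, author=request_user)
    article.title = new_title
    return 200


if __name__ == "__main__":
    alice = User("alice")
    db = make_db()
    print("unchecked:", edit_unchecked(db, alice, 124, "tampered"), db[124].title)
    db = make_db()
    print("checked:  ", edit_checked(db, alice, 124, "tampered"), db[124].title)
```

The difference between edit_checked and edit_scoped is only which information a rejected request leaks: 403 tells the requester that article 124 exists and belongs to someone else, while the scoped lookup answers 404 for both cases. Either one closes the hole the question describes; neither needs to remember which edit page the user visited first, which is the point xxx makes in the comments.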