Hide id in url when updating model form

When I update the form, I want to hide the id part in the url part. In what most logical way should I do this? Codes below

views.py
def update_hedef(request,hedef_id):
hedef=Hedef.objects.get(pk=hedef_id)
form=HedefForm(request.POST or None, instance=hedef)
if form.is_valid():
hedef.donem_id=request.user.profile.aktif_donem.id
form.save()
return redirect(‘list_amaclar’)
donem_id=request.user.profile.aktif_donem.id
group_id = request.user.groups.values_list(‘id’, flat=True).first()
form.fields[“amac_name”].queryset =
Amac.objects.filter(group_id=group_id).filter(donem_id=donem_id).order_by(‘name’)
return render(request,‘plans/update_hedef.html’,{‘hedef’:hedef,‘form’:form})

urls.py
path(‘update_hedef/<hedef_id>’,views.update_hedef,name=‘update_hedef’),

test.html
Update

page1149×685 27.8 KB

mm several ways you could do this:

• always the same path, and replace the /pk/ bit with a hidden input?
• keep on using the same path, but use another property of the object being modified than the primary key: a slug, a uuid, … something. That is likely to require a model change, however.

In addition to the very good recommendations suggested by @plopidou, I suggest you seriously consider what you are trying to achieve.

What are you actually looking to prevent? What problem do you think you’re going to solve?

Identifying what the root concerns are will help you identify what the appropriate solution would be. Each one of those recommendations address different concerns.

In fact, my aim is to prevent the transition to other records by typing id in the address line, and when I want to update the data received with the POST method, I cannot display the form information of the record. When I do it with the codes I specified, the id on the url is changed and the records are switched, which can be considered a security vulnerability. Since I’m new, I haven’t quite figured out how to.

Let me try to explain my problem in more detail in the image below.

hata1656×1109 74.6 KB

Ok, keep in mind that you cannot, under any circumstance, prevent a user from changing the data coming from the browser. You must never trust submitted data.

You can reduce, but not eliminate the risk by changing from sequential IDs to something like UUIDs.

If this is a security issue you’re concerned about, then what you need to do is add a “row-level security” infrastructure to your application such that you can determine whether the current user is allowed to edit the row identified by the submitted data. If a user changes data that they’re allowed to change, that’s fine - it’s their right to do so. Otherwise, you need to add code in your view to prevent that data from being changed.

also:

try:
    hedef = Hedef.objects.get(pk=hedef_id)
    # do the form things
except Hedef.DoesNotExist:
    raise Http404
    # or redirect elsewhere

This is linked to Ken’s remark about security. Let’s say a client hits the path /plans/update_hedef/123456 and the id 123456 does not exist? You must think about such cases – in the example above, it’s done via the familiar python pattern “ask forgiveness rather than permission”. Your get() could also include other filtering criteria, such as status=Hedef.Status.ACTIVE, for example.
If you don’t handle such cases, you are likely to end up with lots and lots of 500s… :[

Rule number one: NEVER TRUST THE CLIENT.

I save the username in model as the creator when creating a record. Then in the view; when I want to open a record for view or edit; I check if the request.user is the same as user value in the record or not. And also when submitting a form I check again in view; if the saved user value is the request.user or not.
Maybe simple but prevent from view or edit by the user that is not the owner of the record.
More advanced if there is any user groups or advanced user management; for example as the custom user groups or workspace; defining the owner; directly in the table or in a junction table ( many to many) will help.