When I update the form, I want to hide the id part in the URL. What is the most logical way to do this? Code below:
form=HedefForm(request.POST or None, instance=hedef)
group_id = request.user.groups.values_list('id', flat=True).first()
Hmm, several ways you could do this:
- always the same path, and replace the /pk/ bit with a hidden input?
- keep on using the same path, but use another property of the object being modified than the primary key: a slug, a uuid, … something. That is likely to require a model change, however.
In addition to the very good recommendations suggested by @plopidou, I suggest you seriously consider what you are trying to achieve.
What are you actually looking to prevent? What problem do you think you’re going to solve?
Identifying what the root concerns are will help you identify what the appropriate solution would be. Each one of those recommendations addresses different concerns.
In fact, my aim is to prevent switching to other records by typing an id in the address bar, and when I want to update the data received with the POST method, I cannot display the form information of the record. When I do it with the code I specified, the id in the URL can be changed and the records are switched, which can be considered a security vulnerability. Since I’m new, I haven’t quite figured out how to.
Let me try to explain my problem in more detail in the image below.
Ok, keep in mind that you cannot, under any circumstance, prevent a user from changing the data coming from the browser. You must never trust submitted data.
You can reduce, but not eliminate the risk by changing from sequential IDs to something like UUIDs.
If this is a security issue you’re concerned about, then what you need to do is add a “row-level security” infrastructure to your application such that you can determine whether the current user is allowed to edit the row identified by the submitted data. If a user changes data that they’re allowed to change, that’s fine - it’s their right to do so. Otherwise, you need to add code in your view to prevent that data from being changed.
try:
    hedef = Hedef.objects.get(pk=hedef_id)
    # do the form things
except Hedef.DoesNotExist:
    # or redirect elsewhere
    raise Http404
This is linked to Ken’s remark about security. Let’s say a client hits the path /plans/update_hedef/123456 and the id 123456 does not exist? You must think about such cases – in the example above, it’s done via the familiar Python pattern “ask forgiveness rather than permission”. Your get() could also include other filtering criteria, such as status=Hedef.Status.ACTIVE, for example.
If you don’t handle such cases, you are likely to end up with lots and lots of 500s… :[
Rule number one: NEVER TRUST THE CLIENT.
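Putting Ken’s row-level check and plopidou’s not-found handling together, here is an added example of what the update view can look like. It is not code from the thread’s authors. It assumes (hypothetically, none of this is on the page) that Hedef has a `group` ForeignKey to django.contrib.auth’s Group, that HedefForm is the ModelForm from the question, and a `hedef_list` URL name to redirect to. The stub classes at the bottom are constructed stand-ins so the authorization helpers can be exercised without a database.

```python
"""Row-scoped edit view for Hedef (added example, not the thread's own code).

Idea: the id in the URL is client-controlled, so the lookup itself is filtered
to rows the current user is allowed to touch. A row outside the user's groups
then looks exactly like a non-existent one: 404, never a 500, never someone
else's record.
"""


def allowed_group_ids(user):
    """Return the set of group ids the user belongs to (empty for anonymous users)."""
    if not getattr(user, "is_authenticated", False):
        return set()
    # Same call the question uses, but the whole set rather than .first():
    # a user may edit rows from any of their groups.
    return set(user.groups.values_list("id", flat=True))


def can_edit(hedef, user):
    """Row-level check: the user may edit a Hedef only if it belongs to one of their groups."""
    return hedef.group_id in allowed_group_ids(user)


def update_hedef(request, hedef_id):
    """Django view; only rows in one of the user's groups are reachable via the URL id."""
    # Django is imported inside the view so the helpers above stay importable
    # (and testable) in an environment without Django installed.
    from django.shortcuts import get_object_or_404, redirect, render
    from .forms import HedefForm    # hypothetical module layout
    from .models import Hedef

    # Scoped lookup: missing id AND foreign id both raise Http404 here, so the
    # view never reaches the form with a record the user may not edit.
    hedef = get_object_or_404(
        Hedef, pk=hedef_id, group_id__in=allowed_group_ids(request.user)
    )
    form = HedefForm(request.POST or None, instance=hedef)
    if request.method == "POST" and form.is_valid():
        form.save()
        return redirect("hedef_list")   # hypothetical URL name
    return render(request, "plans/update_hedef.html", {"form": form})


# --- Constructed stand-ins (not Django models) for running the checks offline ---

class _StubGroups:
    """Mimics the tiny slice of a related manager that allowed_group_ids() calls."""

    def __init__(self, ids):
        self._ids = list(ids)

    def values_list(self, field, flat=False):
        return list(self._ids)


class StubUser:
    """Constructed user: authenticated flag plus group membership."""

    def __init__(self, group_ids, authenticated=True):
        self.is_authenticated = authenticated
        self.groups = _StubGroups(group_ids)


class StubHedef:
    """Constructed Hedef row carrying only the group_id the check needs."""

    def __init__(self, group_id):
        self.group_id = group_id


if __name__ == "__main__":
    user = StubUser([1, 2])
    print(can_edit(StubHedef(group_id=2), user))   # own group -> True
    print(can_edit(StubHedef(group_id=3), user))   # foreign group -> False
```

The decision of whether a user may see a row is made by the query, not by a hidden input or a prettier id: changing the number in the address bar to another record yields a 404, and the rule is in one place rather than repeated in every branch of the view.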