implementing functionality conditioning in templates only or with backend too?

Hi everyone,
I was wondering about the best practice in functionality conditioning (frontend only, or both in frontend and backend), in my case in terms of allowing certain users to perform certain operations on a website.
For example, the scenario I have is: an auction-like website, where logged-in users can add items to their watchlist, and can remove items from their watchlist.

When rendering each auction item page, using Django template conditional tags and {% user.is_authenticated %}, I can ensure the following:

  • only logged-in users can perform these functionalities,
  • users that are not the owner can add the item to their watchlist, given the item is not already in their watchlist
  • users who have the item on their watchlist can only remove it.

My question is:
Is it needed in my views for these add/remove-to-watchlist functions to ensure the same conditions, in case someone accesses the routes not through the HTML?

Thank you in advance for the help!

Great question!

Yes, absolutely, you need to check in the view code as well. Otherwise someone could access functionality they shouldn’t be able to.

Such a mixup needn’t even be a malicious attack. Imagine a user logs in on one browser tab. Then they open another tab, and log out. Back on the first tab they can still see and click the “add to watchlist” button, triggering the view.

Such a mixup can also happen when switching between accounts in the same browser.

In general the rule is: verify everything sent to the server from the browser.

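As an added illustration of the reply above (this is example code written for this page, not code from the original poster or the replier), here is the watchlist policy written once and then used from both the rendering side and the request-handling side. The `User`, `Listing` and `Store` classes are constructed stand-ins so the snippet runs without Django; in a real project they would be the `User` model, the listing model and whatever field stores the watchlist, and `watchlist_view` would be the Django view behind `@login_required` and `@require_POST`, using `get_object_or_404` for the listing. The `stale_tab_demo` function walks through the logged-out-in-another-tab scenario from the reply.

```python
from dataclasses import dataclass, field

# Constructed stand-ins so this runs without Django. In the real project
# these are the User model, the auction listing model and whatever stores
# the watchlist (for example a ManyToManyField on the user model).
@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool = True

ANONYMOUS = User(id=0, is_authenticated=False)

@dataclass(frozen=True)
class Listing:
    id: int
    owner_id: int

@dataclass
class Store:
    listings: dict                                  # listing id -> Listing
    watchlist: set = field(default_factory=set)     # {(user_id, listing_id)}


def allowed_action(store, user, listing):
    """The one place the watchlist rules live: returns "add", "remove" or None.

    The template asks this to decide which button to render; the view asks it
    again on every request, because the page may be stale (logged out in
    another tab, switched accounts) or the request may not come from the page.
    """
    if not user.is_authenticated:
        return None
    if (user.id, listing.id) in store.watchlist:
        return "remove"
    if listing.owner_id != user.id:
        return "add"
    return None                                     # owner, not watching


def render_button(store, user, listing_id):
    """Template side: which button (if any) the item page would show."""
    return allowed_action(store, user, store.listings[listing_id])


def watchlist_view(store, user, listing_id, action, method="POST"):
    """Server side: returns (status, message) the way an HttpResponse would.

    In Django this is the view behind @login_required and @require_POST, with
    get_object_or_404 for the listing; here every check is written out so the
    order is visible. Nothing is trusted just because the button was shown.
    """
    if method != "POST":
        return 405, "state changes only via POST (with a CSRF token)"
    if not user.is_authenticated:
        return 302, "redirect to login"
    listing = store.listings.get(listing_id)
    if listing is None:
        return 404, "no such listing"
    if action not in ("add", "remove"):
        return 400, "unknown action"
    allowed = allowed_action(store, user, listing)
    if allowed is None:
        return 403, "not permitted for this user"
    if action != allowed:
        return 409, f"expected {allowed!r}, got {action!r}"
    key = (user.id, listing.id)
    if action == "add":
        store.watchlist.add(key)
    else:
        store.watchlist.discard(key)
    return 200, {"add": "added", "remove": "removed"}[action]


def stale_tab_demo():
    """The reply's scenario: button rendered while logged in, clicked after logout."""
    store = Store(listings={1: Listing(id=1, owner_id=10)})
    bob = User(id=20)
    button = render_button(store, bob, 1)           # page rendered: "add" shown
    # bob logs out in another tab; the old tab still shows the button and
    # submits the request without a session.
    status, _ = watchlist_view(store, ANONYMOUS, 1, button)
    return button, status                           # ("add", 302): refused
```

Two things worth keeping from this shape: the conditions are not duplicated between template and view, so they cannot drift apart, and state-changing actions are accepted only over POST, because a GET link that adds to a watchlist can be triggered by any page the user visits.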

Brilliant!!! Thank you very much for the help and the elaborate explanation.