Reputation: 801
Is there a best practice to forbid access to other users' objects in Django? Let's say I can access an object by PK in the path (some/path/to/object/PK/edit). What is the best way to forbid User1 from accessing User2's objects by PK in the path?
Upvotes: 0
Views: 151
Reputation: 3864
If you need more granular security than what Django provides out-of-the-box then you might want to look into one of the ACL offerings. Starting with Django 1.2 it is possible to add object/row level permissions using a third-party plugin. There are several to choose from. See this SO question for suggestions:
Django 1.2 object level permissions - third party solutions?
Upvotes: 0
Reputation: 22459
I usually create an @owner_required decorator to wrap elements with such requirements; how the logic works depends on the use case.
Upvotes: 1
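A sketch of the ownership check behind such a decorator, added here as an example and not part of the original answer. It is framework-free so it runs on its own: `Request`, `User`, `Document`, the `DOCUMENTS` store and `NotFound` are hypothetical stand-ins; in a Django view the lookup would typically be `get_object_or_404` and the exception `Http404`.

```python
from dataclasses import dataclass
from functools import wraps

class NotFound(Exception):
    """Stand-in for django.http.Http404 (assumption for this example)."""

@dataclass
class User:
    id: int
    is_authenticated: bool = True

@dataclass
class Request:
    user: User

@dataclass
class Document:
    pk: int
    owner_id: int
    title: str

# Constructed sample rows standing in for a database table.
DOCUMENTS = {1: Document(1, owner_id=10, title="alice notes"),
             2: Document(2, owner_id=20, title="bob notes")}

def owner_required(load, owner_attr="owner_id"):
    """Resolve the pk from the URL and hand the object to the view
    only when request.user owns it."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, pk, *args, **kwargs):
            if not request.user.is_authenticated:
                raise PermissionError("login required")
            obj = load(pk)
            # Missing and foreign objects get the same answer, so the
            # response does not reveal which pk values exist.
            if obj is None or getattr(obj, owner_attr) != request.user.id:
                raise NotFound(pk)
            return view(request, obj, *args, **kwargs)
        return wrapper
    return decorator

@owner_required(DOCUMENTS.get)
def edit_document(request, document, new_title):
    # The view receives the already-authorized object, never the raw pk.
    document.title = new_title
    return document.title
```

Because the view receives the object instead of the pk, it cannot skip the check by doing its own unscoped lookup.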
Reputation: 37406
You should have an association in your user model, and then in your controllers you should do all object access through your user model associations, so each user can only access their own children. Here is a related post: How to create new (unsaved) Django model with associations?
Upvotes: 0