Reputation: 4576
Links within email that can edit data in database
I apologize if this is trivial but I thought this would be easy to find but I think the problem is that I'm not sure what I'm looking for.
Basically, I want to send out an email to a customer who had their pickup missed by the pickup truck to help reschedule a new date or cancel the pickup all together depending on which link in the email they clicked.
Using pk's and ID's seemed like a security flaw to link into any view as the URL could be easily altered. What protocols/libraries would I need to use to accomplish such a task? Do I just assign a UUID to each customer in my database and go off that?
Upvotes: 0
Views: 49
Answers (1)
Reputation: 2143
Having a UUID to represent the user would be fine, but keep in mind it's just a speed bump. E-mails aren't safe and can be read by a 3rd party. Even with UUID's someone can impersonate another. It sounds like it's a rather low risk issue, though. What's the worst case here? Do you have ways to mitigate it through customer support?
If you wanted to make things more secure, you'd just have a link that would require authentication to make changes to their order. It's a balance between friction with your users and security.
It seems you have the right ideas already. I'd suggest not user pk's just because they are often incremental and it's easy to just iterate through all your customers. UUIDs just increases the number space significantly that it should deter people from doing it assuming there isn't anything to be gained.
Upvotes: 1
Related Questions
- django authentication model - login with emailed link?
- Django update user email address
- django email account activaiton
- Authenticate using email and uuid
- Django sending emails with links
- creating dynamic link and sending html content with text to mail via django
- Sending a confirmation link via email on django
- Django: email user a one-time link to a view
- Django email attatchment
- Email integration