英文:
Is returning list of app_name + codename of permissions for currently logged in user a security risk in django?
问题
I have an app named "todos" and inside this app I have a permission code named "add_todo". Is it a bad idea to return app name + code name (todos.add_todo) as a mechanism to control which buttons and UI to show to the user in the Frontend?
I currently wrote an endpoint that returns all of the user's permissions as a list in this format: "app_name.permission__codename". I was wondering whether this would pose a security risk or not. Also, it's worth noting that only the currently logged-in user can see his/her own permissions.
英文:
I have an app named "todos" and inside this app I have a permission code named "add_todo", Is it a bad idea to return app name + code name(todos.add_todo) as a mechanism to control which buttons and UI to show to user in the Frontend?
I currently wrote an endpoint that returns all of the user's permissions as a list in this format: "app_name.permission__codename". I was wondering whether this would pose a security risk or not. Also it's worth noting that only currently logged in user can see his/her own permissions.
答案1
得分: 0
没有安全问题,但首选的方式是返回操作 + 应用程序名称。如果您查看权限模型,它有一个 content_type
,该内容指向应用程序的模型。
所以您的代号将是:
can_add_todos
can_delete_todos
名称应该是每个单词的首字母大写,用空格代替下划线,类似的示例可以在文档中找到。
英文:
No there is no security issue but prefered way is to return action + app_name. if you look at permission model it has content_type
that directs to app's model.
So your codename will be:
can_add_todos
can_delete_todos
And name would be caps of first letter of each word and space instead of underscopes similar example is from the docs
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论