Is returning a list of app_name + codename of permissions for the currently logged-in user a security risk in Django?

Question

I have an app named "todos" and inside this app I have a permission code named "add_todo". Is it a bad idea to return app name + code name (todos.add_todo) as a mechanism to control which buttons and UI to show to the user in the Frontend?

I currently wrote an endpoint that returns all of the user's permissions as a list in this format: "app_name.permission__codename". I was wondering whether this would pose a security risk or not. Also, it's worth noting that only the currently logged-in user can see his/her own permissions.


Answer 1

Score: 0

No, there is no security issue, but the preferred way is to return action + app_name. If you look at the permission model, it has a content_type that points to the app's model.

So your codename will be:

can_add_todos
can_delete_todos

And the name would be the first letter of each word capitalized, with spaces instead of underscores; a similar example is in the docs.
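The point a reviewer would add to the question and answer above is that the "app_label.codename" list is only safe under two conditions: the endpoint derives the user from the session (it never accepts another user's id), and every mutating view still enforces the permission server-side, because the list only decides which buttons the frontend draws. The following is an added example, not code from the question, the answer or Django itself. It is a framework-free stand-in for Django's User.get_all_permissions() / has_perm() and the permission_required decorator, written so it runs without Django installed; the Permission, Group, User and Request classes, the (status, body) return convention and the sample users are all constructed for this illustration.

```python
"""Stand-in for Django's permission model (constructed; not Django code)."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class Permission:
    app_label: str  # Django derives this from content_type.app_label
    codename: str   # e.g. "add_todo"

    def key(self):
        # Same "app_label.codename" string that the question's endpoint returns
        return f"{self.app_label}.{self.codename}"


@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    user_permissions: set = field(default_factory=set)
    groups: list = field(default_factory=list)

    def get_all_permissions(self):
        """Mirror Django: direct permissions plus those inherited via groups."""
        perms = {p.key() for p in self.user_permissions}
        for group in self.groups:
            perms |= {p.key() for p in group.permissions}
        return perms

    def has_perm(self, perm):
        return self.is_superuser or perm in self.get_all_permissions()


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User                                   # set from the session, not from input
    GET: dict = field(default_factory=dict)      # query string; deliberately ignored below


def my_permissions(request):
    """The question's endpoint: the caller's own permissions only.

    The identity comes from request.user (the session), never from a user id in
    the query string, so there is nothing for another user to enumerate.
    """
    if not request.user.is_authenticated:
        return 401, None
    return 200, sorted(request.user.get_all_permissions())


def permission_required(perm):
    """Server-side gate; the UI hiding a button is not authorization."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if not request.user.is_authenticated:
                return 401, None
            if not request.user.has_perm(perm):
                return 403, None
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


TODOS = []  # stand-in for the todos table


@permission_required("todos.add_todo")
def add_todo(request, title):
    TODOS.append(title)
    return 201, {"title": title}


# Constructed sample data: editors may add todos, bob has no permissions at all.
ADD_TODO = Permission("todos", "add_todo")
DELETE_TODO = Permission("todos", "delete_todo")
EDITORS = Group("editors", {ADD_TODO})
ALICE = User("alice", groups=[EDITORS], user_permissions={DELETE_TODO})
BOB = User("bob")

if __name__ == "__main__":
    print(my_permissions(Request(ALICE)))   # what alice's frontend would receive
    print(add_todo(Request(BOB, GET={"user": "alice"}), "x"))  # still 403
```

Even if bob's frontend were modified to show the "add" button (or to send a user=alice parameter), add_todo still answers 403, and my_permissions ignores the query string entirely; that is what makes the returned list harmless.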

huangapple
  • Published by huangapple on 2023-08-11 00:57:42
  • Please keep this link when reposting: https://go.coder-hub.com/76877849.html