Electronics & Programming

develissimo

Open Source electronics development and programming


#1 March 5, 2008 14:45:15

c.
Registered: 2009-11-02

best practice to delete an object


Hi,

my question is really basic but I'd like to make sure I'm doing the
right thing.

Say a user owns certain objects and it has the possibility to delete
them by clicking on a "delete" link.

I'm thinking of associating that link to a get request via a url like:
/objects/delete/<object_pk>
but this would give the possibility to a user to delete objects
created and belonging to another user by directly typing the url in
the bar and putting a random object_pk.

What is the best practice to deal with this?

Is it a good idea to simply check that the owner of the object is also
the one performing the get request?

Would something like the following do the job?
    if request.user.id == object.user.id:
        object.delete()

Is there a well known approach?

Thanks a lot
Francesco
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---


#2 March 5, 2008 14:48:32

Malcolm T.
Registered: 2009-11-02


On Wed, 2008-03-05 at 06:44 -0800, cesco wrote:
> Hi,
>
> my question is really basic but I'd like to make sure I'm doing the
> right thing.
>
> Say a user owns certain objects and it has the possibility to delete
> them by clicking on a "delete" link.
>
> I'm thinking of associating that link to a get request via a url like:
> /objects/delete/<object_pk>
> but this would give the possibility to a user to delete objects
> created and belonging to another user by directly typing the url in
> the bar and putting a random object_pk.
>
> What is the best practice to deal with this?
>
> Is it a good idea to simply check that the owner of the object is also
> the one performing the get request?
>
> Would something like the following do the job?
>     if request.user.id == object.user.id:
>         object.delete()

If permission control matters then of course you have to check the
permissions before executing the operation. This isn't unique to
delete(). However it's also not a universal requirement, since not every
domain has a concept of objects being owned by anybody (or any group of
bodies). So you need to do whatever permission checking is appropriate
for your problem domain.

Malcolm

--
Honk if you love peace and quiet.
http://www.pointy-stick.com/blog/

#3 March 9, 2008 16:35:18

Peter o.
Registered: 2009-11-02


On Mar 5, 2008, at 7:47 AM, Malcolm Tredinnick wrote:
>
> On Wed, 2008-03-05 at 06:44 -0800, cesco wrote:
>> Hi,
>>
>> my question is really basic but I'd like to make sure I'm doing the
>> right thing.
>>
>> Say a user owns certain objects and it has the possibility to delete
>> them by clicking on a "delete" link.
>>
>> I'm thinking of associating that link to a get request via a url like:
>> /objects/delete/<object_pk>
>> but this would give the possibility to a user to delete objects
>> created and belonging to another user by directly typing the url in
>> the bar and putting a random object_pk.

It’s a bad idea to put anything that manipulates the database in a URL
like this. I usually do deletes like this:

    <form action="/item/delete/" method="POST">
      <input type="hidden" name="id" value="{{ item.id }}">
      <input type="submit" value="Delete">
    </form>

It’s also a good idea to use HttpResponseRedirect to prevent the user
from trying to delete it twice.

>> What is the best practice to deal with this?
>>
>> Is it a good idea to simply check that the owner of the object is also
>> the one performing the get request?
>>
>> Would something like the following do the job?
>>     if request.user.id == object.user.id:
>>         object.delete()
>
> If permission control matters then of course you have to check the
> permissions before executing the operation. This isn't unique to
> delete(). However it's also not a universal requirement, since not
> every
> domain has a concept of objects being owned by anybody (or any group of
> bodies). So you need to do whatever permission checking is appropriate
> for your problem domain.
>
> Malcolm
>
> --
> Honk if you love peace and quiet.
> http://www.pointy-stick.com/blog/
--
Peter of the Norse
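
The three points raised in this thread (delete only on POST, check ownership before deleting, redirect afterwards), combined in one handler as an added example that is not part of any post above. It is a framework-free sketch: `Item`, `Request`, `make_store`, `delete_item` and the `/login/` and `/item/` targets are hypothetical; in Django the same steps map onto `require_POST`, `login_required`, `get_object_or_404(..., user=request.user)` and `HttpResponseRedirect`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Item:
    pk: int
    owner_id: int


@dataclass
class Request:  # hypothetical stand-in for a framework request object
    method: str
    user_id: Optional[int]  # None means not logged in
    post: dict


def make_store():
    # Constructed sample data: items 1 and 2 belong to user 10, item 3 to user 20.
    return {1: Item(1, 10), 2: Item(2, 10), 3: Item(3, 20)}


def delete_item(request, store):
    """Handle POST /item/delete/ and return (status, redirect_location)."""
    # 1. State-changing action only on POST: links, prefetchers and crawlers
    #    issue GETs and must never trigger a delete.
    if request.method != "POST":
        return 405, None
    # 2. Anonymous callers are sent to log in (assumed login URL).
    if request.user_id is None:
        return 302, "/login/"
    # 3. The id arrives in the form body (the hidden "id" field), not the URL.
    try:
        pk = int(request.post.get("id", ""))
    except (TypeError, ValueError):
        return 400, None
    # 4. Ownership-scoped lookup: a missing id and another user's id give the
    #    same 404, so the response does not reveal which ids exist.
    item = store.get(pk)
    if item is None or item.owner_id != request.user_id:
        return 404, None
    del store[pk]
    # 5. Redirect after POST so a reload does not resubmit the delete.
    return 302, "/item/"
```

The form that posts here also needs CSRF protection (Django ships a CSRF middleware for this); the sketch does not model it.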


