I’m creating an app which can create, edit or view a place.
When I edit or view a place, I pass the ‘id’ field through the URL, for example:
/places/place/1
/places/place/2
…
When I try to edit a place I do:
place_detail.html
<a href="{% url places_edit_place place.id %}">Edit</a>
The ‘place’ var is a form.
url.py
urlpatterns = patterns('',
    url(r'^edit_place/(?P<id_place>\w+)/$',
        views.edit_place,
        name='places_edit_place'),
)
view.py
def edit_place(request, id_place, template_name='places/edit_place.html'):
I receive the ‘id’ field of a place object in the ‘id_place’ arg. But if I change the ‘id’ arg in the URL (/places/edit_place/1 to /places/edit_place/2), the web page goes to the second place to be edited, and a user could change this arg as he wants.
How can I send this private ‘id’ arg from a template to a view without the user being able to see it?
Don’t.
If your app has rules to determine which places a user can edit, you should implement some business logic to ensure that the user can’t edit that place, even if they happen to go to the URL to do so. You can use Django’s authorization decorators to ensure that the user can’t access anything they shouldn’t.
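The check the answer describes, as an added example that is not part of the question or the answer and not the asker's project code. The Django model, request and exception classes are replaced by small constructed stand-ins so the module runs without Django installed; the comments give the Django calls they stand in for. The business rule (a place may be edited by its owner or by staff) and the `owner_id` field on Place are assumptions for the example; the point is that the id stays in the URL and the server decides whether the requesting user may act on that row.

```python
"""Object-level authorization for the edit view.

Constructed stand-ins for Django pieces (Place model, request, Http404,
PermissionDenied) so this runs stand-alone; each one is commented with
the Django equivalent.  Assumed rule: owner or staff may edit a place.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


class Http404(Exception):
    """Stand-in for django.http.Http404."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (HTTP 403)."""


@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool = True
    is_staff: bool = False


ANONYMOUS = User(id=0, is_authenticated=False)   # like AnonymousUser


@dataclass
class Place:
    id: int
    name: str
    owner_id: int   # assumption: Place has a ForeignKey to the owning user


@dataclass
class Request:
    user: User
    POST: Dict[str, str] = field(default_factory=dict)


# Constructed in-memory table; in Django this is Place.objects.
PLACES: Dict[int, Place] = {
    1: Place(id=1, name="Alice's cafe", owner_id=1),
    2: Place(id=2, name="Bob's bar", owner_id=2),
}


def get_place_or_404(id_place: int) -> Place:
    """Django: get_object_or_404(Place, pk=id_place)."""
    try:
        return PLACES[id_place]
    except KeyError:
        raise Http404(f"no place with id {id_place}")


def edit_place_vulnerable(request: Request, id_place: int) -> Place:
    """The pattern in the question: whoever types an id into the URL edits that row."""
    place = get_place_or_404(id_place)
    place.name = request.POST.get("name", place.name)
    return place


def user_can_edit(user: User, place: Place) -> bool:
    """Assumed business rule: the owner or a staff member may edit."""
    return user.is_authenticated and (user.is_staff or place.owner_id == user.id)


def edit_place(request: Request, id_place: int) -> Place:
    """Hardened view.  Django equivalent:

        @login_required
        def edit_place(request, id_place, template_name='places/edit_place.html'):
            place = get_object_or_404(Place, pk=id_place)
            if not (request.user.is_staff or place.owner_id == request.user.id):
                raise PermissionDenied
            ...
    """
    if not request.user.is_authenticated:
        # @login_required would redirect to the login page instead of a 403.
        raise PermissionDenied("login required")
    place = get_place_or_404(id_place)
    if not user_can_edit(request.user, place):
        # A 403 reveals that the id exists; raise Http404 here instead if
        # other users must not be able to learn which ids are valid.
        raise PermissionDenied(f"user {request.user.id} may not edit place {id_place}")
    place.name = request.POST.get("name", place.name)
    return place


def try_edit(view: Callable[[Request, int], Place], user: User,
             id_place: int, new_name: str) -> str:
    """Run a view for a user and classify the outcome: 'ok', '403' or '404'."""
    try:
        view(Request(user=user, POST={"name": new_name}), id_place)
    except PermissionDenied:
        return "403"
    except Http404:
        return "404"
    return "ok"
```

The authorization decision lives next to the data access, not in the template: hiding the id (a hidden form field, a session value, an obfuscated token) would still leave a request the server trusts blindly. Whether a foreign id should answer 403 or 404 depends on whether place ids are considered confidential in the application.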