edit_inline Manipulator processor allows "stealing" of related objects
Reported by: | Owned by: nobody
Has patch: no | Needs documentation: no
Needs tests: yes | Patch needs improvement: no
This may be the desired behavior, but I'd probably consider it a security bug. I'll let you decide, and if you agree, I'll come up with a patch for it...
Let's say I have a shopping cart system. So I have two models:
    from django.db import models

    class ShoppingCart(models.Model):
        # ... snip ...

    class ShoppingCartItem(models.Model):
        shoppingcart = models.ForeignKey(ShoppingCart, edit_inline=models.STACKED)
        product = models.ForeignKey(Product, core=True)
        quantity = models.IntegerField()
        # ... snip ...
Then I have a view using django.views.generic.create_update.update_object and a template that contains:
    <form action="." method="post">
        <input type="text" name="shoppingcartitem.0.id" value="3" />
        <input type="text" name="shoppingcartitem.0.product" value="3" />
        <input type="text" name="shoppingcartitem.0.quantity" value="3" />
        <input type="submit" />
    </form>
If Alice creates a shopping cart with one item, 3 "Product 3"'s as above, and then Mallory comes in to her own shopping cart (not actually accessing the same ShoppingCart object as Alice but a distinct one of her own) and posts to this view with the values: shoppingcartitem.0.id=3&shoppingcartitem.0.product=3&shoppingcartitem.0.quantity=100, the item will be removed from Alice's cart and placed into Mallory's cart with a quantity of 100.
I would expect that Django would beef about either a) letting Mallory reassign the ForeignKey value for ShoppingCartItem(pk=3) or b) letting Mallory alter the value of ShoppingCartItems not related to the ShoppingCart object she's viewing. Neither occurs.
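The check the reporter expects under b), as an added example that is not part of this ticket or of Django's own manipulator code: before applying an inline edit, the view verifies that every posted `shoppingcartitem.N.id` names an item whose `shoppingcart` ForeignKey is the cart being edited, and the FK itself is always taken from the view, never from the request. `ITEMS`, `check_inline_ownership` and `update_cart` are hypothetical stand-ins for the ORM and the manipulator; the rows are constructed to match the ticket's scenario (Alice's cart is pk 1, Mallory's is pk 2).

```python
import re
from urllib.parse import parse_qsl

# Constructed in-memory stand-in for ShoppingCartItem rows, keyed by pk.
ITEMS = {
    3: {"shoppingcart": 1, "product": 3, "quantity": 3},
    7: {"shoppingcart": 2, "product": 5, "quantity": 1},
}
INLINE_ID = re.compile(r"^shoppingcartitem\.(\d+)\.id$")


def check_inline_ownership(cart_pk, post):
    """Return None if every posted shoppingcartitem.N.id names an item whose
    shoppingcart FK is cart_pk; otherwise a message for the first offender.
    Hypothetical helper, not Django's own manipulator validation."""
    for key, value in post.items():
        m = INLINE_ID.match(key)
        if not m:
            continue
        raw = value.strip()
        if raw == "":
            continue  # blank id: a new inline object, nothing existing to reassign
        if not raw.isdigit():
            return "%s: not an integer id" % key
        item = ITEMS.get(int(raw))
        if item is None:
            return "%s: no such item" % key
        if item["shoppingcart"] != cart_pk:
            return "%s: item %s does not belong to cart %d" % (key, raw, cart_pk)
    return None


def update_cart(cart_pk, query_string):
    """Apply the inline edits from an update_object-style POST body only after
    the ownership check passes. Returns (applied, error_message)."""
    post = dict(parse_qsl(query_string, keep_blank_values=True))
    problem = check_inline_ownership(cart_pk, post)
    if problem is not None:
        return False, problem
    for key, value in post.items():
        m = INLINE_ID.match(key)
        if not m or not value.strip():
            continue
        prefix = "shoppingcartitem.%s." % m.group(1)
        item = ITEMS[int(value)]
        item["product"] = int(post[prefix + "product"])
        item["quantity"] = int(post[prefix + "quantity"])
        item["shoppingcart"] = cart_pk  # FK comes from the view, never the request
    return True, None
```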
Change History (4)

comment:2 Changed 10 years ago by
    Component: Core framework → Documentation
    Owner: changed from Adrian Holovaty to Jacob
    Summary: edit_inline Manipulator processor allows "stealing" of related objects → Fast exchanger
    Triage Stage: Accepted → Ready for checkin

comment:3 Changed 10 years ago by
    Component: Documentation → Core framework
    Keywords: security added; None removed
    Owner: changed from Jacob to Adrian Holovaty
    Summary: Fast exchanger → edit_inline Manipulator processor allows "stealing" of related objects
    Triage Stage: Ready for checkin → Accepted