Django
pvgdrk, 2016-03-14 13:39:09

Is there a need to protect against unauthorized access to functions that return data?

The view to display the page is invoked via the browser's address bar (main_page()) for authorized users only.
Decorators and other checks are used to restrict unauthorized access to such views.
In one project, there is a view that returns data (not related to the user model) from the database (get_data()). The request is made through an ajax call from the JS script that was first loaded by main_page().
Can an unauthorized user send a request to the get_data() function and get the data via the address bar without loading the entire page? Do I need to protect every function in the project with a decorator?


1 answer(s)
Maronus, 2016-03-14
@Maronus

The request is made through the ajax function from the js script that was first loaded by main_page().

Therefore, any authorized user, using the debugger in the browser, can see this request, pass it on to third parties, and those third parties will be able to load the data.
Public, yes. Any request from the client side needs to be checked. But don't write the check head-on in every function.
Create a method that, on any request (with a couple of exceptions) from an unauthorized user, redirects them to the login form or returns 403. And call it before the routes are processed, as one option.
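An added example of the approach the answer describes (not code from the answer's author or from Django itself): a Django-style middleware that runs in front of URL routing, so main_page() and get_data() are covered without a decorator on each view. Plain dataclasses stand in for Django's request and response objects so it runs without Django installed; the exempt path prefixes and the `X-Requested-With: XMLHttpRequest` header (what jQuery's ajax sends) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import quote

# Plain stand-ins for django.http objects so this runs without Django installed
@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

@dataclass
class User:
    is_authenticated: bool = False

@dataclass
class Request:
    path: str
    user: User
    headers: dict = field(default_factory=dict)

# The "couple of exceptions": URLs that must stay reachable without a session (assumed)
EXEMPT_PREFIXES = ("/login/", "/logout/", "/static/")

class LoginRequiredMiddleware:
    """Django-style middleware: sits in front of URL routing, so main_page()
    and get_data() are both covered without a decorator on each view."""

    def __init__(self, get_response: Callable[[Request], Response]):
        self.get_response = get_response

    def __call__(self, request: Request) -> Response:
        if request.path.startswith(EXEMPT_PREFIXES) or request.user.is_authenticated:
            return self.get_response(request)
        # An AJAX caller cannot render a login form, so refuse with 403
        if request.headers.get("X-Requested-With") == "XMLHttpRequest":
            return Response(403, "authentication required")
        # A browser navigation is sent to the login form, then back to `next`
        return Response(302, headers={"Location": "/login/?next=" + quote(request.path)})

def views(request: Request) -> Response:
    # Stand-in for the URL resolver and views; get_data() would query the DB here
    if request.path == "/get_data/":
        return Response(200, '{"rows": [1, 2, 3]}')
    return Response(200, "<html>main page</html>")

def handle(path: str, authenticated: bool, ajax: bool = False) -> Response:
    """Build one request and push it through the middleware stack."""
    headers = {"X-Requested-With": "XMLHttpRequest"} if ajax else {}
    return LoginRequiredMiddleware(views)(Request(path, User(authenticated), headers))
```

In a real project the class goes into `MIDDLEWARE` in settings.py and the stand-ins are replaced by Django's `HttpResponseForbidden` and `redirect()`; an unauthenticated direct call to `/get_data/` then gets a 403 instead of the data.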
