Is returning a list of app_name + codename of permissions for the currently logged-in user a security risk in Django?

Question

I have an app named "todos" and inside this app I have a permission code named "add_todo". Is it a bad idea to return app name + code name (todos.add_todo) as a mechanism to control which buttons and UI to show to the user in the frontend?

I currently wrote an endpoint that returns all of the user's permissions as a list in this format: "app_name.permission__codename". I was wondering whether this would pose a security risk or not. Also, it's worth noting that only the currently logged-in user can see his/her own permissions.

Answer 1

Score: 0

No, there is no security issue, but the preferred way is to return action + app_name. If you look at the permission model, it has a content_type that points to the app's model.

So your codename will be:

can_add_todos
can_delete_todos

And the name would be the first letter of each word capitalized, with spaces instead of underscores; a similar example is in the docs.


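The pattern discussed in the question and answer, as an added example that is not part of the original post: a Django-free sketch in which a "my permissions" endpoint returns only the caller's own permissions as "app_label.codename" strings (the same format Django's `User.get_all_permissions()` produces), while the protected action re-checks the permission on the server no matter what the client claims. `MockUser`, `ALL_PERMS`, `my_permissions_view` and `add_todo_view` are constructed for this illustration and stand in for Django's `User` model and views; they are not Django's own code.

```python
"""Added example (not from the original post): a Django-free sketch of
returning the logged-in user's permissions as "app_label.codename" strings
and enforcing the same permission server-side. MockUser, ALL_PERMS and the
two view functions are constructed stand-ins, not Django's own API."""
import re
from dataclasses import dataclass, field

# Django permission strings are "app_label.codename"; reject anything else so
# a malformed value is never echoed to the client or used in a check.
PERM_RE = re.compile(r"^[a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*$")

# The permissions this sketch knows about (constructed sample data).
ALL_PERMS = frozenset({
    "todos.add_todo", "todos.change_todo", "todos.delete_todo", "todos.view_todo",
})


@dataclass
class MockUser:
    """Stand-in for django.contrib.auth's User (constructed, not Django's)."""
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    # Permissions granted directly or via groups, already flattened.
    _perms: frozenset = field(default_factory=frozenset)

    def get_all_permissions(self) -> set:
        # Mirrors Django's behaviour: a superuser holds every permission.
        if self.is_superuser:
            return set(ALL_PERMS)
        return set(self._perms)

    def has_perm(self, perm: str) -> bool:
        if self.is_superuser:
            return True
        return perm in self._perms


def my_permissions_view(user: MockUser) -> tuple:
    """GET /api/me/permissions: returns (status, body) with only the caller's
    own permissions, so nothing about other users is disclosed."""
    if not user.is_authenticated:
        return 401, {"detail": "Authentication required."}
    perms = sorted(p for p in user.get_all_permissions() if PERM_RE.match(p))
    return 200, {"permissions": perms}


def add_todo_view(user: MockUser, payload: dict) -> tuple:
    """POST /api/todos: the server enforces todos.add_todo itself, so showing
    or hiding the button in the frontend is a UX choice, not the control."""
    if not user.is_authenticated:
        return 401, {"detail": "Authentication required."}
    if not user.has_perm("todos.add_todo"):
        return 403, {"detail": "Permission denied."}
    return 201, {"created": payload.get("title", "")}


if __name__ == "__main__":
    editor = MockUser("editor", _perms=frozenset({"todos.add_todo", "todos.view_todo"}))
    viewer = MockUser("viewer", _perms=frozenset({"todos.view_todo"}))
    print(my_permissions_view(editor))           # (200, {'permissions': [...]})
    print(add_todo_view(viewer, {"title": "x"}))  # (403, {...}) despite any UI hint
```

The list the endpoint returns is exactly what the frontend needs to decide which buttons to draw; because `add_todo_view` calls `has_perm` again, a client that edits that list locally gains nothing beyond a button that produces a 403.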