twoscoops / two-scoops-of-django-1.6

Tracking thoughts and feature requests for Two Scoops of Django 1.6

Page 94 - order of logic #48

Closed topiaruss closed 9 years ago

topiaruss commented 10 years ago

This is a nit, but in Example 8.3, it would be better to check permissions before leaking information about presence/absence of a certain sprinkle pk, via the 404.

I'd write:

request = check_sprinkles(request)
sprinkle = get_object_or_404(Sprinkle, pk=pk)

I do accept that this is not the focus of this section, but perhaps this highlights a topic that might be mentioned elsewhere -- preventing probing of address/data spaces, wherever possible. As it happens example 8.4 does not exhibit the leakage, perhaps underlining an additional benefit of CBV - separation of concerns into narrowly defined methods. In this case only permissions testing is needed in the dispatch override. Data access is defined presumably correctly in the superclass, and one would hope the order of operations would be correct (object or 404 only after dispatch()).
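Added example (not from the book or from the issue author): a constructed, Django-free model of the two orderings discussed above, with stand-ins for `get_object_or_404`, `check_sprinkles` and the request object, so that the difference in what an unprivileged caller can observe is visible without a Django install.

```python
"""Constructed model of the Example 8.3 ordering issue; the Django pieces are stand-ins."""
from dataclasses import dataclass


class Http404(Exception):            # stand-in for django.http.Http404
    pass


class PermissionDenied(Exception):   # stand-in for django.core.exceptions.PermissionDenied
    pass


@dataclass
class Sprinkle:
    pk: int
    flavor: str


SPRINKLES = {1: Sprinkle(1, "chocolate"), 2: Sprinkle(2, "vanilla")}  # constructed data


def get_object_or_404(pk):
    """Stand-in for django.shortcuts.get_object_or_404 over the constructed table."""
    try:
        return SPRINKLES[pk]
    except KeyError:
        raise Http404(f"no sprinkle with pk={pk}")


def check_sprinkles(request):
    """Stand-in permission check: the request is a dict carrying one boolean flag."""
    if not request.get("can_view_sprinkles"):
        raise PermissionDenied("not allowed to view sprinkles")
    return request


def leaky_view(request, pk):
    # Lookup before the permission check: a caller without permission still sees 404 vs 403.
    sprinkle = get_object_or_404(pk)
    request = check_sprinkles(request)
    return sprinkle.flavor


def fixed_view(request, pk):
    # The order suggested in the comment: permissions first, then the object lookup.
    request = check_sprinkles(request)
    sprinkle = get_object_or_404(pk)
    return sprinkle.flavor


def observed_status(view, request, pk):
    """Map a view call onto the status code the caller would receive."""
    try:
        view(request, pk)
        return 200
    except Http404:
        return 404
    except PermissionDenied:
        return 403


def probe(view, pks):
    """Status codes an unprivileged caller gets for each pk; identical codes mean no leak."""
    anon = {"can_view_sprinkles": False}
    return {pk: observed_status(view, anon, pk) for pk in pks}
```

With `leaky_view`, an unprivileged caller gets 403 for an existing pk and 404 for a missing one, so the two are distinguishable; with `fixed_view` both return 403 while a permitted caller still gets 200 or 404 as appropriate.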

pydanny commented 9 years ago

:ship:

It doesn't matter if this is the main focus of the section, you nevertheless raise a good point.