Fixed #23482 -- Added SingleObjectMixin.query_pk_and_slug

Enabling the attribute causes get_object() to perform its lookup using both the primary key and the slug.
2025-08-03 10:34:04 +00:00 · 2014-09-12 18:23:35 -07:00 · 2014-09-12 18:23:35 -07:00 · 8c581ff394
commit 8c581ff394
parent 85f6d89313
5 changed files with 73 additions and 10 deletions
--- a/docs/ref/class-based-views/mixins-single-object.txt
+++ b/docs/ref/class-based-views/mixins-single-object.txt
@ -50,16 +50,40 @@ SingleObjectMixin

        Designates the name of the variable to use in the context.

+    .. attribute:: query_pk_and_slug
+
+        .. versionadded:: 1.8
+
+        If ``True``, causes :meth:`get_object()` to perform its lookup using
+        both the primary key and the slug. Defaults to ``False``.
+
+        This attribute can help mitigate `insecure direct object reference`_
+        attacks. When applications allow access to individual objects by a
+        sequential primary key, an attacker could brute-force guess all URLs;
+        thereby obtaining a list of all objects in the application. If users
+        with access to individual objects should be prevented from obtaining
+        this list, setting ``query_pk_and_slug`` to ``True`` will help prevent
+        the guessing of URLs as each URL will require two correct,
+        non-sequential arguments. Simply using a unique slug may serve the same
+        purpose, but this scheme allows you to have non-unique slugs.
+
+        .. _insecure direct object reference: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
+
    .. method:: get_object(queryset=None)

-        Returns the single object that this view will display. If
-        ``queryset`` is provided, that queryset will be used as the
-        source of objects; otherwise, :meth:`get_queryset` will be used.
-        ``get_object()`` looks for a :attr:`pk_url_kwarg` argument in the
-        arguments to the view; if this argument is found, this method performs
-        a primary-key based lookup using that value. If this argument is not
-        found, it looks for a :attr:`slug_url_kwarg` argument, and performs a
-        slug lookup using the :attr:`slug_field`.
+        Returns the single object that this view will display. If ``queryset``
+        is provided, that queryset will be used as the source of objects;
+        otherwise, :meth:`get_queryset` will be used. ``get_object()`` looks
+        for a :attr:`pk_url_kwarg` argument in the arguments to the view; if
+        this argument is found, this method performs a primary-key based lookup
+        using that value. If this argument is not found, it looks for a
+        :attr:`slug_url_kwarg` argument, and performs a slug lookup using the
+        :attr:`slug_field`.
+
+        .. versionchanged:: 1.8
+
+            When :attr:`query_pk_and_slug` is ``True``, ``get_object()`` will
+            perform its lookup using both the primary key and the slug.

    .. method:: get_queryset()

--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@ -225,6 +225,12 @@ Generic Views
  :attr:`~django.views.generic.list.MultipleObjectMixin.ordering` or overriding
  :meth:`~django.views.generic.list.MultipleObjectMixin.get_ordering()`.

+* The new :attr:`SingleObjectMixin.query_pk_and_slug
+  <django.views.generic.detail.SingleObjectMixin.query_pk_and_slug>`
+  attribute allows changing the behavior of
+  :meth:`~django.views.generic.detail.SingleObjectMixin.get_object()`
+  so that it'll perform its lookup using both the primary key and the slug.
+
 Internationalization
 ^^^^^^^^^^^^^^^^^^^^