Mask URL in Django + React webApp - python

I want to share a page with clients over mail which is something like this:
https://blabla.com/docket/2443
but if I do so they can access all other pages by just changing the docket no., i.e. 2443 in this case.
I tried to use tiny-url but it's of no use. Is there any way to mask the URL to solve the above problem?

There are multiple solutions to that problem.
If that endpoint requires a login and is related to a User, you can add permissions to that endpoint which make it only accessible for the user(s) who are related to it.
If it is a public URL, you can make the id more sophisticated than an integer: you can make the id field a UUIDField, which makes it really hard to guess any other docket ids.
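Both suggestions combined, as an added Python example that is not the asker's code nor the answerer's: a UUID primary key so ids cannot be enumerated, plus an owner check on every lookup that returns the same 404 for "missing" and "not yours", so a client who tampers with the id learns nothing. The in-memory store and the usernames are constructed; the comments say where the Django equivalents go.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Docket:
    id: uuid.UUID
    owner: str   # username of the client allowed to view this docket
    title: str


# Constructed stand-in for the Docket table. In Django the model would declare
# id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
DOCKETS = {}
for _owner, _title in (("alice", "Lease 12"), ("bob", "Sale 7")):
    _d = Docket(uuid.uuid4(), _owner, _title)
    DOCKETS[_d.id] = _d


def parse_docket_id(raw):
    """Accept only a well-formed UUID; anything else (e.g. "2443") is rejected
    before the store is consulted."""
    try:
        return uuid.UUID(raw)
    except (ValueError, TypeError, AttributeError):
        return None


def fetch_docket(raw_id, requesting_user):
    """Return (http_status, docket). A missing docket and a docket owned by
    someone else both yield 404, so a caller cannot learn which guessed ids
    exist. In a Django view this is get_object_or_404 over an owner-filtered
    queryset, e.g. Docket.objects.filter(owner=request.user)."""
    docket_id = parse_docket_id(raw_id)
    if docket_id is None:
        return 404, None
    docket = DOCKETS.get(docket_id)
    if docket is None or docket.owner != requesting_user:
        return 404, None
    return 200, docket
```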

Related

Flask-restful API user accounts. Get full data and access to modify it if owner of account, get partial data otherwise

This is my first attempt to create a RESTful app using the Flask framework. This is an API for cooking recipes. I already have basic functionality but I have encountered a problem with user accounts and content based on the "logged in" user (username from authorization).
I ran through many tutorials and documentation, but I have not found the solution I'm looking for, only user/role based authentication to give or deny access to a specified resource.
Simply: everyone registered can see all users and their data, but only the owner of the account can access full data and modify/delete it.
I've decided to use the @auth.login_required decorator to check if the user is registered and then in other methods (GET, POST etc.) use my own function to compare the username from the URL with the username from the auth header:
    from flask import request  # request.authorization holds the parsed Authorization header

    def is_owner(username):
        # Compare the username from the URL with the one from the auth header
        # (only meaningful after @auth.login_required has verified the credentials)
        if username == request.authorization.username:
            return True
        else:
            return False
but I don't think this is a proper way of doing this. In POST, PUT and DELETE methods this is quite simple, because I either give or deny access, but in GET methods I want to return only part of the information, so e.g. only the username to guests, and full data containing email etc. for the owner of the account. The same applies to other GET methods (return all recipes to the owner or only those marked as public). This generates a problem with the response because I would have to create new fields for each type of response in order to use marshal.
The whole source code of this application is on my github.
This is mostly related question I've found, but I wonder if there are better ways.
There are for sure many bugs and strange ways in which I do some things as this is my first try. If you have some comments not regarding this particular question, please let me know in the comments or on my github page.
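One way to shape the GET responses the question describes, as an added example that is not the asker's project code: per-audience field allowlists (the same tuples can be passed as the `fields` argument of flask_restful's `marshal()`), an owner check that takes the already-verified auth username as a parameter, and a recipe filter that hides non-public items from everyone but the owner. The user record and recipes are constructed sample data; `password_hash` is there to show that an allowlist never leaks a field nobody listed.

```python
# Allowlists of fields each audience may see. Anything not listed here
# (e.g. a password hash) is never serialised, whichever branch is taken.
PUBLIC_USER_FIELDS = ("username",)
OWNER_USER_FIELDS = ("username", "email", "created")


def is_owner(username, auth_username):
    """True only when the verified auth username matches the URL username.
    auth_username must come from a header that @auth.login_required has
    already checked; an unauthenticated request passes None."""
    return auth_username is not None and username == auth_username


def serialize_user(user, auth_username):
    """Owner gets the full record, everyone else only the public allowlist."""
    fields = (OWNER_USER_FIELDS if is_owner(user["username"], auth_username)
              else PUBLIC_USER_FIELDS)
    return {name: user[name] for name in fields}


def visible_recipes(recipes, owner_username, auth_username):
    """All of a user's recipes for that user, only the public ones otherwise."""
    if is_owner(owner_username, auth_username):
        return list(recipes)
    return [r for r in recipes if r["public"]]


# Constructed sample data
USER = {"username": "anna", "email": "anna@example.com",
        "created": "2015-01-01", "password_hash": "<never serialised>"}
RECIPES = [{"title": "Soup", "public": True},
           {"title": "Secret sauce", "public": False}]
```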

Django Multi-site with shared database

I am about to develop multiple sites for different real estate companies. All share the same html, sections, etc. The difference is in the content, especially the properties... But some of those properties can be shared among the rest of the companies.
I am thinking of sharing the same database and differentiating content using the url. In this way I can use only one project instead of one for each company.
Does anyone have recommendations for this kind of project?
Thanks,
I have done that.
Was it a good idea? Yes, in my case it was. I had to reuse the same content and when we changed the content, it had to be changed on all pages. On a simple site, a triple deploy and changing the content in three different projects is kind of overkill. But whereas it works fine in a simple front-end page (that hardly even requires Django), I do not recommend it for "real" web apps.
What will break? Think about the things that your pages will share and see if it's a problem.
1) I'm guessing that if you'll want to have user login capability on the page (besides the admin login), then that's a problem, if I can use the same user for different companies that have no apparent connection whatsoever. You could be in for a lot of trouble if the companies find out that user private details aren't as private as they thought. And the same goes for the users who really don't have a clue how they ended up with a user account on a page they've never visited.
2) URLs. You can't have different ones for each company without some extra hacking. If one of the companies wants to have /about/ and the other one /company/ page, you're gonna start hacking a bad solution that will blow up in your face when the companies ask for the next page.
3) Anything else you might want to have on your page that is connected to hardcoded data or database values. I.e. social authentication etc.
What can you do about it?
If I was hellbent on solving the first one, here's what I would do:
- Override the user model and add info about the registering page
- Create custom managers for user model for each page
- Write a middleware that only lets you use the page-specific manager for the current request
All in all, I wouldn't do it in a million years. Way too hacky, way too vulnerable. Just create separate databases.
For solving the second one, you can create a multi-host middleware that checks which domain the request comes from and returns the correct URL config. Something similar to this. It's not really hard to rewrite and modify to your needs.
It's impossible to decide for you, but I've given you something to think about before going one way or the other. Good luck!
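The multi-host middleware the answer refers to, written out as an added example (not the answerer's linked code): it maps the request's host to a per-company URLconf by setting `request.urlconf`, which Django's resolver honours for that request. The host names and module paths are constructed placeholders. An unknown or malformed Host header selects the default URLconf rather than another company's, and Django's own `request.get_host()` already rejects hosts outside ALLOWED_HOSTS, so that list must contain every company domain.

```python
# Host header (without port) -> URLconf module for that company.
# Both sides are constructed placeholders.
HOST_URLCONFS = {
    "acme-estates.example": "sites.acme.urls",
    "bravo-homes.example": "sites.bravo.urls",
}
DEFAULT_URLCONF = "sites.default.urls"


def urlconf_for_host(host):
    """Normalise the Host value (drop the port, lower-case it) and look it up.
    Unknown hosts fall back to the default URLconf, never to another
    company's, so a forged Host header cannot pick a sibling site."""
    host = host.split(":", 1)[0].strip().lower()
    return HOST_URLCONFS.get(host, DEFAULT_URLCONF)


class MultiHostMiddleware:
    """Django middleware; register it in MIDDLEWARE before anything that
    resolves URLs. request.get_host() raises DisallowedHost for hosts missing
    from ALLOWED_HOSTS, so keep that setting in sync with HOST_URLCONFS."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.urlconf = urlconf_for_host(request.get_host())
        return self.get_response(request)
```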

Complex routes for Flask-Restless (e.g. "forgot password")

I wish to make a route for "forgot password"-functionality, while using Flask-Restless. My idea was that the request could look like this:
POST /api/user/<id>/forgot_password
and Flask-Restless would send this request to a custom "forgot password"-route which I provided. This way, I could define my own complex operations here on the user object (store intermediate stuff in DB, email password reset link, etc.)
I have not been able to find such functionality in the docs for Flask-Restless. Also, while trying to make a quick (hacky) separate route (outside of Flask-Restless) which simply corresponded to the above route, Flask-Restless still picked up on the request and returned a 405 (Method Not Allowed).
One can imagine this kind of functionality for other complex operations as well (e.g. change password, change email).
Is it possible to achieve this routing scheme somehow? If so, how?
If not, what would be an alternative? An ordinary route in a separate blueprint?
This is not possible within the Flask-Restless extension. One might be able to add it manually.
I made a feature request for this on the Flask-Restless issue tracker, and it was determined to be out of scope by the author.

Storing/Retrieving/Editing project specific data with Django

I'm new to Django and I'm working on the public website for a small company.
I'm facing an issue that I guess has already been encountered by lots of Django noobs, but I can't manage to find a good solution.
My problem is that there is some information (contact address, office phone number, company description...) that I use in nearly all of my views and that is by nature unique (understand: a database table with only 1 row). I currently store this information as a model in my database, but I find it a bit weird to issue an additional database request each time (each view) I need to access it. However, I need my client to be able to edit this information (via the admin interface).
So, please, is there a Django idiom to handle such a use case?
Thx in advance.
If you look into caching solutions, they will probably do what you need.
The general queryset caching solution I use is johnny-cache, but for what you need, you can probably just load it up from the db and store it in the cache.
What you want to do is use select_related('contact_profile','office_data') etc when you query the items in your view, and in the admin, instead of registering all the data separately just use the InlineAdmin class for the Admin site and you will be able to edit all the information as if it was a single entity.
Check out the django docs for more information.

How can I create a single log-in and profile for a network of three sites using Django?

I have a network of three sites and instead of having the user create a profile at each of the three sites, I'd like the user to only need to register one time, and then be able to use all three.
Is there an elegant solution to this problem?
Let the sites share the databases. Hence they will have a common user table.
Take a look at the django sites framework: http://docs.djangoproject.com/en/dev/ref/contrib/sites/
Depends on your server(s).
Do all the sites have access to the same DB? Then use dcrodjer's answer.
If not, you can implement an OAuth-style single sign-on service that the other sites authenticate against.
Ex:
site1.example.com
site2.example.com
site3.example.com
siteN.example.com
Would auth against oauth.example.com
If you can put those three sites into subdomains of a single domain, then I'm almost sure you can stick to what Django offers. What I'm writing about is something like this:
site1.mydomain.com
site2.mydomain.com
site3.mydomain.com
-- where login is implemented at mydomain.com.
Basically, mydomain.com should serve a small Django page that implements only the login form and maintains session for ".mydomain.com" domain (note the leading dot - it's required for the session to propagate to site1..3 subdomains). So if you log into mydomain.com, you're effectively logged into all three subsites.
And the easiest way to share server-side auth and session data is to make subsites 1, 2 and 3 use two databases: one small database shared with mydomain.com for auth and session data, and the other one specific to the given site.
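The two-database layout from this answer, as an added example (not the answerer's code): a settings.py fragment that scopes the session cookie to ".mydomain.com" and a database router that keeps the auth and session tables in the shared database while each subsite's own data stays in its default database. Database names, engine and the `routers.SharedAuthRouter` path are constructed. Because every host under .mydomain.com can read that cookie, every subsite must be trusted equally, which is why the Secure and HttpOnly flags are set too.

```python
# settings.py fragment (values are constructed placeholders)
SESSION_COOKIE_DOMAIN = ".mydomain.com"   # leading dot: sent to site1..3 subdomains
CSRF_COOKIE_DOMAIN = ".mydomain.com"
SESSION_COOKIE_SECURE = True      # never send the shared session over plain HTTP
SESSION_COOKIE_HTTPONLY = True    # keep it away from page scripts on any subsite

DATABASES = {
    "default": {"ENGINE": "django.db.backends.postgresql", "NAME": "site1"},
    "shared_auth": {"ENGINE": "django.db.backends.postgresql", "NAME": "mydomain_auth"},
}
DATABASE_ROUTERS = ["routers.SharedAuthRouter"]   # hypothetical module path

# Apps whose tables live in the shared database. contenttypes is included
# because auth.Permission has a foreign key to it; add "admin" as well if the
# subsites run the admin, since admin.LogEntry references User.
SHARED_APPS = frozenset({"auth", "sessions", "contenttypes"})


class SharedAuthRouter:
    """Django database router (the four hook methods are Django's API)."""
    shared_db = "shared_auth"

    def db_for_read(self, model, **hints):
        # None means "no opinion", so Django falls back to "default"
        return self.shared_db if model._meta.app_label in SHARED_APPS else None

    def db_for_write(self, model, **hints):
        return self.db_for_read(model, **hints)

    def allow_relation(self, obj1, obj2, **hints):
        # Foreign keys must not cross the database boundary
        return ((obj1._meta.app_label in SHARED_APPS)
                == (obj2._meta.app_label in SHARED_APPS))

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        # Shared apps migrate only on shared_auth; all other apps only elsewhere
        return (db == self.shared_db) == (app_label in SHARED_APPS)
```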
