I have created a form that lets you create a new site with Djangos built in Site module. I have setup a url, view and template for it. Everything is working as expected.
The user will go to the URL /welcome/ when successfully created a site. But then I realized that everyone that tries to go to that URL will see the welcome content. Including Google. That is not what I want.
I want to restrict this URL to the current session and give a 404 page when others trying to go to that URL also for logged in users. I have looked at Djangos view decorators but haven't found one for my particular need.
Is this possible?
EDIT
To clarify:
I would like to ONLY display /welcome/ after the actual creation of the site. The user that CREATED this site will ONLY have permission to display that page. To others that tries to display the page it will raise a 404 (not found) error.
I'm not entirely sure what you want, but if you want to restrict a view for a certain site, you could use get_current_site().
current_site = get_current_site(request)
if not current_site.domain == 'foo.bar.com':
raise Http404
Use request.user to access the current user.
You could implement this check in your own view decorator or perhaps in custom Django middleware.
Related
I have a model in my django project that uses the UrlField to keep external urls files. I use the #login_required in my view to prevent anonymous users to get access to this content. But, in this case, a logged-in user can retrieve this information and post anywhere for everyone to use.
My intention was to create a specific path on my urls.py, with the model id as one of the parameters, and in the view called by this url it would fetch the content in the UrlField and serve the user without display any external link. Something like a proxy or mask for external urls.
Does anyone know how to do this?
I've tried to use HttpResponseRedirect, but in the end the browser keep showing the url I want to hide.
you have to make your statics files server talk with django, maybe with this
https://github.com/johnsensible/django-sendfile
Is it possible redirect to another web after login with python-social-auth?
let's say:
The example above is according to the documentation and it is working well, but when I try this:
I get the following error:
http://example.com:8000/accounts/profile/ Not Found
This makes sense; I don't have this URL defined
At this point I have been already logged in, but I see an error page.
But with the same configuration, if I redirect to my own site, this works, I think this is something about settings, but I don't know which one.
EDIT:
If I remove the next GET param in the first configuration, it raise the same error.
It isn't safe to redirect to a different domain, e.g. https://www.google.com. To understand why, imagine that I send your users a link to:
http://www.yoursite.com/login?next=http://myevilsite.com
If your login page trusted the next url, then your users will be redirected to my site after they have logged in. I could use this for phishing attacks.
To prevent against this, Django checks that the next url is safe to redirect to. If it is not safe, then it will redirect to the settings.LOGIN_REDIRECT_URL, which defaults to /accounts/profile/. You can see the code here.
I had the same problem and I think there is some situations where it is interesting to redirect to another domain (ie: you have your backend under a different domain than your frontend).
After some investigation I found that you can control which domains are safe to redirect to (https://github.com/python-social-auth/social-core/blob/1d809941ab8a99af9e1bdf12bae548202c94eaa2/social_core/actions.py#L20).
Just add this to your settings.py:
SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS = ['domain1', 'domain2']
I have my login and register on the main page, index. When the user logs in or registers successfully, everything's gravy.
However, when there's an error, Flask-Security redirects the user to a different page, /login and /register respectively. I don't see a need to include these separate pages. How do I have Flask-Security not redirect and instead show the errors right there on the index page?
I've tried setting SECURITY_{REGISTER,LOGIN}_USER_TEMPLATE='/index.html' but that did not work.
SECURITY_{REGISTER,LOGIN}_USER_TEMPLATE requires a template, you're specifying a URL. So if you change it to SECURITY_REGISTER_USER_TEMPLATE='index.html' it'll try and render the template you mention.
But what I think you really should do, is use JSON to manage your login features since you're squidging them into a single page.
Flask-Security's login and register views look out for JSON requests, and so if you send it some, it'll in turn respond with JSON, and in the case of a bad password/bad email etc, it'll include the errors in the JSON return data, so you could then handle your logins purely via Ajax.
You can see how the login watches for JSON in the source and how the returned data is rendered
I have the following user flow:
1) user registers.
2) user has a 'getting_started' page where he fills out some basic info and adds a picture.
3) user activates his email and logs in
After a user has finished filling out his info on the getting started page, if he goes back to the page getting_started/, I want the user to be redirected to his home/. What would be the easiest way to accomplish this? (As a reference, similar to the LinkedIn or Facebook Sign Up flow).
The way that comes to mind for me is to set a global variable getting_started = 1 after the user fills out the getting_started page, and on the getting_started page, do --
if getting_started:
redirect to home/
else:
...(normal getting started view)...
Is it just the getting_started view/page that you want to redirect on? Don't think in terms of global variables, think in terms of database fields!
Once your user has signed up, they will be a registered user (if you are using djangos auth app) and they will have an entry in the database. Therefore you simply have to check to see if the user is registered already: if so, redirect, otherwise allow them to continue signing up.
You could simply put a check at the start of the getting_started view to see if the user has already signed up
from django.http import HttpResponseRedirect
def getting_started_view(request):
if request.user.is_authenticated():
return HttpResponseRedirect(reverse('home_view'))
where home_view is in your urls.py:
url("...","someapp.views.viewname", name="home_view"),
...
(or you could hard code the redirect)
If you are looking for more complex redirects (maybe numerous pages that require a redirect to the home page) you should look at writing some middleware. This will allow you to intercept every request coming in, see if it's to a certain page, and redirect.
https://docs.djangoproject.com/en/dev/topics/http/middleware/?from=olddocs
The Django framework easily handles redirecting when a user fails to log in properly. However, this redirection goes to a separate login page. I can set the template to be the same as the page I logged in on, but none of my other objects exist in the new page.
For example, I have a front page that shows a bunch of news articles. On the sidebar is a login form. When the user logs in, but fails to authenticate, I would like it to return to the front page and preserve all the news articles that show. As of current, none of the news articles show up.
How can I fix this problem? Any help is appreciated.
Edit: Remember that I have dynamic content that is being displayed, and I would like it to still display! Futhermore, the main page is not the only place a user can log in. The sidebar never changes, so the user can potentially log in from any page on the site, and all of the content on that page exactly as it was still needs to be displayed upon failure to log in.
Do you want to redirect to the referring page on failed login?
... authentication code above
if user.is_authenticated():
#show success view
else:
return HttpResponseRedirect(request.META.get('HTTP_REFERER', reverse('index'))
you might want to check that referring page url is set correctly, otherwise set it to default url (assuming that your default url is named "index").
Use an <IFRAME> in the sidebar to
call the login view -- all postbacks
will happen within the iframe, so
your page stays intact. If the
visitor logs in successfully, you
can use javascript to redirect the
parent page to some other URL
Use AJAX to post the login form --
acheives the same effect as (1), but
it means your visitors will need to
have javascript-enabled browsers
I personally prefer to have the login on a separate page. If you're only worried about your visitors losing their current page (and not say, bound by a fussy client), you can have the login show up in a lightbox. I've used all three approaches in the past, and I'd be happy to post some code samples if you're interested.
This is because redirecting to a view misses the original context you use to render the page in the first place.
You are missing just a simple logic here. You are trying to render the same template again, but with no news_article list.
I suppose (in the first place), you are rendering the template which shows you Articles as well as login form, by sending two things 1. Login Form, and 2. Articles List.
But secondly, when user fails to authenticate, you are not passing the same things again. Pass those variables again as context (you can also add error message if your form is not handling error messages).
if user.is_authenticated():
#show success view
else:
return render_to_response('same_template.html', {
'error_msg': 'Username or password you provided was incorrect',
'news_articles': NewsArticles.objects.all()[:3],
'login_form': LoginForm(request.POST);
})
Edit: The reality is that, a context is used to render a template, and it's the complete responsibility of that template, what it wants to pass in further navigation. And as I see, if you are not passing something further, you are not getting it further.
If you want some automated context, develop your own context processor, something like the auth-context-processor, which automatically adds like 'user', always available to the template.
And by the way, you are going to miss that kind of context anyway, even if login is authenticated. So if that particular context is really important, either try sending the primary keys of articles along with the login form submit, or store that in global (ugliest thing ever) or just reconsider and separate the flow (good thing, I feel).