I'm working on a question and answer system with Django. My problem: I want the app to get a question from an ontology and, according to the user's answer, get the next question. How can I have all the questions and the user's answers displayed? I'm new to Django; I don't know if I can use sessions with an unauthenticated user, or if I need to use WebSockets with the Django Channels library.
Given that you want to work with anonymous users, the simplest way to go is to add a hidden field on the page and use it to track the user's progress. The field can contain a virtual session id that will point at a model record in the backend, or the entire Q/A session (ugly but fast and easy). Using REST or sockets would require a similar approach.
I can't tell off the top of my head if you can step on top of the built-in session system. It will work for registered users, but I do believe that for anonymous users it gets reset on refresh (may be wrong here).
Currently I have implemented a login routine for the website I am working on, according to This Tutorial.
Also, I am not authenticating the user with Django's own system, because I am authenticating against my company's LDAP (django-auth-ldap).
Currently I am using a general user to log in to the database, which has universal access to all data, which also gives full access to any user logging in to the website.
To avoid that, I would like to know how I can connect to the database as the individual user who just logged in to the website.
Thanks in advance, and sorry for my bad English.
Restricting user access to functionality and authenticating with the DB are handled separately in Django. You might be able to read the privileges of your users from the DB and map them to Django permissions but this is non-trivial (about Permissions see https://docs.djangoproject.com/en/2.1/topics/auth/default/#permissions-and-authorization).
In a UI/UX that has functionalities restricted depending on authorization, the frontend and backend need to be aware that permissions need to be checked and missing authorization needs to be communicated in some way or other to the user.
Example:
Users in group A are allowed to delete X. They see the "delete" button and there might also be an AJAX call that can delete X.
Users in group B are not allowed to delete X. They do not see the delete button and the AJAX call that can delete X needs to check for that permission and/or user group membership.
If you are only using a DB-level authorization layer, then how would you know if the "delete" button should be displayed, and what to check for in the AJAX call?
Hi!
If I'm getting your problem correctly, the user you are creating is a Super User every time, right?
Well, if you are using the Django auth.User model, you can just set User_object.is_super to False and then restrict the access of users through if-else in the view! (User_object is the object of the auth.User model)
Does that make any sense?
//BTW, a side note, a mistake I made while making my first custom user model: make sure to store your passwords hashed using Django's hashes and salts!
I've created a custom user model (AbstractBaseUser) so that users could log in to my website.
The problem is that I want to keep using Django's default user and authentication system for the admin, so that staff could easily log in and manage stuff.
I saw a lot of tutorials, but all of them instruct to change the setting AUTH_USER_MODEL; if I change that, I won't be able to keep using Django's default user.
Is there any solution for this?
Thanks in advance.
I have never implemented this myself, but to point you in the right direction, it may be worth having a read through this:
https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#authentication-backends
By the sounds of things you may be able to write an authentication backend for your front end user model, that you can run in tandem with Django's authentication system.
If you could get this to work, I would imagine that you would then have to make sure that the front end user model, once authenticated, can not access the admin part of the site.
For me the million dollar question here is, why do you want to keep the front end and backend users on separate models? They both have the same job, to authenticate the user?
I've created several projects in the past where there are front end users and admin users. Out of the box, without any modification you set the user attribute is_staff=False for front end users and is_staff=True for the admin users; that determines whether or not a user can access the admin part of the site, and I've never had any issues with this approach.
If the front end user (or backend user) desires additional functionality, the simplest solution would be to extend the user model:
https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#extending-the-existing-user-model
Alternatively, you could create a custom user model and use this for both.
If you're willing to provide more details, perhaps I could help further, but unless there's a strong reason for having separate user models, I'd just stick with the one and configure and extend as you need.
I hope this helps.
I want to make a django site which has no profile authentication or signing in. Anonymous users will be able to make a form that will be potentially open to anyone else on the site.
I'd like to do two things:
Somehow limit access to this form to certain people, without on-site profiles. Maybe passwords/encryption keys distributed by email? Or secret one-time links using random URLs to make finding them/crawling them difficult, only accessible to those who know about them?
A way that the user who created the form can delete the form. Again, perhaps email a secret password upon creation to whoever created the form, which can let them delete the form?
Are there any Django plug-ins I should look into, or does anyone have tips about how I should go about this? I'm interested in the shareasecret site, and aspects of security in one time links without profile authentication, however, I'm not sure of best practices and ways to go about this sort of thing.
There is no best practice nor a plugin for this use case. It is a common-or-garden, simple use case which should not demand that much code and logic that you look for some plugin or best practice. Just draw the picture you imagine, sit and write your code. If you have any exact problems in your code, then ask a question.
Given that the specific site you're trying to recreate has an API, it would appear that the details aren't matched against the user, but the post itself. So simply make a model that has the two things that it requires:
Query Params
SECRET_KEY: the unique key for this secret.
passphrase (if required): the passphrase is required only if the secret was created with one.
So I'd suggest either using the same method yourself, or just using their API.
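The secret-link and delete-by-secret ideas from the question, as an added example (not code from the thread or from the shareasecret site): tokens come from `secrets`, only their hashes are stored, and the delete token is checked in constant time. The in-memory `FORMS` dict is a constructed stand-in for the Django model; `create_form`, `find_form` and `delete_form` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the model table, keyed by the hash of the access
# token. In the real app these would be two hashed-token columns on the model.
FORMS = {}


def _hash_token(token: str) -> str:
    # Store only a hash: a leaked database row must not yield a working link.
    return hashlib.sha256(token.encode()).hexdigest()


def create_form(title: str):
    """Create a form and return (access_token, delete_token).

    Both tokens are shown/emailed exactly once; token_urlsafe(32) gives 256
    bits of entropy, so the resulting URLs cannot be guessed or enumerated.
    """
    access_token = secrets.token_urlsafe(32)
    delete_token = secrets.token_urlsafe(32)
    FORMS[_hash_token(access_token)] = {
        "title": title,
        "delete_hash": _hash_token(delete_token),
    }
    return access_token, delete_token


def find_form(access_token: str):
    """Resolve a secret link (/forms/<access_token>/) to its record, or None."""
    return FORMS.get(_hash_token(access_token))


def delete_form(access_token: str, delete_token: str) -> bool:
    """Delete the form only if the emailed delete token matches."""
    form = find_form(access_token)
    if form is None:
        return False
    # Compare hashes in constant time so a wrong token cannot be narrowed
    # down byte by byte through response timing.
    if not hmac.compare_digest(form["delete_hash"], _hash_token(delete_token)):
        return False
    del FORMS[_hash_token(access_token)]
    return True
```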
I'm creating a small SaaS app in Django. It gathers data from web servers of different organizations. Once in a while it automatically needs to send out notification mails to their customers (domain owners).
I would like to let our users (the web hosters) change the email templates to their liking/needs before sending them out. The email templates are plain Django templates, including a number of available variables. So I created a model for the email templates, which can be edited by the users through a form. They have access to a limited number of template variables per email template.
Are there any security issues/risks that I need to be aware of? Or is this approach recommended?
My approach is currently aimed at server side rendering of the emails. I also checked out some solutions for client side rendering, like Dust.js, but I'm not yet convinced that it will help me.
I believe there are many answers on here already regarding this; but to summarize what I've found: It is "safe" to do so, but take care what variables/objects you expose to the user (i.e. include in the context of the template to be rendered).
render_to_string('template_name.txt', {'user': Users}) would be really bad :)
It all depends on the context in which the template will be evaluated, just make sure that no variable is passed that should be considered private.
Also, should a security bug be discovered in Django templating system, your web application would be at risk. You would have to validate the input, but you can't really do that, because the input does not have any particular structure.
So try and sandbox the process from the rest of the application, if you can. Or simply ask yourself if this feature is really necessary and if you can't just let the user specify what to include in the message by using a checklist or anything similar. At that point, validating the input becomes trivial and you don't have to expose the full template to the user.
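The two mitigations from the answers above (pass only a minimal context, and restrict what a hoster-edited template may reference), as an added example that is not code from the thread. It needs no Django: `DomainOwner` is a constructed stand-in for the ORM object, `ALLOWED_VARS`, `build_context` and `template_problems` are hypothetical names, and the check only recognises Django's `{{ var }}` / `{% tag %}` syntax.

```python
import re
from dataclasses import dataclass


@dataclass
class DomainOwner:
    """Constructed stand-in for the ORM object that would otherwise be passed
    straight into render_to_string(); it carries fields that must never reach
    a customer-editable template."""
    name: str
    email: str
    domain: str
    password_hash: str
    api_token: str


# The only names a hoster-edited template may use for this email type.
ALLOWED_VARS = {"owner_name", "domain", "expiry_date"}

VAR_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")
TAG_RE = re.compile(r"\{%.*?%\}")


def build_context(owner: DomainOwner, expiry_date: str) -> dict:
    """Flatten the model into plain strings. Passing `owner` itself would let
    `{{ owner.password_hash }}` or `{{ owner.api_token }}` render."""
    return {
        "owner_name": owner.name,
        "domain": owner.domain,
        "expiry_date": expiry_date,
    }


def template_problems(source: str) -> list:
    """Return the reasons a submitted template must be rejected ([] if clean):
    any template tag, any attribute lookup, or any variable outside the
    allowlist. Filters (`{{ x|upper }}`) are tolerated for plain-text mail."""
    problems = [f"tag not allowed: {tag}" for tag in TAG_RE.findall(source)]
    for expr in VAR_RE.findall(source):
        name = expr.split("|", 1)[0].strip()  # drop the filter chain
        if "." in name or name not in ALLOWED_VARS:
            problems.append(f"variable not allowed: {name}")
    return problems
```

Run `template_problems` when the hoster saves the template, before it is ever stored or rendered, and render with nothing but the dict from `build_context`.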
I am building a system which serves content on external properties. I would like to track users who have not registered with my site with anonymous unique IDs. Then, if later they register with my site, I can convert them to regular Django users, but still have information related to their preferences and activities from when they were anonymous.
Is there a facility to automatically set a user cookie via Django so that, if the user is accepting cookies, I have a user session ID to work with?
I'd prefer not to come up with a custom solution if Django has some path to move from Anonymous to Authenticated users.
I suggest you look into sessions. They use cookies, storing a unique id in a cookie which is linked to a file on your server containing their data.
https://docs.djangoproject.com/en/dev/topics/http/sessions/
I've looked for a solution to problems like this in the past. Django Lazy Signup (https://github.com/danfairs/django-lazysignup) looks like it should solve your problem and not force you to reinvent the wheel, though, fair warning, I haven't personally used the project.