Excuse me if I'm not very direct about what I'm talking about or need, I'm fairly new to django/python and am still in the process of understanding things.
I am creating a webapp with Django where a user will sign up, log in, create a new entry, save it, and view/edit it. Think of it as a personal diary that should be only accessible to the user who wrote it.
I've gotten pretty far in this and am using filtering in the ListView, but someone could easily use URL manipulation to find other users' entries.
Such that User A posts entry 4 at site.com/entry/4 and then user B is able to type that in and see the entry.
How can I go about restricting the url to only the user who posted it?
Thanks for any help, and again sorry if I'm not giving enough information or I'm not clear on what I am talking about!
I have a Django project and several views. In one view I want to track the time users spend.
How can I do that? Maybe some libraries or Django built-in methods?
A little bit more about the view:
When the user opens the view he can see many photos, and then he needs to choose similar ones and save. Then the page reloads with new photos and the task is similar: find similar photos and submit.
I need to track and store the time each user spent on this task.
If I check the user's time when he opens the view I don't know when he closes it, and also the user can just open the view and chill, without doing anything.
How, or with what, can I realize it?
Sorry, I wasn't able to comment, but hope this helps:
Make use of Django sessions (django.contrib.sessions) to check the user session (start and stop)
Use JavaScript & jQuery to track the time spent, and also check mouse events/key events to make sure the user actually does something
I want to implement a "share on my profile" button on my page but I have a hard time figuring out how to do so. When I try to find something like that (Google/here) the results are "how to share something from your site on Twitter/Facebook". If there is a similar question please share the link; I was not able to find anything.
So I have a site where users have a profile where the liked content is displayed and I would like to give the user the option to share a Post on his own profile with a personal comment (like FB/Twitter does).
My problem is that I don't know how to implement this in my models. If I want to save the "shared" post in a QuerySet in the UserProfile model I don't know where to save the comment for each shared post. If I make an extra table for all the shared posts with an extra form combined it's a total mess, since each post is saved individually and I don't know how to combine the existing image into the form where the user writes his comment.
Can anybody tell me in which direction I have to walk? Feeling a bit lost on this one.
You don't need to make an extra table, Django will do it for you, if you use ManyToManyField in your Post model.
See this docs https://docs.djangoproject.com/en/1.10/ref/models/fields/#manytomanyfield
I have a question about REST design in general and specifically what the best way to implement a solution is in Django Rest Framework. Here is the situation:
Say I have an app for keeping track of albums that the user likes. In the browser, the user sees a list of albums and each one has a check box next to it. Checking the box means you like the album. At the bottom of the page is a submit button.
I want the submit button to initiate an AJAX request that sends to my API endpoint a list of the ids (as in, the Django model ids) of the albums that are liked by the user.
My question is, is this a standard approach for doing this sort of thing (I am new to web stuff and REST in particular)? In other words, is there a better way to handle the transmission of these data than to send an array of ids like this? As a corollary, if this is an alright approach, how does one implement this in Django Rest Framework in a way which is consistent with its intended methodology?
I am keeping this question a little vague (not presenting any code for the album serializer, for example) intentionally because I am looking to learn some fundamentals, not to debug a particular piece of code.
Thanks a lot in advance!
Consider the upvote button to the left. When you click it, a request may be sent to stackoverflow.com/question/12345/upvote. It creates an "action resource" on the db, so later you can go to your user profile and check out the list of actions you took.
You can consider doing the same thing for your application. It may be a better user experience to have immediate action taken like SO, or a "batch" request like with gmail's check boxes.
I am a Django newbie. I created an app which has a user login/registration page. Now I want to include a CAPTCHA also in the registration page. Can somebody guide me on how to implement this in Django, as I am quite new to it? On googling I found there are many modules which do the function out of the box. If this is the way to go, then which application is a better choice? Also I found most of them were explained on the basis of using Django Forms. But I used simple HTML forms instead of Django forms. Any help would be appreciated.
Your question about which 3rd party solution is "better" is subjective, and stackoverflow doesn't generally like to answer subjective questions. Take some time and evaluate each in light of your needs.
You often don't need a fancy image captcha. Even a simple question like "what color is an orange?" will stop most spam bots. I posed a simple question on my registration form, asking the user to type the domain name of the site. Simple but very effective. You can also include an input box on the form, and hide it with CSS (display: none). If this input comes back to you filled out, chances are good a bot is trying to register.
It doesn't really matter that these 3rd party solutions are using Django forms, and you are using "simple HTML". In your registration view, you simply process request.POST. It doesn't matter how the form was generated.
I go for Google's reCAPTCHA, and it's easy to integrate.
Here is a tutorial I wrote for integrating Google's reCAPTCHA in forms. Hope it helps.
You could write one yourself if you liked. All you are essentially doing is generating a number/word in your view, embedding it in the template in some robot-unfriendly way (an image for example) and then validating it when the form is posted back.
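An added example (not from any answer on this page) of the two lightweight checks described above: a question whose expected answer stays in the server-side session, and a CSS-hidden honeypot field that must come back empty. It is plain Python over dicts standing in for request.session and request.POST; the questions and field names are assumed.

```python
import hmac
import secrets

# Hypothetical challenge questions (assumed): prompt shown in the template, expected answer kept server-side.
QUESTIONS = {
    "site_domain": ("Type the domain name of this site", "example.com"),
    "orange_color": ("What color is an orange?", "orange"),
}

def issue_challenge(session):
    """Pick a question, remember which one in the session, return only its prompt.
    The expected answer never goes into the HTML, so a bot cannot read it off the page."""
    key = secrets.choice(list(QUESTIONS))
    session["antibot_question"] = key
    return QUESTIONS[key][0]

def passes_bot_checks(session, post):
    """Validate the posted registration form (a dict like request.POST) against the session."""
    # Honeypot: the input hidden with display:none must come back empty; bots fill every field.
    if post.get("website", "").strip():
        return False
    key = session.pop("antibot_question", None)  # single use: one challenge per attempt
    if key not in QUESTIONS:
        return False  # no challenge was issued for this session, e.g. a replayed or forged POST
    expected = QUESTIONS[key][1]
    given = post.get("antibot_answer", "").strip().lower()
    # Constant-time comparison, same habit as for any other secret-bearing check.
    return hmac.compare_digest(given.encode(), expected.encode())
```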
You can still use django-simple-captcha if you are using html forms instead of django forms.
Similar question: Easy-to-use django captcha or registration app with captcha?
Try: http://code.google.com/p/django-simple-captcha/
I followed the instructions at http://www.marcofucci.com/tumblelog/26/jul/2009/integrating-recaptcha-with-django/ to create a custom reCAPTCHA widget and field using the python client. You can then add it to your form with:
recaptcha = ReCaptchaField()
I'm making a SaaS and I've been asking a slew of questions on here related to the built-in Auth system. I'm having trouble understanding the "why" and "how". Primarily I don't understand how it fits in with my SaaS.
I (do) know the following:
You can do this: http://docs.djangoproject.com/en/dev/topics/auth/#storing-additional-information-about-users
There are many reasons to use the built in auth system (like security) instead of rolling your own
I (don't) know the following:
from django.contrib.auth.models import User
from django.db import models
from annoying.fields import AutoOneToOneField  # from django-annoying

class MyUserProfile(models.Model):
    """
    Administrator for an Account. Can edit tickets and other stuff.
    """
    user = AutoOneToOneField(User, primary_key=True)
    account = models.ForeignKey(Account)  # Account is defined elsewhere in the project
    dogs_name = models.CharField(max_length=255)
In the previous example, account is just what you'd expect: an entity that's paying to use my software. user is my main concern. Somebody goes to a page and creates a UserProfile with a username and password, etc. When they do this, where does the related User get created? Do I need to create it in my view manually based on request.POST['username'], etc., and then do
myuserprof = MyUserProfile.objects.create(user=foo_user_just_created, account=foo_account, dogs_name='Spot')
I don't know why, but for some reason I feel like I'm missing something. This idea of asking somebody to sign up for an account, and then create a MyUserProfile with a form that asks for the password, username, email, et al., and then in my view creating 2 different objects (MyUserProfile and User) with different parts of the form data. I mean, I shouldn't have a User form, right? Like I said, I feel like I'm either skipping a step or I'm in the wrong paradigm. I'm not new to Django, but for some reason I have trouble with things that I didn't build (I think it might be a mental problem for real at this point).
Maybe there is a good example of this sort of thing being done on some open source project.
Update: Oops, forgot to mention that in the code above I tried to use AutoOneToOneField from django-annoying, but I have no idea where all the User's attributes get set or how to decide which User object to attach to it. This stuff is driving me crazy.
Also, do I need to use the sites app to do this stuff, and finally does a "super user" have all permissions to everything (I don't want people from Account "Acme" to access account "Microshaft" objects)? Or do they just have all permissions to all views?
Somebody goes to a page and creates a UserProfile with a username and password, etc.
UserProfile doesn't have a username or password field. So it should be: somebody goes to a page and creates a User. Then, it creates a UserProfile associated with that newly created User.
The question is, how and when do you want this UserProfile instance to be created?
Automatically, whenever a new User is created: use signals, as described in the docs
Automatically, whenever the profile is accessed from a user instance: use AutoOneToOneField, and access the profile using user.userprofile instead of user.get_profile()
Manually. But don't forget a user might have no UserProfile associated yet, so user.get_profile() might raise a DoesNotExist exception.
When they do this, where does the related User get created?
It doesn't. You have to create it explicitly.
This idea of asking somebody to sign up for an account, and then create a MyUserProfile with a form that asks for the password, username, email, et al, and then in my view creating 2 different objects (MyUserProfile and User) with different parts of the form data. I mean I shouldn't have a User form right?
Why not? You want here to create a User and his associated profile in one go, right? You could possibly use the POST data directly, or use a Form to access the fields, or even better, use 2 ModelForms (one for User, one for UserProfile) that you will process in the same view (maybe this question can help?)
Maybe there is a good example of this sort of thing being done on some open source project.
I suggest you check out django-registration and django-profiles.
Note
You have another way of adding information to a User object, by extending the model itself. It will allow you to put your extra fields directly in the user model and might be easier for you to understand and use.
I won't dive into details here; have a look at that tutorial for more information.
Other questions
I tried to use AutoOneToOneField from django-annoying, but I have no idea where all the User's attributes get set or how to decide which User object to attach to it. This stuff is driving me crazy
See above on how to use it. If you feel uncomfortable with it, the best is to follow the documentation, which recommends using a ForeignKey with unique=True in user profiles.
Also, do I need to use the sites app to do this stuff
From the site framework docs: Use it if your single Django installation powers more than one site and you need to differentiate between those sites in some way.
and finally does a "super user" have all permissions to everything (I don't want people from Account "Acme" to access account "Microshaft" objects)?
Again, from the docs: Designates that this user has all permissions without explicitly assigning them. That means that everywhere Django is using the built-in permission system (e.g. default administration pages), a superuser will be authorized.
In views you're writing yourself, or if you tweak some ModelAdmin, it's up to you to decide how you are going to check permissions.