When a user login your system,he wants to edit his personal information which is on the other page.I put a hyperlink named edit on logined.html,but how can I pass the user's id to edit.html?
I am using python's web.py web framework.Please help me.Many thanks!
There are multiple ways to do this. The usual way is to have all user data in server-side session store, and only give the client-side the session ID instead of user ID and similar sensitive information.
Your form would work without the user information, and then when you are handling the submitted data, you retrieve the user information from the session and basically assume that the user submitted it. There are ways to make this assumption safer by using CSRF protection, etc.
More on sessions in web.py: http://webpy.org/sessions/
More on CSRF protection: http://webpy.org/cookbook/csrf
Related
Currently I implemented a login routine for the website I am working on, according to This Tutorial.
Also I am not authenticating the user with djangos own system, because I am using authentication against the LDAP of my company (django-auth-ldap).
Currently I am using a general user to login to the database, which has universal access to all data, which also gives full access to any user logging in to the website.
To avoid that I would like to know how I can connect to the database as the individual user, who just logged in to the website.
Thanks in advance and sorry for bad english
Restricting user access to functionality and authenticating with the DB are handled separately in Django. You might be able to read the privileges of your users from the DB and map them to Django permissions but this is non-trivial (about Permissions see https://docs.djangoproject.com/en/2.1/topics/auth/default/#permissions-and-authorization).
In a UI/UX that has functionalities restricted depending on authorization, the frontend and backend need to be aware that permissions need to be checked and missing authorization needs to be communicated in some way or other to the user.
Example:
Users in group A are allowed to delete X. They see the "delete" button and there might also be an AJAX call that can delete X.
Users in group B are not allowed to delete X. They do not see the delete button and the AJAX call that can delete X needs to check for that permission and/or user group membership.
If you are only using a DB level authorization layer than - how would you know if the "delete" button should be displayed and for what to check in the AJAX call?
hi!
If I'm getting your problem correctly, the user you are creating is a Super User every time right?
Well if you are using Django auth.User model, you can just make User_object.is_super to False and then restrict the access of users though if-else in view! (User_object is the object of the auth.User model)
Does that made any sense?
//BTW, a side-note, a mistake I made while making my first custom user model: make sure to store your passwords hashed using Django hashes and salts!
So I have lots of forms that aren't attached to models, like a search form. I don't want people to be able to access these without first verifying their account through an email. How is the best way to limit their ability to do this? Is it through custom permissions? If so, how do I go about this? Thank you so much!
You have several ways to do it:
UI level: when the search field is focused you can say through an alert or other mechanism to notify users you are not allowed to search.
Server level: assuming your user is logged in or has an account you can verify the user in the search request and return a response where you state you cannot search without confirming your email.
Don't let them use the site after registering unless they confirm their email. You can see doing searches as data display and if you don't block that either you confuse users. Why can I see all articles but can't search?
I would go for 3. and let them use the site. They can confirm it afterwards when they try to do something which modifies the DB (aka they try to post something, then from a psychological standpoint there is a block between them and their objective and they will be more willing to confirm in order to achieve their objective)
I am building a system which serves content on external properties. I would like to track users which have not registered with my site with anonymous unique IDs. Then, if later they register with my site, I can covert them to regular Django users, but still have information related to their preferences and activities when they were anonymous.
Is there a facility to automatically set a user cookie via Django so that if they user is accepting cookies, I have a user session ID to work with?
I'd prefer not to come up with a custom solution if Django has some path to move from Anonymous to Authenticated users.
I suggest you look for sessions. They use cookies, store a unique id into a cookie which is linked to a file on your server containing their data.
https://docs.djangoproject.com/en/dev/topics/http/sessions/
I've looked for a solution to problems like this in the past. Django Lazy Signup (https://github.com/danfairs/django-lazysignup) looks like it should solve your problem and not force you to reinvent the wheel, though, fair warning I haven't personally used the project.
I'm trying to implement single sign-on using only django auth.
Let's assume two django projects, on different sub-domains: site.com(auth) and app1.site.com(app1)
The auth table in site.com is master. site.com handles: login, logout, account registration, etc.
site.com sets SESSION_COOKIE_DOMAIN to .site.com to allow it to be read by subdomains
app1 will have login_url set to a view in the app1 project, which does the following:
retrieves site.com's session_id value(from cookie)
validates session_id by making a request to: site.com/validate/[session_id]/
If False, redirects to site.com/login?next=[...]
If True, request user data to: site.com/attributes/[session_id]/
site.com/attributes/ delivers a dictionary with all the User values, encrypted using a shared SSO_KEY(encryption done the same way django encodes and decodes session_id)
Now, app1 has a model SSO_User which has two fields, a foreign key to User model and an integer field. The SSO_User models links local auth User to the id of master auth table.
Using the id retrieved from site.com, we check SSO_User for existing local user, if true we simply update the values and login; if non existing, we create the user and SSO_User and login.
app1(or any other sub-domain) can keep their own profile information, without interfering with anything.
It seems simple to implement and safe, but before implementing I wanted some opinions. What do you think?
I don't profess to be a web security expert, but I've done something similar in the past. As long as you properly set the cookie domain (which you claim to be doing) I don't really see any security issues, especially since both sites are on the same domain.
If you really want to be safe I suppose you could set up your own OAuth portal or something, but quite frankly that seems to be overkill.
I'm creating a widget that gets installed on various different sites and I need distinct users for each site. Problem is, the same person browsing might have 2 different sites open at once that use my widget. This means that I need users to be logged in with multiple accounts simultaneously to the same Django site.
From my understanding, Django usually assumes that only 1 user is logged in per session.
What's the simplest and most effective way to go about this?
I ended up storing the per-site data in the user's session, i.e. session['site_id_1'] = user_obj_1, session['site_id_2'] = user_obj_2, etc...
Instead of logging in, I just store the user data in the appropriate key. Instead of logging out, I delete the key for the site.
I think you have to rewrite the session middleware. In the default implementation the session is stored in the database, the session_key is saved in a cookie and the cookie_name is defined in settings.py.
So if you write your own session middleware, you can define different cookie names for every site and retrieve the session from the database accordingly. django.contrib.sessions.middleware.SessionMiddleware is a good template.