I'm trying to make a website that requires users to enter information about themselves. In order to check to see if this information is correct, it needs to enter the information on another website (that has an entire database of these types of users). It will then return the results found. How do I do such a thing? Where do I start? I tried googling but I couldn't even think of what this would be called?
Not really sure what you're looking to do as it doesn't make much sense. But you need to validate data provided by users on your site against data available in another database that isn't accessible to your app.
This means you need to send the data your users are providing to you to the other service that is providing the validation. Perhaps this other service provides an API to do this, perhaps it just provides a form you can post the data to (with python urllib2).
Without have a lot more information on what you're looking to do I can't even venture to guess whether either of these two things are feasible.
Related
I'm building a simple crud app in Django which is basically enhanced reporting for commerce related software. So I pull information on behalf of a user from another software's API, do a bunch of aggregation/calculations on the data, and then display a report to the user.
I'm having a hard time figuring out how to make this all happen quickly. While I'm certain there are optimizations that can be made in my Python code, I'd like to find some way to be able to make multiple calculations on reasonably large sets of objects without making the user wait like 10 seconds.
The problem is that the data can change in a given moment. If the user makes changes to their data in the other software, there is no way for me to know that without hitting the API again for that info. So I don't see a way that I can cache information or pre-fetch it without making a ridiculous number of requests to the API.
In a perfect world the API would have webhooks I could use to watch for data changes but that's not an option.
Is my best bet to just optimize the factors I control to the best of my ability and hope my users can live with it?
Let's say I am creating a python-based CMS on GAE (similar to Squarespace/Shopify) which allows users to create a website.
The platform will (automatically?) create a subdomain for each new user and duplicates the application.
Now there are two options:
1) Create a new Database for the new user, WITHIN the master GAE project. (I'm worried that if one user gets a lot of traffic it might slow down ALL websites.)
2) Duplicate the entire project. (This method seems difficult to accomplish because either I have to manually create an instance of the application for each user, or I have to figure out how to hijack gcloud.py (or appcfg.py) somehow and store my login credentials in the code.)
Which choice will most likely provide the most performance for the price? Is choice 2 allowed by Google (or even possible)?
Edit:
I've done some more research about this, and it's not documented very much. I found this in the docs https://cloud.google.com/sdk/docs/scripting-gcloud which talks about running gcloud from scripts, although I don't think that means from python. I am looking into appengine-jenkins to see if it will work for my purpose. Let me know if you have any additional information about this.
Also, it seems like gcloud is adding a create command within the projects command which might be useful for me if I can figure out how to run gcloud from my script. https://cloud.google.com/sdk/gcloud/reference/alpha/projects/create
I want to make a django site which has no profile authentication or signing in. Anonymous users will be able to make a form that will be potentially open to anyone else on the site.
I'd like to do two things:
Somehow limit access to this form to certain people, without on site profiles. Maybe passwords/encryption keys distributed by email? Or secret one-time links using random URL's to make finding them/crawling them difficult, only accessible to those who know about them?
A way that the user who created the form can delete the form. Again, perhaps email a secret password upon creation to whoever created the form, which can let them delete the form?
Are there any Django plug-ins I should look into, or does anyone have tips about how I should go about this? I'm interested in the shareasecret site, and aspects of security in one time links without profile authentication, however, I'm not sure of best practices and ways to go about this sort of thing.
There is no best practice nor a plugin for this use case. It is a common-or-garden, simple use case which should not demand that much of code and logic that you look for some plugin or best practice. Just draw the picture you imagine, sit and write your code. if you have any exact problems in your code, then ask a question.
Given the specific site you're trying to recreate has an api, it would appear that the details aren't matched against the user, but the post itself. so simply make a model that has the two things that it requires
Query Params
SECRET_KEY: the unique key for this secret.
passphrase (if required): the passphrase is required only if the secret was create with one.
So either I'd suggest use the same method yourself, or just use their api.
It seems like the security model fits very small projects, but that it is probably not feasible to write all possible registered users' hashed passwords in security.py. Do you know any examples of scaling up Pyramid's authentication, or are there any benefits to calling through Pyramid's security scheme into my own database of security information?
I dont think the size of the project is related to the security model. Either you want a simple or a complex security model. Both can be applied to projects of any size. One of Pyramid's strong points is its extensibility.
Why would you store hashed passwords in security.py? (cmiiw here, I probably misunderstood) If you read this on someone's code, that's probably just an example. In real apps, you save them in a storage/persistence system of your choice.
Again, I don't understand what you mean by "scaling up authentication". My guess is you want some working examples:
tutorial from the docs
shootout application: small and good example with forms
pyramid auth demo: complex/granular/row-level permission
pyramid apex: 3rd party auth (google, twitter, etc) with velruse, forms etc
pyramid registration: unfinished library; you can steal some ideas from it
No idea what your needs are or what you mean by "scaling up security", but pyramids authentication policy is very flexible. You need to understand though that it doesn't maintain users and passwords it merely provides a mechanism for obtaining a user identifier from the incoming request. For example, the AuthTktAuthenticationPolicy keeps track of the user id by cookie that you set using the remember method.
What meaningful information you derive from that user id is totally up to you and is application specific.
So really the question you may want to ask is can your application "scale up security".
I can't show you code because it's proprietary but I've needed to support openid, http auth and your typical db backed user store on the same application, with the extra added complication that users are stored in different database shards and the shard can't be immediately determined. It takes very little code to support this.
I ended up building something for myself that makes authentication a little easier if you happen to be using MongoDB.
https://github.com/mosesn/mongauth
It isn't built into pyramid, but hooks in easily enough. Everything is pretty transparent.
I am building a website for a comedy group which uses Facebook as one of their marketing platforms; one of the requirements for the new site is to display all of their Facebook events on a calendar.
Currently, I am just trying to put together a Python script which can pull some data from my own Facebook account, like a list of all my friends. I presume once I can accomplish this I can move to pulling more complicated data out of my clients account (since they have given me access to their account).
I have looked at many of the posts here, and also went through the Facebook API documentation, including Facebook Connect, but am really beating my head against the wall. Everything I have read seems like overkill, as it involves setting up a good deal of infrastructure to allow my app to set up connections to any arbitrary user's account (who authorizes me). Shouldn't it be much simpler, given I only ever need to access 1 account?
I cannot find a way to retrieve data without having to display the Facebook login window. I have a script which will retrieve all my friends, but it includes a redirect where I have to physically log myself in to Facebook.
Would appreciate any advice or links, I just feel like I must be missing something simple.
Thank you!
Just posting up my notes on the successful advice, should others find this post;
Per Daniel and William's advice, I obtained the right permissions using the Connect options. From William, this link explains how the Facebook connection works
https://developers.facebook.com/docs/authentication/
This section on setting up the actual authentication was most helpful to me.
http://developers.facebook.com/docs/api
Basically, it goes as follows:
Post a link to the following URL. A user will need to physically click on it (even if that user is just you, the site admin).
https://graph.facebook.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=http://www.example.com/HANDLER
This will redirect to a Facebook login, which will return to http://www.example.com/HANDLER after the user authenticates. If you wish to do more than basic reads and news feed updates you will need to include this variable in the above link: scope=offline_access,user_photos. The scope variable just includes a comma separated list of values, which Facebook will explicitly tell the authenticating user about during the login process, and they will have to OK. Most helpful for me was the offline_access flag (user_photos lets you get at their photos too), so I can pull content without someone logging in regularly (so long as I store the access token obtained later)
Have a script located at http://www.example.com/HANDLER that will take a variable from the request (so facebook will redirect to http://www.example.com/HANDLER&code=YOUR_CODE after authentication). Your handler needs to pull out the code variable, and then send the following request:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_CLIENT_ID&
redirect_uri=http://www.example.com/oauth_redirect&
client_secret=YOUR_SECRET_KEY&
code=YOUR_CODE
This request will return a string of the form access_token=YOUR_ACCESS_TOKEN.
Just parse off the 'access_token=', and you will have a token that you can use to access the facebook graph API, in requests like
http://graph.facebook.com/me/friends?access_token=YOUR_ACCESS_TOKEN
This will return a JSON object containing all of your friends
Hope this saves someone else some not fun time straining through documentation. Thanks for the help!
It is true, that Facebook's API is targeted at developers who are creating apps that will be used by many users.
Thankfully, the new Graph API is much simpler to use than its predecessor, and shouldn't be terribly difficult for you to work with without using or creating a lot of underlying infrastructure.
You will need to implement authorization, but this is not difficult, and as long as you prompt the user for the offline_access permission, it'll only need to be done once.
The documentation on Desktop Authentication would probably be most relevant to you at this point, though you might want to move to the javascript-based authentication once you've got a web app up and running.
Once the authentication is done, all you're doing is making GET requests to various urls and working with the resulting JSON.
Here's the documentation about Events, and you can get a list of friends from the friends connection of a User.
I'm not expert on Facebook/Facebook Connect, however I've seen it used/used applications with it and it seems there's really only the 'official' way to do it. I'm afraid it looks like your best bet would probably be something along the lines of this.
http://wiki.developers.facebook.com/index.php/Connect/Authentication_and_Authorization
Regardless of how you actually 'use' it, you'll still need to authorize the application to connect to the account and this means having a Facebook App as well.
The answer to Facebook application authentication is hard to find but is actually found within the "Analytics" page of the Graph API.
Specify the following: https://graph.facebook.com/oauth/access_token?client_cred&client_id=yourappid&client_secret=yourappsecret , you will then be given an access_token that you may use on all other calls.
The Facebook provided APIs do NOT currently provide this level of functionality.