I am building a system which serves content on external properties. I would like to track users which have not registered with my site with anonymous unique IDs. Then, if later they register with my site, I can covert them to regular Django users, but still have information related to their preferences and activities when they were anonymous.
Is there a facility to automatically set a user cookie via Django so that if they user is accepting cookies, I have a user session ID to work with?
I'd prefer not to come up with a custom solution if Django has some path to move from Anonymous to Authenticated users.
I suggest you look for sessions. They use cookies, store a unique id into a cookie which is linked to a file on your server containing their data.
https://docs.djangoproject.com/en/dev/topics/http/sessions/
I've looked for a solution to problems like this in the past. Django Lazy Signup (https://github.com/danfairs/django-lazysignup) looks like it should solve your problem and not force you to reinvent the wheel, though, fair warning I haven't personally used the project.
Related
I'm working on a question and answer system with django. my problem : I want the app to get a question from an ontology and according the user's answer get the next question. how can I have all the questions and user's answers displayed. i'm new to django, I don't know if I can use session with unauthenticated user and if I need to use websocket with the django channels library.
Given that you want to work with anonymous users the simplest way to go is to add a hidden field on the page and use it to track the user progress. The field can contain virtual session id that will point at a model record in the backend, or the entire Q/A session(ugly but fast and easy). Using REST or sockets would require similar approach.
I can't tell from the top of my mind if you can step on top of the built in session system. It will work for registered users, but I do believe that for anonymous users it gets reset on refresh(may be wrong here).
Currently I implemented a login routine for the website I am working on, according to This Tutorial.
Also I am not authenticating the user with djangos own system, because I am using authentication against the LDAP of my company (django-auth-ldap).
Currently I am using a general user to login to the database, which has universal access to all data, which also gives full access to any user logging in to the website.
To avoid that I would like to know how I can connect to the database as the individual user, who just logged in to the website.
Thanks in advance and sorry for bad english
Restricting user access to functionality and authenticating with the DB are handled separately in Django. You might be able to read the privileges of your users from the DB and map them to Django permissions but this is non-trivial (about Permissions see https://docs.djangoproject.com/en/2.1/topics/auth/default/#permissions-and-authorization).
In a UI/UX that has functionalities restricted depending on authorization, the frontend and backend need to be aware that permissions need to be checked and missing authorization needs to be communicated in some way or other to the user.
Example:
Users in group A are allowed to delete X. They see the "delete" button and there might also be an AJAX call that can delete X.
Users in group B are not allowed to delete X. They do not see the delete button and the AJAX call that can delete X needs to check for that permission and/or user group membership.
If you are only using a DB level authorization layer than - how would you know if the "delete" button should be displayed and for what to check in the AJAX call?
hi!
If I'm getting your problem correctly, the user you are creating is a Super User every time right?
Well if you are using Django auth.User model, you can just make User_object.is_super to False and then restrict the access of users though if-else in view! (User_object is the object of the auth.User model)
Does that made any sense?
//BTW, a side-note, a mistake I made while making my first custom user model: make sure to store your passwords hashed using Django hashes and salts!
When a user login your system,he wants to edit his personal information which is on the other page.I put a hyperlink named edit on logined.html,but how can I pass the user's id to edit.html?
I am using python's web.py web framework.Please help me.Many thanks!
There are multiple ways to do this. The usual way is to have all user data in server-side session store, and only give the client-side the session ID instead of user ID and similar sensitive information.
Your form would work without the user information, and then when you are handling the submitted data, you retrieve the user information from the session and basically assume that the user submitted it. There are ways to make this assumption safer by using CSRF protection, etc.
More on sessions in web.py: http://webpy.org/sessions/
More on CSRF protection: http://webpy.org/cookbook/csrf
I'm creating a widget that gets installed on various different sites and I need distinct users for each site. Problem is, the same person browsing might have 2 different sites open at once that use my widget. This means that I need users to be logged in with multiple accounts simultaneously to the same Django site.
From my understanding, Django usually assumes that only 1 user is logged in per session.
What's the simplest and most effective way to go about this?
I ended up storing the per-site data in the user's session, i.e. session['site_id_1'] = user_obj_1, session['site_id_2'] = user_obj_2, etc...
Instead of logging in, I just store the user data in the appropriate key. Instead of logging out, I delete the key for the site.
I think you have to rewrite the session middleware. In the default implementation the session is stored in the database, the session_key is saved in a cookie and the cookie_name is defined in settings.py.
So if you write your own session middleware, you can define different cookie names for every site and retrieve the session from the database accordingly. django.contrib.sessions.middleware.SessionMiddleware is a good template.
What are the pros and cons of using open id vs auth? Shoud I do both?
That depends whether you want to support Open ID. As to the reasons behind Open ID, in my view the most compelling one is that it avoids requiring your users to have an account just for your site, with all the hassle that involves (yet another username and password to remember).
If you decide you want to use Open ID, there's not need to choose between that and auth - use django-openid-auth, which adds Open ID support to the auth framework.
Definitely try and avoid using an Open ID implementation that doesn't plug into Django's auth framework - you'll lose a lot of the baked-in goodness of Django (model-level permissions etc).
OpenID and OAuth do different things. OpenID lets users log into your site. OAuth lets people give your site access to their data elsewhere. On the other side of the coin, OAuth gives you a secure way to let users access their data in your service from elsewhere.
If you implement OpenID, don't implement an OpenID producer. Everyone's already got an OpenID, whether they know it or not. Just consume openids from elsewhere. Migrating OpenIDs shouldn't be hard. Just make sure that a user account can connect via multiple OIDs, then they can add new ones as needed, and remove when they're done with them.
Edit: Just saw that you were talking about django auth, not oauth. Oops. The second paragraph still stands.