Re: 3-legged-OAuth Logout
That depends a lot on the UI. Facebook, for example, logs out on both sites, while Twitter doesn't. If you're worried about a security issue, have your "log out" button say something like "Log out of XXX" where XXX is your site name. Another option I've seen (when relying completely on a 3rd party log in site) was not to allow log out at all. They let the 3rd party site deal with that, and only allow "join".

On Jul 26, 12:04 am, Vignesh Sunder wrote:
> Thanks for the reply. But I feel this could be a security issue,
> considering the fact that the user (say user1) would not be aware of
> the fact that he/she has not yet been logged out of Twitter. If
> another user (say user2) gets hold of the system before user1's
> cookie/session gets timed out, and happens to access Twitter.com,
> there is a bright chance that user1's information can get compromised.
> Please correct me if I am wrong in assuming that most of the users who
> browse the internet today are still 'innocent'!

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
Re: Doubt : Redirect after registration
Are you using anything not defaulted, like django-registration? In the database, is the user created and is the active flag true?

On Jul 24, 2:16 pm, vaibhav agarwal wrote:
> Hi,
>
> I am using Django 1.3. I have started building my first site in django
> and it seems real fun. I am learning a lot from it. But I have a
> small problem. I want to login a user after he registers and then
> redirect him to the home page of the site. For this I tried the
> stuff given in the link
> http://stackoverflow.com/questions/3222549/how-to-automatically-login...
> but it does not work for me. When I tried this, the user is directed
> to the home page but since that has the login_required function, it
> asks the user to manually login which I don't want. How do I rectify
> this?
>
> Thanks in advance for the help.
>
> Cheers
>
> Vaibhav
FormMixin missing method
Hi,

Wanted to run this by you before I raise the suggestion in django-development: the core generic class FormMixin has some methods that allow setting up a form: get_initial, get_form_kwargs and so on. However, it's missing a method to set up the instance (which has some uses) - should it be added? (implementation details are very simple but I can easily add them to the suggestion once it's done)
Re: How to choose a license for an app or a project?
I just remembered once seeing a license generator at Binpress, maybe that can be the quick easy solution: http://www.binpress.com/license/generator

On May 13, 8:06 pm, Boštjan Mejak wrote:
> This is getting way out of hand. I was hoping for a simple yes/no answer.
> And what I got? A bunch of yada yada. Can't you people just express yourself
> by saying yes or no? Is it *that* hard? Okay now... I made a Django
> application called MyWiki (yes, it's a little simple wiki application). I
> don't want to disclose my source code. Now, what license would you choose?
> Is MIT license okay? Also, where should I put this license? In every module
> I have? In a file called license.txt and put it into the root dir? Please
> tell me. Simple English only. I am not so sharp so please keep that in mind
> when answering. Thank you.
Django form's widget input format
Some form widgets, namely DateInput and DateTimeInput, check for data changes using a pre-set format to know if the data in the field was changed. Today many front end developers dynamically change the format for those types of input (and other localizations) on the client side after the form is rendered, since the browser itself supports that. Is there a way around it today in Django, or do we need to develop a more dynamic format conversion?
Re: About using Django Auth with my app, Auto saving the User
If instead of printing "not valid" you print the form itself with the errors (as described here for example: http://docs.djangoproject.com/en/dev/topics/forms/#customizing-the-form-template) you would see what the errors are. Alternatively, read about form validation (http://docs.djangoproject.com/en/dev/ref/forms/validation/) and try to understand why it's failing.

On Mar 20, 8:05 pm, AJ wrote:
> No, the form submits, with other values too, to the view but it just
> does not validate.
>
> AJ
Re: how to get csrf cookie in ajax app
If your file is completely static (even coming from a cache server) then there's no way of getting the csrf, since the whole point of the csrf is that it's dynamic (otherwise it can be copied). You can do a one time "warmup" if the cookie is not present on your client to "get_data" from the server and initialize the cookie, or go without csrf as suggested.

On Mar 22, 12:35 am, Brian Craft wrote:
> No, it's not. It's a static file.
>
> On Mon, Mar 21, 2011 at 10:23 AM, Matt Robenolt wrote:
> > Is your main view being rendered by Django or something else? If so, you'll
> > have access to the cookie.
> >
> > On Mar 21, 2011, at 1:09 PM, Brian Craft wrote:
> >> It's in a cookie once you coerce django into sending the cookie to the
> >> browser. This is less automatic for ajax apps, because django isn't
> >> serving the forms (which is when it usually sends the csrf cookie).
> >>
> >> On Mon, Mar 21, 2011 at 9:49 AM, Matt Robenolt wrote:
> >>> To get the token? It's stored in a cookie. You can read that in Javascript
> >>> with document.cookie, then parse the cookie string to retrieve the
> >>> relevant part.
Determining Django model instance types after a query on a base class
I'm having the same issue described in some places around the web and also here: http://stackoverflow.com/questions/5225556/determining-django-model-instance-types-after-a-query-on-a-base-class

In essence, I have these definitions:

    from django.db import models

    class Animal(models.Model):
        name = models.CharField(max_length=128)

        def hello(self):
            print("Hello animal")

    class Person(Animal):
        pants_size = models.IntegerField(null=True)

        def hello(self):
            print("Hello Mr")

    class Dog(Animal):
        panting_rate = models.IntegerField(null=True)

        def hello(self):
            print("Woof")

And create these instances...

    Person(name='Dave').save()
    Dog(name='Mr. Rufflesworth').save()

I do an Animal.objects.all(), and would like to run a method (.hello) on what I received. A virtual method on the base class doesn't act as expected and returns "Hello Animal" all the time. I've seen the answers above and I'm wondering if this is the right way to go. I've noticed the returned instance has a .dog attribute that doesn't exist if this is a person or an animal, and a .person attribute that doesn't exist if this is a dog or an animal. Wouldn't going:

    hasattr(result, 'dog')

be cheaper (no db access)?
Re: Extending admin index.html
Thanks Thomas,

These two solutions look interesting, but they are a lot more than I required :) I also think that a recommendation to copy a file and override it is wrong - it kills future compatibility, regardless of how this would really be solved. Let's wait a few days and if no answer is accepted, raise it at the dev list.

On Mar 12, 5:24 pm, Thomas Weholt <thomas.weh...@gmail.com> wrote:
> I've asked the same question just a few days ago with little or no
> luck. You'll probably get somebody who recommends Grappelli
> (http://code.google.com/p/django-grappelli/wiki/Grappelli_2)
> and/or http://pypi.python.org/pypi/django-admin-tools and they might be what
> you're looking for, but I've tried them both and still want to know how
> to implement/override both the admin/index-template and the related
> view.
>
> Any information you might have related to this is very interesting.
> Please post a reply to this thread.
>
> Regards,
> Thomas
>
> On Sat, Mar 12, 2011 at 4:14 PM, Lior Sion <lior.s...@gmail.com> wrote:
> > Hi,
> >
> > Is there an easy way I'm missing to EXTEND the admin site's index.html
> > without copying the file and altering it, which kinda sounds like the
> > wrong solution?
> >
> > Basically, I live with the current template well enough and want to
> > get updates with new versions of django, but I would like, for
> > example, to add an upper, lower, or side sections.. would it make
> > sense to add a {% block %} in those places?
>
> --
> Mvh/Best regards,
> Thomas Weholt http://www.weholt.org
Extending admin index.html
Hi,

Is there an easy way I'm missing to EXTEND the admin site's index.html without copying the file and altering it, which kinda sounds like the wrong solution?

Basically, I live with the current template well enough and want to get updates with new versions of django, but I would like, for example, to add an upper, lower, or side sections.. would it make sense to add a {% block %} in those places?
Re: testing foo_set existence for each object in a queryset
Dan,

If I understand your question correctly, you are struggling with creating the filtering you wrote in your message on the queryset level (without going to the db for each object), right? Hard to say without actually seeing your code and testing, but would this be the same?

    MyModel.objects.filter(foo_set__endtime__gt=datetime.datetime.now())

I don't think you'll need the exists, as only existing objects will come back from the query.

On Feb 20, 3:50 am, Dan wrote:
> Hi,
>
> Long time lurker - first time poster - hopefully future answerer...
>
> Basically what I want to do can be done with:
>
>     result = [w for w in MyModel.objects.all() if
>               w.foo_set.filter(endtime__gt=datetime.datetime.now()).exists()]
>
> Is there any way to do this using the queryset api?
>
> Hopefully it's not too stupid a question...
unique_together validation passes on model forms that exclude unique fields
Hi,

I have a model with a unique_together field set. I also have a form for that model that excludes one field - but I still need the uniqueness to stay. Example:

    from django.db import models
    from django.forms import ModelForm

    class A(models.Model):
        name = models.CharField(max_length=30)
        friend = models.ForeignKey(Friend)

        class Meta:
            # the unique_together set mentioned above
            unique_together = ('name', 'friend')

and the form:

    class AForm(ModelForm):
        class Meta:
            model = A
            fields = ('name',)

that is, someone editing A can change the name, but they can't get to a case where one friend has the same A's name. From what I gather, is_valid passes since I excluded friend from the form, but that's exactly the case I want.. it also makes sense. Do you agree with opening a ticket? What do you think?
Re: csrf cookie security
It's been a while since I dealt with those things, but what about this scenario: the attacker detects the CSRF code using an attack resembling the scenario here: http://wiki.developerforce.com/index.php/Secure_Coding_Secure_Communications#Secure_Communications_and_Cookies

[to save some time, this is the quote:

Failure to set the Secure flag for security-critical cookies is the most common vulnerability in this category. Simply setting a cookie over an HTTPS connection does not prevent it from being returned over HTTP unless the Secure flag is set. Even if your site does not have an HTTP version, malicious parties on the network may be able to steal session cookies. There are several ways to achieve this. For example, the attacker may insert references to HTTP URLs to your application into sites that your users are likely to visit. Assume your application is https://app.example.com, and your users frequent a discussion forum/blog at http://exampleappblog.com. ExampleAppBlog allows commenters to include limited HTML in their posts, including img tags. A commenter inserts HTML into one of their comments like the following:

    <img src="http://app.example.com/example-logo.png" />

When a user authenticated to app.example.com views this comment, their browser will fire off a request for example-logo.png over an insecure HTTP connection. Since the app.example.com cookie was not set Secure, the browser will include the cookie over this connection, exposing it to the network.]

Once they have the CSRF cookie, they use the site itself (example.com) and post malicious code there with the right CSRF. I agree it's not an easy attack, but why not turn on the Secure flag for cookies on https?

On Feb 10, 9:28 am, Ian Clelland wrote:
> On Wed, Feb 9, 2011 at 11:51 AM, Brian Craft wrote:
> > I thought, rather, that the csrf token was a cookie that was put in a
> > hidden form field.
>
> You're absolutely right; I wasn't thinking about that side of the token.
>
> > With firebug or webkit dev tools you can see the django csrf token in
> > the cookies. I would also refer you to middleware/csrf.py, where you
> > can see it doing the set_cookie.
> >
> > I thought the security of the csrf token relied on the fact that the
> > 3rd party wouldn't know what value to put in the hidden form field.
> > The csrf middleware is, I believe, validating the value in the form
> > field, against the value in cookie. But when it creates the form, it
> > uses the value in the cookie.
> >
> > If the token is stored in an insecure cookie, it can be sniffed. Then
> > I don't understand what prevents the attacker from constructing a
> > valid form.
>
> If you want a secure cookie, that means that your entire site (or at
> least the form-handling bits) must already be protected by SSL (since
> a secure cookie will only be returned over an SSL connection).
>
> The threat model you are proposing, then, sounds like this: There is a
> website, running Django, using Django's CSRF protection, in which all
> of the form-handling views are only accessible over HTTPS, but there
> are other resources in the same domain (or its subdomains) which are
> accessible over HTTP.
>
> Further, there is an attacker, who can sniff the unencrypted HTTP
> traffic, and can construct an HTML page at a different site (this is
> Cross-Site Request Forgery, after all)
>
> A lot of the potential damage seems to be mitigated by another check
> in django/middleware/csrf.py, for HTTPS requests only, that inspects
> the referer header of the incoming request, to ensure that the browser
> was not submitting the form from a different site. To get around that,
> the attacker would have to be able to construct a form on the
> SSL-protected site (a serious html-injection vulnerability would have
> to be present), or cause the request to be submitted over plain HTTP
> -- but the site is already HTTPS-only, so there shouldn't be any
> form-handling code listening on that port.
>
> Does this threat model correspond to what you're thinking? If so, I
> don't see a way around the CSRF protection (at least, not one that
> involves the victim's browser)
>
> --
> Regards,
> Ian Clelland
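An added illustration of the three cookie-handling points raised in this thread and in the earlier "how to get csrf cookie in ajax app" thread: auditing a Set-Cookie header for the missing Secure flag, the ajax client copying csrftoken from its cookie jar into the X-CSRFToken request header, and the server comparing the submitted token against the cookie plus the same-origin Referer check on HTTPS that Ian describes. This is sketch code written here with the Python standard library, not Django's middleware; all header values are constructed.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, not captured from any real site.
SET_COOKIE_WEAK = 'csrftoken=abc123; Path=/; Max-Age=31449600'
SET_COOKIE_FIXED = 'csrftoken=abc123; Path=/; Max-Age=31449600; Secure'


def cookie_attr_findings(set_cookie_header, name='csrftoken'):
    """Report what is missing from a Set-Cookie header for `name`.

    Without the Secure attribute the browser also attaches the cookie to
    plain-HTTP requests for the same host, which is the exposure the
    quoted wiki text describes."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return ['cookie %s not present' % name]
    findings = []
    if not jar[name]['secure']:
        findings.append('missing Secure')
    return findings


def csrf_header_from_cookie(cookie_header):
    """Client side: read csrftoken from the Cookie string and echo it in the
    X-CSRFToken request header, which is what an ajax app has to do because
    no rendered form carries the hidden field."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if 'csrftoken' not in jar:
        return None
    return {'X-CSRFToken': jar['csrftoken'].value}


def csrf_check(cookie_header, submitted_token, is_https, referer, host):
    """Server side: accept only if the submitted token equals the cookie
    value and, on HTTPS, the Referer is https and same-host.  Mirrors the
    two checks the thread attributes to django/middleware/csrf.py."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if 'csrftoken' not in jar:
        return 'no csrf cookie'
    expected = jar['csrftoken'].value
    # constant-time comparison so the check itself leaks nothing
    if not submitted_token or not hmac.compare_digest(expected, submitted_token):
        return 'token mismatch'
    if is_https:
        if not referer:
            return 'referer missing'
        parts = urlsplit(referer)
        if parts.scheme != 'https' or parts.netloc != host:
            return 'referer not same origin'
    return 'ok'
```

In a real deployment the Secure attribute is set through Django's CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE settings rather than by editing headers by hand.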