Re: 3-legged-OAuth Logout

2011-07-26 Thread Lior Sion
That depends a lot on the UI. Facebook, for example, logs out on both
sites, while Twitter doesn't. If you're worried about a security
issue, have your "log out" button say something like "Log out of XXX"
where XXX is your site name.

Another option I've seen (when relying completely on a 3rd party log
in site) was not to allow log out at all. They let the 3rd party site
deal with that, and only allow "join".

On Jul 26, 12:04 am, Vignesh Sunder wrote:
> Thanks for the reply. But I feel this could be a security issue,
> considering the fact that the user (say user1) would not be aware of
> the fact that he/she has not yet been logged out of Twitter. If
> another user (say user2) gets hold of the system before user1's
> cookie/session gets timed out, and happens to access Twitter.com,
> there is a bright chance that user1's information can get compromised.
> Please correct me if I am wrong in assuming that most of the users who
> browse the internet today are still 'innocent'!

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.



Re: Doubt : Redirect after registration

2011-07-26 Thread Lior Sion
Are you using anything non-default, like django-registration? In the
database, is the user created and is the active flag true?

On Jul 24, 2:16 pm, vaibhav agarwal wrote:
> Hi,
>
> I am using Django 1.3. I have started building my first site in django
> and it seems real fun. I am learning a lot from it. But I have a
> small problem. I want to login a user after he registers and then
> redirect him to the home page of the site. For this I tried the
> stuff given in the
> link http://stackoverflow.com/questions/3222549/how-to-automatically-login...
> but it does not work for me. When I tried this, the user is directed
> to the home page but since that has the login_required function, it
> asks the user to manually login which I don't want. How do I rectify
> this?
>
> Thanks in advance for the help.
>
> Cheers
>
> Vaibhav




FormMixin missing method

2011-07-09 Thread Lior Sion
Hi,

Wanted to run this by you before I raise the suggestion in
django-development: the core generic class FormMixin has some methods that
allow setting up a form: get_initial, get_form_kwargs and so on. However,
it's missing a method to set up the instance (which has some uses).
Should it be added?

(Implementation details are very simple, but I can easily add them to
the suggestion once it's done.)




Re: How to choose a license for an app or a project?

2011-05-13 Thread Lior Sion
I just remembered once seeing a license generator at Binpress, maybe
that can be the quick easy solution:

http://www.binpress.com/license/generator

On May 13, 8:06 pm, Boštjan Mejak wrote:
> This is getting way out of hand. I was hoping for a simple yes/no answer.
> And what I got? A bunch of yada yada. Can't you people just express yourself
> by saying yes or no? Is it *that* hard? Okay now... I made a Django
> application called MyWiki (yes, it's a little simple wiki application). I
> don't want to disclose my source code. Now, what license would you choose?
> Is MIT license okay? Also, where should I put this license? In every module
> I have? In a file called license.txt and put it into the root dir? Please
> tell me. Simple English only. I am not so sharp so please keep that in mind
> when answering. Thank you.




Django form's widget input format

2011-03-23 Thread Lior Sion
Some form widgets, namely DateInput and DateTimeInput, check for a data
change using a pre-set format to know if the data in the field was
changed.

Today many front end developers dynamically change the format for
those types of input (and other localizations) on the client side
after the form is rendered, since the browser itself supports that.

Is there a way around it today in Django, or do we need to develop a
more dynamic format conversion?
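An added example, not code from this thread or from Django's widgets: it shows the failure mode described above (change detection through one pre-set format) next to a parse-then-compare variant that accepts an explicit list of formats. SERVER_FORMAT, ACCEPTED_FORMATS, parse_date, has_changed_fixed_format and has_changed_any_format are names invented for this illustration, and the format lists are constructed.

```python
# Added example, not code from the thread or from Django's widgets. It
# shows the failure mode described above (a single pre-set format used for
# change detection) next to a parse-then-compare variant that accepts a
# fixed list of formats. SERVER_FORMAT, ACCEPTED_FORMATS, parse_date,
# has_changed_fixed_format and has_changed_any_format are names invented here.
from datetime import date, datetime

SERVER_FORMAT = "%Y-%m-%d"                                # format the widget was rendered with
ACCEPTED_FORMATS = ["%Y-%m-%d", "%d/%m/%Y", "%d.%m.%Y"]   # constructed allow-list


def parse_date(text, formats=ACCEPTED_FORMATS):
    """Return the first successful parse of text as a date, else None.
    Only the listed formats are tried, so nothing is guessed from input."""
    text = text.strip()
    for fmt in formats:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def has_changed_fixed_format(initial, submitted, fmt=SERVER_FORMAT):
    """Single-format comparison: render the initial value with fmt and compare
    it to the raw submitted string. A client-side switch to another format
    makes an unchanged date look changed."""
    return initial.strftime(fmt) != submitted.strip()


def has_changed_any_format(initial, submitted, formats=ACCEPTED_FORMATS):
    """Parse the submitted string with any accepted format and compare dates.
    Unparseable input is reported as changed so that validation sees it."""
    parsed = parse_date(submitted, formats)
    return parsed != initial


if __name__ == "__main__":
    rendered = date(2011, 3, 23)
    for raw in ("2011-03-23", "23/03/2011", "24/03/2011", "31/02/2011"):
        print(raw, has_changed_fixed_format(rendered, raw),
              has_changed_any_format(rendered, raw))
```

For validation (as opposed to change detection) Django's forms.DateField already takes an input_formats list, so the allow-list above is the same idea applied to the comparison step; keeping the list explicit avoids accepting whatever format a client happens to send.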




Re: About using Django Auth with my app, Auto saving the User

2011-03-21 Thread Lior Sion
If instead of printing "not valid" you print the form itself with
the errors (as described here, for example:
http://docs.djangoproject.com/en/dev/topics/forms/#customizing-the-form-template)
you would see what the errors are. Alternatively, read about form
validation (http://docs.djangoproject.com/en/dev/ref/forms/validation/)
and try to understand why it's failing.

On Mar 20, 8:05 pm, AJ wrote:
> No, the form submits, with other values too, to the view but it just
> does not validate.
>
> AJ




Re: how to get csrf cookie in ajax app

2011-03-21 Thread Lior Sion
If your file is completely static (even coming from a cache server)
then there's no way of getting the csrf, since the whole point of the
csrf is that it's dynamic (otherwise it can be copied).

You can do a one-time "warmup" if the cookie is not present on your
client to "get_data" from the server and initialize the cookie, or go
without csrf as suggested.

On Mar 22, 12:35 am, Brian Craft wrote:
> No, it's not. It's a static file.
>
> On Mon, Mar 21, 2011 at 10:23 AM, Matt Robenolt wrote:
> > Is your main view being rendered by Django or something else? If so, you'll 
> > have access to the cookie.
>
> > On Mar 21, 2011, at 1:09 PM, Brian Craft wrote:
>
> >> It's in a cookie once you coerce django into sending the cookie to the
> >> browser. This is less automatic for ajax apps, because django isn't
> >> serving the forms (which is when it usually sends the csrf cookie).
>
> >> On Mon, Mar 21, 2011 at 9:49 AM, Matt Robenolt wrote:
> >>> To get the token? It's stored in a cookie. You can read that in Javascript
> >>> with document.cookie, then parse the cookie string to retrieve the 
> >>> relevant
> >>> part.




Determining Django model instance types after a query on a base class

2011-03-15 Thread Lior Sion
I'm having the same issue described in some places around the web and
also here:

http://stackoverflow.com/questions/5225556/determining-django-model-instance-types-after-a-query-on-a-base-class

In essence, I have these definitions:

from django.db import models

class Animal(models.Model):
    name = models.CharField(max_length=128)

    def hello(self):
        print("Hello animal")

class Person(Animal):
    pants_size = models.IntegerField(null=True)

    def hello(self):
        print("Hello Mr")

class Dog(Animal):
    panting_rate = models.IntegerField(null=True)

    def hello(self):
        print("Woof")

And create these instances...

Person(name='Dave').save()
Dog(name='Mr. Rufflesworth').save()

I do an Animal.objects.all(), and would like to run a method (.hello)
on what I received. A virtual method on the base class doesn't act as
expected and returns "Hello Animal" all the time.

I've seen the answers above and am wondering if this is the right way to
go. I've noticed the returned instance has a .dog attribute that doesn't
exist if this is a person or an animal, and a .person attribute that
doesn't exist if this is a dog or an animal.

Wouldn't going:

hasattr(result,'dog')

be cheaper (no db access)?




Re: Extending admin index.html

2011-03-12 Thread Lior Sion
Thanks Thomas,

These two solutions look interesting, but they are a lot more than I
required :)

I also think that a recommendation to copy a file and override it is
wrong - it kills future compatibility, regardless of how this would
really be solved.

Let's wait a few days and if no answer is accepted, raise it on the dev
list.

On Mar 12, 5:24 pm, Thomas Weholt <thomas.weh...@gmail.com> wrote:
> I've asked the same question just a few days ago with little or no
> luck. You'll probably get somebody who recommends Grappelli
> (http://code.google.com/p/django-grappelli/wiki/Grappelli_2)
> and/or http://pypi.python.org/pypi/django-admin-tools and they might be what
> you're looking for, but I've tried them both and still want to know how
> to implement/override both the admin/index-template and the related
> view.
>
> Any information you might have related to this is very interesting.
> Please post a reply to this thread.
>
> Regards,
> Thomas
>
> On Sat, Mar 12, 2011 at 4:14 PM, Lior Sion <lior.s...@gmail.com> wrote:
> > Hi,
>
> > Is there an easy way I'm missing to EXTEND the admin site's index.html
> > without copying the file and altering it, which kinda sounds like the
> > wrong solution?
>
> > Basically, I live with the current template well enough and want to
> > get updates with new versions of django, but I would like, for
> > example, to add upper, lower, or side sections. Would it make
> > sense to add a {% block %} in those places?
>
> --
> Mvh/Best regards,
> Thomas Weholt http://www.weholt.org




Extending admin index.html

2011-03-12 Thread Lior Sion
Hi,

Is there an easy way I'm missing to EXTEND the admin site's index.html
without copying the file and altering it, which kinda sounds like the
wrong solution?

Basically, I live with the current template well enough and want to
get updates with new versions of django, but I would like, for
example, to add upper, lower, or side sections. Would it make
sense to add a {% block %} in those places?




Re: testing foo_set existence for each object in a queryset

2011-02-19 Thread Lior Sion
Dan,

If I understand your question correctly, you are struggling with
creating the filtering you wrote in your message on the queryset level
(without going to the db for each object), right?

Hard to say without actually seeing your code and testing, but would
this be the same?

import datetime

# Reverse relation lookups use the related query name (the lowercased
# model name, "foo"), not the "foo_set" accessor; distinct() keeps each
# MyModel row once even when several of its foos match.
MyModel.objects.filter(foo__endtime__gt=datetime.datetime.now()).distinct()

I don't think you'll need the exists, as only existing objects will
come back from the query.

On Feb 20, 3:50 am, Dan wrote:
> Hi,
>
> Long time lurker - first time poster - hopefully future answerer...
>
> Basically what I want to do can be done with:
>
> result = [w for w in MyModel.objects.all() if
> w.foo_set.filter(endtime__gt=datetime.datetime.now()).exists()]
>
> Is there anyway to do this using the queryset api?
>
> Hopefully it's not too stupid a question...




unique_together validation passes on model forms that exclude unique fields

2011-02-16 Thread Lior Sion
Hi,

I have a model with a unique_together field set. I also have a form
for that model that excludes one field - but I still need the
uniqueness to stay.

Example:

from django.db import models
from django.forms import ModelForm

class Friend(models.Model):
    # minimal stand-in for the Friend model the original message refers to
    name = models.CharField(max_length=30)

class A(models.Model):
    name = models.CharField(max_length=30)
    friend = models.ForeignKey(Friend)

    class Meta:
        unique_together = ('name', 'friend')

and the form:

class AForm(ModelForm):
    class Meta:
        model = A
        fields = ('name',)  # a one-element tuple, not the string 'name'

that is, someone editing A can change the name, but they can't get to
a case where one friend has the same A's name.

From what I gather, is_valid passes since I excluded friend from
the form, but that's exactly the case I want. It also makes sense.

Do you agree with opening a ticket? What do you think?




Re: csrf cookie security

2011-02-10 Thread Lior Sion
It's been a while since I dealt with those things, but what about this
scenario:

The attacker detects the CSRF code using an attack resembling the
scenario here:

http://wiki.developerforce.com/index.php/Secure_Coding_Secure_Communications#Secure_Communications_and_Cookies

[to save some time, this is the quote:

Failure to set the Secure flag for security-critical cookies is the
most common vulnerability in this category. Simply setting a cookie
over an HTTPS connection does not prevent it from being returned over
HTTP unless the Secure flag is set. Even if your site does not have an
HTTP version, malicious parties on the network may be able to steal
session cookies.

There are several ways to achieve this. For example, the attacker may
insert references to HTTP URLs to your application into sites that
your users are likely to visit. Assume your application is 
https://app.example.com,
and your users frequent a discussion forum/blog at http://exampleappblog.com.
ExampleAppBlog allows commenters to include limited HTML in their
posts, including img tags. A commenter inserts HTML into one of their
comments like the following:

<img src="http://app.example.com/example-logo.png" />

When a user authenticated to app.example.com views this comment, their
browser will fire off a request for example-logo.png over an insecure
HTTP connection. Since the app.example.com cookie was not set Secure,
the browser will include the cookie over this connection — exposing it
to the network.

]

Once they have the CSRF cookie, they use the site itself (example.com)
and post malicious code there with the right CSRF.

I agree it's not an easy attack, but why not turn on the Secure
flag for cookies on https?

On Feb 10, 9:28 am, Ian Clelland wrote:
> On Wed, Feb 9, 2011 at 11:51 AM, Brian Craft wrote:
> > I thought, rather, that the csrf token was a cookie that was put in a
> > hidden form field.
>
> You're absolutely right; I wasn't thinking about that side of the token.
>
> > With firebug or webkit dev tools you can see the django csrf token in
> > the cookies. I would also refer you to middleware/csrf.py, where you
> > can see it doing the set_cookie.
>
> > I thought the security of the csrf token relied on the fact that the
> > 3rd party wouldn't know what value to put in the hidden form field.
> > The csrf middleware is, I believe, validating the value in the form
> > field, against the value in cookie. But when it creates the form, it
> > uses the value in the cookie.
>
> > If the token is stored in an insecure cookie, it can be sniffed. Then
> > I don't understand what prevents the attacker from constructing a
> > valid form.
>
> If you want a secure cookie, that means that your entire site (or at
> least the form-handling bits) must already be protected by SSL (since
> a secure cookie will only be returned over an SSL connection).
>
> The threat model you are proposing, then, sounds like this: There is a
> website, running Django, using Django's CSRF protection, in which all
> of the form-handling views are only accessible over HTTPS, but there
> are other resources in the same domain (or its subdomains) which are
> accessible over HTTP.
>
> Further, there is an attacker, who can sniff the unencrypted HTTP
> traffic, and can construct an HTML page at a different site (this is
> Cross-Site Request Forgery, after all)
>
> A lot of the potential damage seems to be mitigated by another check
> in django/middleware/csrf.py, for HTTPS requests only, that inspects
> the referer header of the incoming request, to ensure that the browser
> was not submitting the form from a different site. To get around that,
> the attacker would have to be able to construct a form on the
> SSL-protected site (a serious html-injection vulnerability would have
> to be present), or cause the request to be submitted over plain HTTP
> -- but the site is already HTTPS-only, so there shouldn't be any
> form-handling code listening on that port.
>
> Does this threat model correspond to what you're thinking? If so, I
> don't see a way around the CSRF protection (at least, not one that
> involves the victim's browser)
>
> --
> Regards,
> Ian Clelland
> 
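An added example that serves both this thread and the earlier "how to get csrf cookie in ajax app" one; it is not Django's middleware and not code from either thread. It models the three checks the messages above discuss: a Secure cookie is never attached to a plain-HTTP request (so the injected image fetch from the quoted scenario exposes nothing), the form field must match the cookie (the double-submit check that makes the token useless to anyone who cannot read the cookie), and on HTTPS the Referer must be a same-origin HTTPS page. Cookie, Request, build_request, token_exposed_on_http and check_csrf are names invented here, and the cookie jars and URLs are constructed.

```python
# Added example for the csrf threads above; not Django's code. Cookie,
# Request, build_request, token_exposed_on_http and check_csrf are invented.
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # the Secure attribute from the quoted article


@dataclass
class Request:
    method: str
    url: str                                      # e.g. "https://app.example.com/post"
    cookies: dict = field(default_factory=dict)   # cookies the browser attached
    post: dict = field(default_factory=dict)      # submitted form fields
    referer: str = ""                             # Referer header, "" if absent

    @property
    def scheme(self):
        return urlsplit(self.url).scheme

    @property
    def host(self):
        return urlsplit(self.url).netloc


def cookie_sent_over(cookie, scheme):
    """A browser attaches a Secure cookie to HTTPS requests only."""
    return scheme == "https" or not cookie.secure


def build_request(method, url, jar, post=None, referer=""):
    """Assemble a request the way a browser would, applying the Secure rule
    to decide which cookies in the jar travel with it."""
    scheme = urlsplit(url).scheme
    sent = {c.name: c.value for c in jar if cookie_sent_over(c, scheme)}
    return Request(method, url, sent, post or {}, referer)


def token_exposed_on_http(jar):
    """The plain-HTTP image fetch from the quoted scenario: the csrf cookie
    value that would cross the network in clear, or None if Secure held it back."""
    img = build_request("GET", "http://app.example.com/example-logo.png", jar)
    return img.cookies.get("csrftoken")


def check_csrf(req, cookie_name="csrftoken", field_name="csrfmiddlewaretoken"):
    """Double-submit check in the spirit of django/middleware/csrf.py: the
    form field must equal the cookie, and on HTTPS the Referer must be a
    same-origin HTTPS page. Returns (accepted, reason)."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    if req.scheme == "https":
        if not req.referer:
            return False, "missing referer"
        ref = urlsplit(req.referer)
        if ref.scheme != "https" or ref.netloc != req.host:
            return False, "cross-site referer"
    cookie_token = req.cookies.get(cookie_name)
    if cookie_token is None:
        return False, "no csrf cookie"
    form_token = req.post.get(field_name, "")
    if not hmac.compare_digest(cookie_token, form_token):  # constant-time compare
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed cookie jars: the same token with and without Secure.
    weak = [Cookie("csrftoken", "t0k3n")]
    hardened = [Cookie("csrftoken", "t0k3n", secure=True)]
    print("exposed without Secure:", token_exposed_on_http(weak))
    print("exposed with Secure:", token_exposed_on_http(hardened))
    forged = build_request("POST", "https://app.example.com/post", weak,
                           post={"csrfmiddlewaretoken": "t0k3n"},
                           referer="http://exampleappblog.com/")
    print("forged post:", check_csrf(forged))
```

The model makes the two replies' points concrete: with Secure set, the HTTP image request carries no csrftoken, so there is nothing for an on-path observer to copy into a forged form; and even with a copied token, a form submitted from another origin fails the Referer check on the HTTPS endpoint. Django has since added a CSRF_COOKIE_SECURE setting for exactly the flag this message asks about.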
