How to encrypt or Obfuscate REST API URL in Django - django

Hello Django REST API Experts,
We are building University Course portals where app offers various user types like Professor, Students and Admins using DJANGO/REACT. We are using REST API to connect between backend and frontend.
So, far we are able to perform some basic operation and it really works great. However now I need help from this group to do following:
When students enrolled in course it generates an acknowledge document stating course description, and its prerequisite which needs to get signed by students to ensure student acknowledge they fulfill these requirements.
In order to do this we have following:
Model for each course which contains the Content, Description and Prerequisite for each course.
StudentCourseAck Model which has FK to Course, Signed Boolean field, Binary field to store signed doc.
User flow:
Student logins to portal,
Select the Course, which generate StudentCourseAck entry.
Let Student review document and signed the document (on client side using sign pad).
The Signature gets stored in PDF (as binary field).
So far so good…
Now we want to enhance the featureset which allows admin to email student the link of studentcouseack document incase its not signed before course start. Also this link should only be valid for 48 hours or else it will expire.
So we need some help to enhance these featuresets as follow:
Current the API is exposed to frontend like: mysite.com/courseack/studentid/documentid
However we want to encrypt this so the link look like this: mysite.com/uniqueid
Where uniquid is mapped to /studentid/documented
So I have following design question:
Question 1: Should we enhance StudentCourseAck which store the UUID for each document?
Question 2: If I store UUID for each document, how do I make it expire once its generated?
Question 3: When Student is finished signing, I need to update the document into database to ensure that right document is saved to right student profile, so how can I ensure this security requirement.
I would really appreciate some expert opinion or some guidance so we can proceed this feature implementation. Any other alternative which is simpler and easier to maintain.
Once again thank you for your time and consideration.
Thank You.

Any other alternative which is simpler and easier to maintain.
Keeping the above phrase in mind I propose this solution.
Firstly I will not consider this as a DRF problem but as a general problem and proceed to answer your Questions.
The simple solution lies in 4 steps
Create a UUID field inside StudentCourseACK so that you can map this uuid with your url mysite.com/uniqueid, catch the document id inside the StudentCourseACK record as a foreign key and also create a created_at inside the model (this will be required for expiry timer)
Make a view inside your views.py that takes this StudentCourseACK UUID as a url parameter where you will have to fetch courseack, studentid and documentid from this StudentCourseACK mapping table and redirects it to mysite.com/courseack/studentid/documentid. When you link this view with your url pattern make sure the listing is at the very bottom.
To make an expiry timer you can check the created_at date in your StudentCourseAck record for 48hours limit before redirecting inside Step 2
Finally when the student is redirected to the mysite.com/courseack/studentid/documentid endpoint you will have to follow a simple process of getting the StudentCourseAck data via .filter(studentid="some value", documentid="somevalue") and make changes to this data accordingly.
Another thing that I realise is that you can completely ditch the long mysite.com/courseack/studentid/documentid url and correspond it's logic inside the new view, but I assume that you want to keep it that way.

Related

Django Questionnaire app

I guys I am very new to Django and app dev and I am having trouble to structure my app.
I am creating an app to send team questionaire.So wokflow is the following:
1) I create a team_project (Team_name)
2) Send Invitations to team members using Emails
3) Based on that invitation Team_member signIn (creating a new user) and are directly assigned to that team created.
I have no idea how to handle that and especially part 3
If you could give me a direction how to do it I will really appreciate
Thx you very much
What you want is a common requirement, so perhaps there is already a library or solution for it.
to write the code from scratch, which is not recommended,
You can define a custom url , like example.com/join_team/some_random_looking_unique_string/
create a model which keeps a random string, email , and maybe some kind of expiration policy. Read the unique string in your view, and retrieve the record associated with it. send a form to get more details like password and etc and save the user in database.
I also found this repo that I think does what you want:
https://github.com/bee-keeper/django-invitations
explain more in your question, and you can get more detailed answers!

joomla 2.5 custom extension about users

I want your help to solve a problem in a site.
I know that when a user makes a subscription in the site through joomla log in form , it is stored in a table in sites database.
I want to the user to be stored in a custom table that I will make and it will be somewhere in the site.
The result I would like to be like this:
The site is for a school. Each student will made a subscription and his/her name will be stored to a table with lessons of the school. The teachers will log in the site and they will have to put the test results of each student in each lesson in this table.
it will be like:
lesson 1----lesson 2-----lesson 3
user's name 1-------- grade----grade----------grade
user's name 2-------- grade----grade---------- grade
You will need to look into custom component creation. As it is quite a simple component, the available component creators may do most of this for you. However it makes sense to understand the basics of how a component works first so that you know how to tweak and test it.
Simple components like this are ultimately just data entry into a single table, which is what most tutorials will cover. Components get more complex when interacting with other components or require more tables.
If students do not need to log-in to the site (and if they are unlikely to in future), then they do not need to be made users, but rather can just be a component item which is created by the teachers when they enter the data. If students need to log-in, then the id of the #__users table should be the match field in the new table.
When adding users to a site, it is important to make sure their permissions are set correctly so that they cannot access inappropriate data or make changes that they are not permitted to.
Also : If you are storing private information, it is particularly important that you keep Joomla patched for security - 2.5 is now rather out-of-date.

How to get django model relations using JSON?

I had no idea how to structure an accurate title for this question, but I did my best so please bear with me.
I am working on a app for my hockey team that consists of a django app and an mobile app that communicates with the django app using JSON (django-rest-framework). However, one problem I am struggeling with figuring out how to solve is as follows:
You create a user (using Token Authentication), and then you create a player and/or a manager.
However, what I am struggling with is what to do when an existing user logs in. How do I check whether or not there is a player or manager associated with that user? When I log in, all I get in return from the rest framework is that user's authentication token, so from a programming perspective, I have no clue what user it actually is since I dont have the user's Id. Even if I did, how can I look up players by anything other than their Id? Currently the only idea I have is to grab all players and loop through them to find one with the same email address as the user currently signed in has.
Hope this made some degree of sense!
Thanks
This isn't really a question about JSON.
Surely the token is associated with a user ID? I don't use django-rest-framework, but the documentation for TokenAuthentication is pretty clear that once the user logs in with their token, you'll get a normal auth.User instance in request.user just like you would with a standard web-based login.
Your second question is probably made irrelevant by that, but even so, you can always query by an email address, without needing to loop through:
Manager.objects.get(email=my_email_address)
Again this is standard Django querying - if you're not familiar with that syntax, you should do the Django tutorial.
Of course, since you have a User already, you can do a more efficient foreign key lookup:
Manager.objects.get(user=request.user)
or even
request.user.manager
(assuming you have a one-to-one relationship from User to Manager - it would have been helpful to see your models).

Does Django store information about who has edited and/or created a record, and if so, where?

Django has an authentication and authorization scheme baked in ('django.contrib.auth') as well as modelforms to generate forms for easy input of data into the database.
I'd like to be able to record who created a record, leveraging django.contrib.auth, with the explicit purpose of limiting editing of that same record to just that user and/or people with an "edit" permission. I know that I could use the #user_passes_test decorator to restrict access to editing my record in some fashion, but I don't know what I would compare the request.user.name to in order to determine if the current user originally created that record.
How much of this do I need to roll on my own? Do I need to capture the name author, save it to the model, and then read it - or is there something already in the framework that would do this for me?
And, if I was to attempt to save the author in a field, how would I go about doing that in such a way as to not let the user edit their own credentials?
There are a couple of apps to do something similar, please check https://www.djangopackages.com/grids/g/model-audit/
About the last questions, to prevent the user not to edit its own credentials, you can mark the field with editable=False so it wont appear in the admin or ModelForms.

How to post data to another website without using any browser related component?

I have a page where user is asked only for the payment amount, then user will be redirected to another website where the payment will be processed, I want the amount to be set on the redirected page without using querystring,cokkie, etc..
I tried to use web service but here is my challange:
user enters amount on the website.
webservice is called and set the amount to ex:400$
then user is redirected without any query string to another website.
Now:
how this payment website will know that this user is the user entered 400$ on the redirecting page?
I can count on approaches more secure than this also.
thanks
I have made some research on net and asked my experienced friends, the answer is "impossible" this way.
Because redirected website somehow identify that user and there is no solution without querystrings or browser related components,
Here is my friend's advice and i am little bit satisfied, not totally :)
He calls this approach as ticketing,
First create a datetime.now integer, with that number add id and amount of money to be processed.
Then make a complex function to encrypt data. take square of every odd digit then divide to 7 etc.
then on the other website, decrypt data and check datetime if its within 5 minutes for example,
the link is valid.
You have to pass the data to the other website somehow.
Cookies wouldn't work due to domain restrictions.
Query string or form posts could work, but you don't want to use query strings.
Alternatively, if both sites share infrastructure, you could use that to share information - for example if they both have access to the same database, you could use that to share data (though you would still need to identify the specific user to both sites).
The way the service would have to work is to give back some token, probably a GUID, that the site will then look for in the querystring of an HTTP request, to identify the owner of that pre-populated data. You then tack that token onto your redirect, and the client makes a request that causes the payment site to go pull the pre-loaded data for that client.
You still have to use a query string, but now, the query string doesn't contain any human-consumable information; they can't identify their $400 amount in the query string and change it to a different amount of money. If they change the GUID at all, the request will most likely fail as that GUID won't exist in whatever datastore of pre-populated data exists behind the payment site.
Contact the website/web service/gateway. They will provide you the API which will define parameters and methods to accept payment amount. If you are the author of such service, provide mechanism to accept such parameters from your caller application. Communication should be secure, using SSL.
For example for payment gateway Paypal, check this for ideas:
Use of the PayPal payment system in ASP.NET
Have a look on wikipedia.
Shortly the answer is impossible this way, because somehow the redirect website should identify the user, all the ways are browser related or ip ( which can cause many issues later)