How to handle in django user going back after payment confirmation? - django

After payment confirmation, I can go back to payment page and view the details on what user entered. This should not happen
Tried using java script to disable back button but read few recommendations saying its not a good practice to stop user going back. Not sure if there are any decorators like #login_required in django.
How can I force user to see home page even if back button is click on browser after payment confirmation? Does django provide any decorator for the same?

Related

Avoiding POST forgery on a Django site

I'm experimenting with a way of knowing the specific twitter identities of my site's users even though they're not logged in. And would like the help of the community to find out how I could reduce the possibility of impersonation.
The main idea is that a user comes to the main page, fills a form, and clicks on a "tweet this" button as a way to submit the form. That opens up a popup where the user sees a pre-filled message: "I just submitted this form" and tweets it. This popup resides on twitter.com. No oauth is involved here. When the tweet is done, twitter sends back the id of the tweet that was just created to a javascript callback function on the web page. This javascript function ajax POSTs the form fields as well as the tweet id to a handler on the server.
The server then fetches the twitter information of that tweet including the user info and saves the form info with a foreign key to the user.
What I want to avoid is for an impersonator to come to the page, fill up the form with junk, and manually POST the form including a tweet id to an unrelated tweet from another user.
Django, which I'm using, has something called CSRF tokens to avoid impersonators from doing POST calls without loading the page. But I'm not sure if this would also prevent users who load the page (and see the csrf token) to fake the POST.
The main thing I want to avoid is for people to associate a twitter id that is not theirs with a for that they post.
Looking forward to your suggestions of some creative ways to solve this or to poke holes at my thinking.

How to restrict users from going back to the previous page with the browser "back button" (redirect to a different page, instead)?

I am working on a site that would allow users to post some data. To successfully add a new post, the users need to go through three states: Form -> Preview -> Posted page. I want to restrict the users from going back to the Preview page with the browser "back button" once they have already reached the Posted page (instead, they should be redirected to the empty Form page). How can I implement this behaviour in Django?
I am not sure how you get this desired behavior from Django as you have limited control over the user's browser. However, in Javascript you can use:
window.location.replace(url);
which will remove history, thus preventing the back button from working.
See this stack overflow question about window location:
What's the difference between window.location= and window.location.replace()?
An idea: from your preview page, use AJAX to submit and if all is successful, window.location.replace to your posted page.
I can't speak for how to deal with this using browser technologies but with django you could just set a flag in the session.
# posted_page view
request.session['posted_page_visited'] = True
# preview_page view
if request.session.get('posted_page_visited'):
del request.session['posted_page_visited']
return http.HttpResponseRedirect("form_page")
Using js (window.location.replace(url)) doesn't fulfill this requirement because "replace url" will just replace the page with another one,Ex: if form flow goes from page1 to page2 then page3 then page4 and (window.location.replace(url)) is used in page2 (window.location.replace(page4);) then page3 will never be visited!! moreover user will still be able to go back in the same forward path meaning from page4 to page2...etc
the good thing, you can solve it by using Django session as shown below assuming users will be able to go back and forth as long as form not yet saved, and once its saved they can't go back anymore:
in page1/view function where first part of form is issued create session varaible:
in view1.py
def view1(request)
.
.
.
request.session['forward'] = True
return redirect(....)
in view2.py:
def view2(request):
if not request.session['forward']:
return redirect(..Select whatever page you want to redirect users to it..)
the same in rest of pages views..
in the last page/view where after saving the form, reset the variable:
request.session['forward'] = False
return redirect(..Select whatever page you want to redirect users to it..)
hopes its clear enough
django's form wizard should do what you want:
How it works
Here’s the basic workflow for how a user would use a wizard:
The user visits the first page of the wizard, fills in the form and submits it.
The server validates the data. If it’s invalid, the form is displayed again, with error messages. If it’s valid, the server saves
the current state of the wizard in the backend and redirects to the
next step.
Step 1 and 2 repeat, for every subsequent form in the wizard.
Once the user has submitted all the forms and all the data has been validated, the wizard processes the data – saving it to the
database, sending an email, or whatever the application needs to do.

How to post to a users wall as the App

I have build a Facebook-app that needs to post to the users wall in certain situations. I've come a long way in doing this: it works perfectly, even when the user is not logged in. However, I need to post to the user's wall on behalf of the app, not the user himself. The reason is that posting as the user will not trigger a notification.
Does anybody know how to do this?
This is not possible; apps cannot post to the profiles of users - if you want someone to come back to your app, you could use a Request which will increment the counter on the user's bookmark for your app, but it's not possible to post to a user's profile 'from' a page or application

Post a form with urllib and move to that page like a web browser

I want to POST a form manually using urllib and redirect the user to that page as if he had clicked the submit button in a web browser.
The reason I'm doing this is because before submitting a payment to paypal, I need to store some information into the DB. Then I want to handle the user to the paypal website without having him to click again in a "Buy now" button.
I'm using Django, if this matters somehow.
is this possible? thanks
This tool might help you: http://wwwsearch.sourceforge.net/mechanize/

django-registration with paypal integration

I'm trying to figure out how to integrate django-registration with django-paypal. Being a Django n00b, I'm trying to figure out how to implement a flow like this:
User signs up using django-registation with 'active' flag set to 0
After registering, send user to PayPal for a subscription
When they come back from PayPal successfully, I want to set 'active' to 1
I've been looking at the django-registration documentation and don't quite understand how to use different backends or implement a flow the way I want.
Any tips on how to accomplish this would be greatly appreciated. django-paypal won't be a problem for me as I've done PayPal integration before (in PHP for a self-published book about CakePHP).
To have registration not send an email you pass send_email=False to the RegistrationManager.create_inactive_user call in your view to register a user. After you create the user, you probably want to create a landing page with the paypal buttons for payment. Instruct the user to click a payment button to pay. Generally I send the user.id in the custom field for the payment button.
Then, in django-paypal, use the IPN signal handlers to activate the user based on the user.id in the custom field of the IPN query. You might want to send a modified registration email at this point, welcoming the user to your site and telling them you have received payment and have activated their account, but those are details for you to define.