django catching http-referer not working always - django

if 'HTTP_REFERER' in request.META and 'mysite.com' not in request.META['HTTP_REFERER'] or 'HTTP_REFERER' not in request.META:
    return redirect('/')
If HTTP_REFERER is there and it does not contain mysite.com, or if HTTP_REFERER is not given, it should redirect to the start page.
My code is deployed over 7 servers, scheduled via a load balancer, and the code on all those 7 servers is up to date. But still, only sometimes, this redirect is not working.
What may I be doing wrong?
The case where it is not working:
One news site published a story about my page and pasted a deep link from my page. I clicked on that link, and it did not redirect. I was surprised and checked my code; everything was OK. I clicked on the link again and bingo, this time it did redirect me to the start page. I was happy, and thought it might be caching or something. But later I clicked on the link and the redirect did not work again. Then I posted this question. The case is independent of browser type and version.

Firstly, this code could be shortened too:
if 'mysite.com' not in request.META.get('HTTP_REFERER', ''):
    return redirect('/')
Secondly, HTTP_REFERER is not guaranteed to be present. It might just be that users are using bookmarks or browser autocomplete, which means the HTTP_REFERER may or may not be present in the cases you are testing.
A valid user of the site who uses a bookmark will be redirected. Likewise, an invalid user who gets referred from somedomain.com/mysite.com will be redirected. In this case it might be better to use startswith() when checking the referer. Is there not a better way you can manage what you are trying to do?
Maybe you can update the question with a little more context. I will be willing to help you as best as I can.
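
An added example (not code from either post): comparing the Referer's parsed host against an exact allow-list instead of testing for a substring, with a missing header treated as "not internal". The host names in ALLOWED_HOSTS and the sample Referer values are assumptions constructed for illustration; in a Django view you would call is_internal_referer(request.META).

```python
from urllib.parse import urlsplit

# Assumed host names for this example; use the hosts your site is served on.
ALLOWED_HOSTS = frozenset({"mysite.com", "www.mysite.com"})


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
        if parts.scheme not in ("http", "https"):
            return None
        return parts.hostname  # port and userinfo are not part of it
    except ValueError:  # e.g. a malformed IPv6 literal
        return None


def is_internal_referer(meta, allowed_hosts=ALLOWED_HOSTS):
    """True only when the Referer's host is exactly one of ours."""
    return referer_host(meta.get("HTTP_REFERER")) in allowed_hosts


def substring_check(meta):
    """The substring test from the posts above, kept for comparison."""
    return "mysite.com" in meta.get("HTTP_REFERER", "")


# Constructed Referer values (None = header absent).
SAMPLES = [
    "https://mysite.com/article/42",
    "https://WWW.MySite.com:8443/",
    "http://somedomain.com/mysite.com",
    "https://mysite.com.other.example/",
    "https://mysite.com@other.example/",
    None,
]


def compare(samples=SAMPLES):
    """Return (referer, substring result, host result) per sample."""
    rows = []
    for referer in samples:
        meta = {} if referer is None else {"HTTP_REFERER": referer}
        rows.append((referer, substring_check(meta), is_internal_referer(meta)))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The two checks disagree on every sample except the first and the last: the substring test accepts any URL that merely contains the site name and misses a mixed-case host, while the host comparison does neither.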

Related

Accessing wildcard page in flask by naked domain from phone redirects to searchvity.com

Hi I'm new at domains and registrars and just stumbled upon a really weird behaviour that I don't know how to tackle.
I built a website with flask (hosted in PythonAnywhere, with domain.com as my registrar). I set things up at domain.com so that the naked domain redirects to the www. version, and it works well for any page in the site that I've defined specifically in my flask like @app.route('/something/').
I had to tweak things a bit so that the naked domain also accepts them without the last slash, like this...
@app.route('/something/')
@app.route('/something')
def something():
    # actual code
    pass
...but, when I try to access a page that doesn't exist through the naked domain, on computer it doesn't work (404 error, doesn't even show a simple html page) and on my phone it shows a weird random page that after gossiping a bit I realized is by searchvity.com. And I mean, I have absolutely no clue about how on earth that's possible.
Also, the weirdest part of all this is I actually have a route in flask that should manage this (@app.route('/<randomurl>/'), also with and without slash), but as said, that only works when accessing the www. version of the domain.
I know it's kinda a minor issue (since why would anyone try to access on purpose a page that doesn't exist specifically in the naked domain). But it bothers me quite a bit that someone could be redirected to that random site if the conditions are given and they are coming from phone... and in any case it's an issue that shouldn't be there and I don't even know where to start in order to fix it.
EDIT: now apparently the desktop version also shows that same weird page.
EDIT2: The reason I had only 404 on my desktop and not the weird (DNS spoofing?) page was AdBlock.
EDIT3: When the issue happens, the server at pythonanywhere doesn't even see the access data (it's like nothing happened).
Finally I found NakedSSL, which lets you redirect people from your naked domain towards the https version.
I got to add a free SSL certificate on my pythonanywhere page (which is as easy as two clicks), and then on NakedSSL everything is quite straightforward too.
Now I get the proper pages in all the cases (404, wildcard, etc) and there are no more weird spoofing things.

Single-page login in Django app

I'm currently using out-of-the-box django.contrib.auth to handle authentication in my Django app. This means that the user starts at a log in page and is redirected to the app on successful login. I would like to make my app single-page, including this login process, where a redirect doesn't happen, but maybe a "hot" template switch-out or some fancy client-side div magic (that still remains secure). My Google searching turned up pretty short, the closest solution dealing with putting a log in form on every page.
Any direction or ideas here would be much appreciated. I would obviously prefer to work within the existing confines of django.contrib.auth if possible, but I'm open to all solutions.
I'm not sure I understand your question completely. I think you want to have a single page. If so, put logic in your template that checks to see if the user is authenticated. If not, display a login form that POSTS to the appropriate django.contrib.auth view. You can supply an argument to this view to have it redirect back to your page. When you come back, the user will be authenticated, so you won't display the login form.
Have a look at Django-Easy-Pjax https://pypi.python.org/pypi/django-easy-pjax - it works like a charm and is well documented. Everything you like is being made with AJAX requests: links, forms using GET and forms using POST.
Essentially you only need to add a data-pjax="#id_of_the_container_where_the_result_goes" attribute in your a and form tags.
And the great thing about it: It updates the title and location bar of your browser.
One caveat: If you want to upload files in some form, this is not supported by Easy-Pjax, so you might want to use some workaround jQuery library for that.

Django request paths

I've been working through an issue with my django project. The issue is I've got one project, which will retrieve data for users of different clients. I need to know 'from where' a viewer is coming from (request.path [my original solution]). I've been looking at a number of different options which sound close to what I want to do, but I'm not sure what the best option is, not having done this before.
My first option was to add a url in the urls.py with a 'tag' or 'keyword' then look for that tag/keyword in the request.path, which I'd add as a session key. Then go onto get the data.
Something else I started looking at was the sites framework. After reading through the documentation, I'm still confused how sites actually works, so I'm not sure if this is the right option.
Another solution talked about using middleware, this came up in connection with the research into using the sites framework.
And then yet another talked about doing this in apache.
Could someone help point me in the right direction?
Cheers,
T
If you need to know from which URL your user came to your current page, you should check the REFERER HTTP header, available in request.META.get('HTTP_REFERER').
See http://docs.djangoproject.com/en/1.2/ref/request-response/#ref-request-response for more information.
Be careful though, the referer meta is not mandatory and could be missing due to private browsing or direct access to the page from the URL bar.
It's not completely clear from your question, but if you're asking for the URL that the user was on before coming to the current page, you probably want request.META['HTTP_REFERER'].
Edit after comment
That would be a very bad idea. Global variables are not safe given that you potentially have multiple requests being processed at the same time. The referrer is already available from the request, which can be accessed in all views and templates, so I don't know what else a middleware would give you.

local copy of this webpage is out of date

My web pages cause the following error on the browser's Back button.
It works fine in Firefox but not in IE.
IE says:
Most likely cause:
•The local copy of this webpage is out of date, and the website requires that you download it again.
What you can try:
Click on the Refresh button on the toolbar to reload the page. After refreshing, you might need to navigate to the specific webpage again, or re-enter information.
What should be the cause?
I'm using Django + mod_python + Apache as the production environment.
How can I eliminate this error, or how can I trace it? Any help would be appreciated.
Using GET instead of POST isn't always possible, e.g. when the amount of data exceeds the maximum URL length. So, if you want to use POST, I would suggest that you respond with a redirect after each POST. Something like this (pseudocode):
def view(request):
    form = Form(request.form)
    if request.method == 'POST' and form.validates():
        # process form data, e.g.
        m = Model(form.data)
        m.save()
        # respond with a redirect (e.g. to the newly inserted data, or
        # back to the initial page)
        return redirect(m.get_absolute_url())
    return render_template('template.html', form=form)
The advantage of this is that the user won't get those annoying warnings about resending any POST data you described and that multiple submissions of the same data are less likely to occur (which means for example fewer double postings).
You're not wrong in your suggestion. It's because you've used a POST on that page. If you want people to go back to the page, put a link on the page to take them back to where they want to go, but make sure that they can still view the page properly without having to POST data to it.

Django Admin redirects not working

I am using the latest checkout of the django trunk - when I am in the admin on the "change" page for an object/item, there is a nice little link that says "view on site".
The link points to a url such as:
http://example.com:8888/admin/r/22/15/
However, when I click on that link (or enter that link into my browser) I get redirected to:
http://example.com:8888//example.com:8888/video/15
Which isn't a valid url - but it's really, really close ... the same is happening when I try to get_absolute_url for a comment. I get the short little redirect but it doesn't take me to the right page.
Any ideas why this is happening?
Additional Info (edit):
have tried with 1.1.1 (same problem)
I have one site listed under sites which is 'http://example.com:8888'
I thought maybe it had to do with the port number at the end - but what is strange is that my object's get_absolute_url works without a hitch.
I think the problem is coming from django.contrib.contenttypes.views.shortcut which is doing some funny appending business to handle cross-site things ... which I don't quite understand.
get_absolute_url (for objects)
@models.permalink
def get_absolute_url(self):
    return ('video_detail', [str(self.id)])
I figured it out: my site's 'domain name' was listed as:
http://example.com
But the 'http' is what is throwing it off. When I removed it and just listed it as:
example.com
It works. I just have to update my email templates to include the 'http', I think ... unless django comes with a built in for adding that in its sites package. Off to investigate ...