I'd like to create a tooltip bubbles for my site for new users - many other sites do this (most google apps). I'd like to show them for all accounts created within the last week, unless the user specifically 'dismisses' the tip.
I thought about doing this with cookies - ie. set a "-dismissed=True" value that I could check as well as the account creation date and determine whether to show the tips.
However - this doesn't work across browsers, since cookies aren't shared between browsers. So if a user logs into chrome, dismisses the tip then logs in in FF the tip will reappear.
Does anyone know if there is common way to do this sort of thing? Or at least a better way than what i've described?
I'm using browser length sessions so I can't store it in the session.
You could have a user preferences model, with a one-to-one relationship to the main user model, which stores preferences like this. Create an instance when the user entry itself is created, and default the 'show tips' field to True.
You could also use the new custom user model functionality in 1.5 to store this in the user model itself, but that seems like overkill here.
Related
I want to be able to allow certain staff users the rights to add other users and staff but what seems weird to me is that 1) a staff member can just change their own privileges to superuser or just make a new user and grant superuser privileges to them. 2) delete a superuser or revoke their superuser status
Some staff users should be able to modify/create/delete users but they should not be able to delete super users nor assign permissions to themselves or other users that they do not have the permission themselves.
This has always been logic I have incorporated into my user systems that I've written in PHP and I was just wondering if there was a way to change these settings in Django as I really like Python/Django (I'm just beginning to learn it) and can see myself migrating away from PHP. But part of the beauty for me lied in the admin panel and if that is something that cannot be changed, that's kind of cringe-worthy.
It reminds me of a restaurant POS system that I used to use when I was a GM. As the GM, I had powers that shift managers did not have. However, the shift managers could add a fingerprint to my profile (theirs) and then just log in as me and do anything they wanted to. I always felt this was a severe security breach and even took disciplinary action on an employee for doing this. It also allowed the shift managers to create new employees with titles that were above theirs which created the same problem as they could just create a new GM or Area Manager, login, do whatever they wanted, and see all kinds of things that they shouldn't (like their colleagues' salaries), and then hide (not delete) the user. (this is how he got caught)
If anyone has a fix or any ideas and suggestions, I'd love to hear them and keep learning this exciting new language. Thanks in advance!
Django admin is a basic CRUD system, it is not recommended to use in that way. Django views (your custom views) give you more power to control the process.
First of all, Django Permissions might be a good start point. Create Groups for user types and assign desired permissions for each group. Do not give permission for non-superusers to change group or permissions.
Second thing is using Django Signals to check data before saving it. For example, a pre_save signal for User creation can be used to check if is_superuser, is_staff values of the user are set by non-superuser. You can add added_by value to the user model and verify your checks using this value.
Also, using custom forms for Django admin is also possible and might be the simplest solution for it. Just make a custom form for creating and editing users and verify changes in the form directly before allowing the view to save anything. It is also possible to inform user that they don't have access for changes they made and also notify the management about the attempt.
I apologize for my English it is not very good.
I am developing a website that will have own followers.
I need to create a button by followers such as facebook, twitter or google plus buttons.
Thank you for any information that will allow me to begin to develop the button next to the platform.
Thank you
First, your English is fair enough. For creating your own follow button you will have to have an image that will be displayed on your website. When someone clicks on that button, your webapp should be able to know who clicked it and your should be able to remember that user in future as well. So first you will have users to register on your website (like facebook and twitter) for unique identification of each user.
Next, for remembering that a particular user is following your website you need to persist some information about that user. The obvious approach is having a database table to store the information. For instance you can have IS_FOLLOWING column in your USER table
But there are some considerations. First, the user must remain on the same page or be able to continue his activity even after cicking the follow button. For example, if the user is filling some form then his data should remain intact even after clicking the follow button. If the user is directed to some other page, he might lose information.
Second, database operations are costly. So you need to use them wisely.
One approach that I could think of is having AJAX do the work. If you want to learn AJAX you can visit this website and for AJAX database operations this one will be helpful.
Ajax will do all the work in background and both the problems mentioned above will be addressed. I hope this was helpful.
On the site that I'm developing we need to track the last visited page for each user (users login to the site). What's the best way to do this? We are already using a custom profile so adding a new field is easy. The site will not have a lot of traffic so updating this field wont be an issue, i think. Are there better ideas? Does sitecore already offers something that we can possible use?
OMS has a "Top Exit Pages" report by default... but that is tracked across sessions, not users.
A good IIS log parser should also be able to give you this information... again, that would be by session (or IP) and not logged in user.
If you really want to get every exit page AND filter by logged in user... what I would do is add a new pipeline processor to httpRequestBegin, and place it after the ItemResolver. Then save the Item.Paths.Path. I would advise against writing this data to the user Profile if you are using the default ASP.NET Profile handler and you have a decent amount of traffic, because it is highly inefficient. Roll your own simple storage solution here, or just dump the data to a log.
My first question would be: Why do you need only the last visited page of the user? What are you trying to determine?
In a lot of cases, you are probably starting down an analytics route, or perhaps even trying to drive some marketing.
If the analytics is what you are going for, you can probably just pop an event out to your google analytics account with the current username as an event variable to allow you to look at analytics by user and by page. Alternatively, you could use the Sitecore OMS/DMS features for tracking all that data and looking at the analytics there.
If you are looking at driving marketing, you probably want to use OMS/DMS, especially if you want to start getting into personalization or engagement plans. OMS/DMS will track user activity, and all the pages they visit, though not by user account. With some customizations, you can probably add that data in, but it will depend on what you are trying to use the information for. The username may not be what is important to you.
If, however, you just want to know what page to send the user back to after logging them in, it would be better to just store that in session or pass as a post parameter if session is not a viable option for you.
I'm doing my first steps with ColdBox and I just got stucked. I have two database tables, users and firms and each user belongs to one firm. After a user logged in to the application, he can list every firm, but can only edit the firm he belongs to.
So how can I manage that the user only has an edit link for his firm? And how should I secure the firm handler and edit action?
I'm working with ColdBox VirtualEntityService and Coldfusion ORM. Should I write a function in the UserService which validates the users permission?
Your edit permissions should be part of the session somehow and your view should contain some logic as to wether a firm is "editable" and display the edit link. Of course your controller will need to double check the user permissions when someone actually uses the edit link to make sure they do indeed have the permissions they need.
This seems like a sort of "standard logic" question and has not so much to do with Coldbox. I'm not a CB expert but I don't think there's something specifically native to CB that handles your case. This is simply about writing good controller and validation code and figuring out what to store in your users session.
Scenario:
I have an administration-application which manages the user accounts for another application. Now I would like to place an user-specific-link (e.g. Click here to login with user1) in the administration-application allowing the admin to directly log in with the user in a separate browser window or tab (target="_blank").
Problem:
When the admin clicks two or more links and opens two tabs with tab1=user1 and tab2=user2, the last clicked tab overwrites the session-variables of all other tabs. Sure... that's how sessions work, but I wonder if there is a way to let the admin manage multiple user interfaces with one session in multiple tabs? But I don't see a possibility to identify a specific tab in the browser so that I could say "in tab1 is user1 and in tab2 is user2 logged in ...
Question:
Has anyone done something similar and likes to share the basic idea of solving this?
EDIT:
One possible solution could be to add an parameter to the URL with the userid and hand it through to every page, right?
As your edit points out, the way to do this is with a url variable that specifies who the user should be.
There are a number of security issues with this approach tho.
I'm assuming that your initial link is doing some sort of security check to make sure that the initial "log in" of the user is an authorized request. You'll need to do a similar thing for this method. If your initial request is something like http://example.com/page.cfm?userid={id}&authtoken={encryptedtoken} I would then put that userid into the session scope as a valid userid that the admin can impersonate. The more links they click on the more users they can impersonate. On subsequent requests you check the requested userid against the allowed list in the session and either allow or deny the impersonation.
You'll also need to update all the links on the site so that they include the userid in them. The easier way to do this is to cheat and user jQuery or such to rewrite all internal urls with the userid appended. You would conditionally include that javascript based on the above check.
Lastly you'll likely want to prevent these urls that include the userid from appearing in search engines, if it's not a fully locked down site. You'll either need to use canonical urls to remove the userid, or set x-robots headers to tell search engines not to index the urls where the userid has been specified; or both.
That's the most primitive method of getting different "sessions" for multiple users in the same browser. However you'll then bump into issues if you're using the session scope for anything meaningful, because each tab will try overwriting the other. You'll need to overwrite the normal site session variables on each request, or you'll need to create different structures in the session scope for each userid that is used. How much of a problem this is depends on your application.
It's a do-able thing, but probably a lot more work then you were hoping for.
The other option is to get the admins to use Google Chrome with multiple profiles and copy and paste the login url into different profile windows. A slight inconvenience for them, but a lot less work for you.