Avoiding POST forgery on a Django site - django

I'm experimenting with a way of knowing the specific twitter identities of my site's users even though they're not logged in. And would like the help of the community to find out how I could reduce the possibility of impersonation.
The main idea is that a user comes to the main page, fills a form, and clicks on a "tweet this" button as a way to submit the form. That opens up a popup where the user sees a pre-filled message: "I just submitted this form" and tweets it. This popup resides on twitter.com. No oauth is involved here. When the tweet is done, twitter sends back the id of the tweet that was just created to a javascript callback function on the web page. This javascript function ajax POSTs the form fields as well as the tweet id to a handler on the server.
The server then fetches the twitter information of that tweet including the user info and saves the form info with a foreign key to the user.
What I want to avoid is for an impersonator to come to the page, fill up the form with junk, and manually POST the form including a tweet id to an unrelated tweet from another user.
Django, which I'm using, has something called CSRF tokens to avoid impersonators from doing POST calls without loading the page. But I'm not sure if this would also prevent users who load the page (and see the csrf token) to fake the POST.
The main thing I want to avoid is for people to associate a twitter id that is not theirs with a for that they post.
Looking forward to your suggestions of some creative ways to solve this or to poke holes at my thinking.

Related

Issue with POST email, returning to same page, templates and httpresponse

First of all, I only started using Django a week ago... so pretty new :).
I have a one page website. At the bottom there is a contact form. I am using different components for the website, so for the contact form I have 'contact.html' which is loaded into index.html via {& include ... &}. When someone sends a message via contact form, after click send, the user returns to the same page but with a thank you message instead of the contact form (see screenshot).
The issue is that I need to 'kill' the process going on underneath because if I reload the page a message pops and if I resubmit, email gets resend again (see screenshot).
I have had a look at httpresponse but I am unsure how to replicate the same process. Anyone could help?
This is a screenshot of contact.html and views.py
Two things.
I would first consider using a front end framework such as react. (will make your life easier)
Secondly, your code seems fine, you are sending the email twice because you are submitting the form twice.
perhaps redirect the user to a different page upon submission. there is no need to reload the page yourself.
I would have a form, then a confirmation page.
Better yet, write an api, and upon response from the server simply create a popup saying success/fail etc...

Django auto submit form?

I want to know if I can submit a form in django without user interaction so that it acts just like when a user posts a form. Here is my situation:
User submits data to payment gateway.
Payment gateway responds with data which has to be validated.
User redirected to payment gateway and more data has to be posted to gateway.
One option for me is to render another form for the user after step 2 which can then be used to post the data and redirect for step 3. However the user has to click a button again.
I couldn't find anything relevant to my situation about submitting forms with django.
Is there a way I can do this without the user interacting again for ease of use?

How to keep form data through login process?

To optimize my page I want users to be able to fill out forms without being logged in, but then ask them for their password upon submission. I already know I can use &next= to redirect the user, but then all the POST data of the form is lost. Is there any built in way to have the user login and then resume to where he has been including post data he just sent?
If you have also file in form, then session is not useful for you.
Second solution is save data into models and after login, you can use saved data to link with logged in user as said by #doniyor.
The best way is to use django-formwizard.
Django comes with an optional “form wizard” application that splits forms across multiple Web pages. It maintains state in one of the backends so that the full server-side processing can be delayed until the submission of the final form.
Here the link.
https://docs.djangoproject.com/en/1.7/ref/contrib/formtools/form-wizard/

Django: what are some good strategies for persisting form input across login?

I have a webapp that allows authenticated as well as anonymous users to start entering some form data. If a user is happy with his/her input, he/she can save that form to the server. This is a very similar problem to a shopping cart application that does not require login until checkout time.
For the authenticated user, implementing a save button is trivial. However for the anonymous user, the form data need to be stored somewhere while authentication is taking place, then correctly retrieved after logged in. Can someone please suggest some general strategies to go about this?
I found this link that is promising but I want to be thorough about this topic.
I think the correct way of doing this is to use django sessions. Basically each user (anonymousUser included) has a session during its stay on the website (or even more).
If you have a form that you want to store for a specific session, you can do it by using
request.session['myform'] = form
you get it by
request.session['myform']
and you can delete it using
del request.session['myform']
Basically Django pickles a dictionary of the session and saves it in a place (typically the database, but can be on other place as explained in django sessions).

How can I allow my users, who create pages on my website, to communicate back to those people who click the Facebook "Like" button on their pages?

OK, apologies for the verbose title. Let me give the background in a bit more detail.
My website allows my registered users to create new pages, each of which has its own unique URL. Each page has a Facebook "Like" button on it. I've already implemented Facebook Open Graph API meta tags so that the pages are proper open graph objects, and when some other visiting Facebook user "likes" the registered user's page, a post appears on that Facebook user's wall saying they have liked the page. The Facebook Like widget also displays the number of "likes" that page has received as normal. So far, so good.
What I want to do is allow my registered users to be able to communicate back to the Facebook users who have liked their page. The community of "likers" for a page is a potentially valuable social media resource to the registered user, if only they could communicate back.
I am aware of the "admin page" link you get beside the Like button, which can be used to post to these people, but that is not an option for my registered users as they have no privileges in relation to the Like button.
What I want to do, if possible, is setup a form to capture the registered user's message back to the Facebook users, and then my website sends the message on their behalf, without having to ask for any extra privileges from the Facebook users.
The following Facebook documentation pages seem to say this is possible, but having followed the Open Graph API documentation, I can't get it to work as described - http://developers.facebook.com/blog/post/465/ and http://developers.facebook.com/docs/reference/api/ ("Publishing" subsection). I can get the access token correctly in the first request, and plug that into the second request to do the post, but that doesn't seem to do anything and doesn't return any error.
Since it doesn't work for me, I'm wondering if this is possible as described, or do I need to get some sort of extra permission to do this? I've seen reference to offline_access permission but as I'm new to this stuff I am not sure how it would fit in. If I have to get the Facebook users to grant permissions, this is not going to work as envisaged.
Any thoughts would be most helpful.
The short answer: No, You will never been able to post on someones wall as another user.
The long answer:
You could try to ask for offline access but then you are asking the user to hand over all their facebook data and give you access todo whatever you like their accound, so that is not likely to happend.
The next problem is that they have to be friends to be able to post on each others walls.
Thats why Pages was implemented, so that organisations could announce/talk with the people interested.
However if you have created the like button correctly and give the pages correct meta data, you are able to post to user who have liked it.
Scroll down to Publishing:
http://developers.facebook.com/docs/opengraph/
Just add a form for your user and let your system publish to the correct page, you probably will need a offline token from your own account or similar to use on the server.
Another more complex way could be to generate a facebook page for each page you have on your server.
When the user creates a page on your system a page is created on facebook but as your app as admin.
And when another user likes the page they like the facebook page, hence you have the possibility to post in that page and speak to the user who liked it. (whooa thats a mouthfull).