Cross-domain redirect to a partially filled form on Django web application - django

I have an HTML form in my Django web application (NOT implemented using Django forms) that does a POST request.
Now I want to implement a feature so that other web apps, not necessarily Django, from different domains, can send some data to my application and get redirected to the web page with this form, partially filled with that data (the data can be JSON).
Besides redirecting, after the user clicks submit on my form, I would also want to send a message to the other server with some short text information.
I am not sure what the best way to implement this is. A REST interface like Piston?
Could you give me some general directions I should follow?

You should create a view that handles the POST data from the form and the external web apps.
You should be able to check whether the data you are getting in the view is coming from your site or another by checking request.META['HTTP_REFERER'].
If it is from your site, you can just handle the form as you usually would.
However if it is from an external site, you would instead render the template with the form in it. You can put the information you got from the external site into the context, so you can pre-fill the form in the template.
You should also include a flag in the form to say that this was from an external site, something like:
<input type="hidden" name="external_site_url" value="{{ external_site_url }}">
After that form is submitted, you can check for the existence of external_site_url. If it exists you can then send the message to the other server.
Note, because you want other apps to use your view, you'll have to disable CSRF protection on the view (https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-protection-should-be-disabled-for-just-a-few-views).
Also, by allowing other apps to use your view, you are opening yourself up to a lot of possible attacks. Be very careful with input validation and only give the view the ability to do the things it really needs -- you don't want an external app to be able to delete entries in your database for example.
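The parts of the answer's view that are easy to get wrong, as an added example that is not the asker's or answerer's code: classifying the Referer, validating the prefill JSON sent by the external app, and checking external_site_url against an allowlist before the server sends the post-submit message to it. Host names and field names are constructed placeholders; the Django view (decorated with csrf_exempt, as the answer says) would call these helpers.

```python
"""Framework-independent helpers for the intake view described above (added
example). Assumes the external app POSTs its data as a JSON object; all host
names and field names are constructed placeholders."""
import json
from urllib.parse import urlsplit

OWN_HOSTS = {"donate.example.org"}                    # hosts of *this* Django site
# External apps allowed to prefill the form and to receive the completion message.
# The hidden external_site_url field is attacker-controlled, so it must be
# checked against this allowlist before the server ever POSTs to it.
ALLOWED_EXTERNAL_HOSTS = {"partner.example.com"}
PREFILL_FIELDS = {"name": 80, "email": 254, "amount": 12}   # field -> max length


def classify_origin(referer):
    """Return 'internal', 'external' or 'unknown' from the Referer header.
    Referer is client-supplied, so 'internal' only routes the request to the
    normal handler; it must never be used as an authorization decision."""
    if not referer:
        return "unknown"
    host = urlsplit(referer).hostname or ""
    if host in OWN_HOSTS:
        return "internal"
    return "external" if host in ALLOWED_EXTERNAL_HOSTS else "unknown"


def parse_prefill(raw_json):
    """Parse the JSON an external app POSTs and keep only allowlisted string
    fields, truncated to their maximum length. Unknown keys are dropped."""
    try:
        data = json.loads(raw_json)
    except (TypeError, ValueError):
        return {}
    if not isinstance(data, dict):
        return {}
    cleaned = {}
    for key, limit in PREFILL_FIELDS.items():
        value = data.get(key)
        if isinstance(value, str):
            cleaned[key] = value.strip()[:limit]
    return cleaned


def callback_allowed(external_site_url):
    """True only for an https URL whose host is allowlisted; run this before
    sending the post-submit message to the other server."""
    parts = urlsplit(external_site_url or "")
    return parts.scheme == "https" and parts.hostname in ALLOWED_EXTERNAL_HOSTS
```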

Related

How to build conversational form with django?

I am trying to build a conversational form with Django.
It will be used in a landing page. The form questions will be loaded one by one as the user answers them, and there will be some greeting and "human-way" responses to user input (such as "wow! you did a good choice!" after the user selects one of the choices from the form). The experience and look of the app will be like a real-time chat, but the user can only select one of the choices from the form or upload a file/image.
1. Which technology is better to use for it? I am planning to do it with Fetch.
2. Since I want it to work without page reloading, how do I need to load Django forms through Fetch? Do I need to pass elements of it with JSON and construct it in client-side or can I just pass it as an html with {{form.as_p}} and display it in HTML?
Do these options make a difference in terms of security?
I do not know anything about Fetch, but anyway I think it must be constructed client-side, but at first I would simply display the form in a template to get the ids of its fields and then use it in client-side code.
What about security - you'll need to pass the csrf token via your form.

Django internal requests

I have a project in Django with already written pages. I want to rewrite some of them and put HTML content using Ajax in a Modal window from Twitter Bootstrap. These pages should be internal (access from the browser should be forbidden). Is it possible in Django?
You can check request.is_ajax() in the view and send back a different template. I usually do this with passing in a different context variable for the base template that doesn't show any of the usual header, footer, etc. content.

Implementing Ajax requests / response with django-allauth

I am using django-allauth for one of my projects. I would like to implement the login/signup process via ajax. I would like to have a customized signup form. I was going through their signupmixin and signup form. It sounds like I can write custom views for each action and map them to the URL config. I am not sure what the best way to do this is.
Thank you so much for any help or advice on this.
It depends a bit on what you mean by ajax. If you just want to have a popup-style login/signup box on every page, then you can simply add the form to your base template and show it dynamically using Javascript in a popup box or so. If you keep the form action url to the original allauth urls then this will already give the feel of an ajax signin. You could also tweak things by using $.ajax or $.post to post to the original allauth views.
Something like the above is done on http://officecheese.com/ -- this is an allauth based site, though I am not affiliated with it.
If by ajax you mean that all authentication-related views should be displayed via ajax, without causing a new document reload, then I am afraid you are a little bit out of luck. This is simply problematic for scenarios where e-mail verification or OAuth handshakes are involved, as here you are typically navigating to a new URL from your mailbox, or redirecting to Twitter and so on.

Duplicate/Post django form on a non django website

I have a Django site that has a donate form on it. This site handles only the internal donations by the organization. They have a public-facing site that is not Django driven. They want to have the same donation form for public users to submit donations through and have it get posted into the Django site's database.
Is there any way to have a non-Django site post form data to my database? Can an iframe handle something like this?
EDIT:
The other problem I have is that this form has logic built within it. Based upon their address I trigger an ajax request to give a list of possible choices from the database for a select field. So this may further complicate things.
The only problem will be with CSRF protection. You can't implement CSRF if you actually intend posts coming from an external site. Just decorate your form handler view with csrf_exempt.

how to use django_csrf for mobile application

I am writing a mobile application for a Django website. I understand that every form in Django has a CSRF token key for protection. When using a browser to navigate the site, the server renders a key for the user.
What I am confused about is that for a mobile application, we don't need to view the presentation layer from the site. I just want to do an HTTP POST to send data. I know I can use csrf_exempt to disable the CSRF for that form, or I can make another view to render the CSRF token for me, but this way I need extra parsing and an extra HTTP request. So is there a nicer way to do it?
Thanks for your time
If your mobile app is rendering a template you can add {% csrf_token %} into the template that renders the form. If you're not using a form and instead just posting data you can create the token as above and then simply post its value with the data. And if you're not using a template to create the mobile app's markup, well then use csrf_exempt (if say you're just posting data to the server periodically).
Obviously there has to be a view to process the posted data, but even if you're using a generic view for that you could still wrap that view (in your urls.py for example) and gain the use of csrf_exempt.
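A client-side alternative to csrf_exempt for the "just post data" case in the question, as an added example that is not the asker's or answerer's code: a Python client that fetches one page to receive Django's csrftoken cookie, then POSTs with that cookie and the same value in the X-CSRFToken header, which is how Django's CSRF middleware accepts non-form clients. The URLs are constructed placeholders, and the token page is assumed to be a view that actually sets the cookie (a template using {% csrf_token %}, or a view decorated with ensure_csrf_cookie).

```python
"""Non-browser client for a Django CSRF-protected endpoint (added example, not
the asker's or answerer's code). The client obtains the csrftoken cookie with a
GET, then sends it back alongside the same value in the X-CSRFToken header.
URLs below are constructed placeholders."""
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlencode

BASE_URL = "https://app.example.org"            # placeholder for the Django site
TOKEN_PAGE = BASE_URL + "/accounts/login/"      # any view that sets the CSRF cookie
POST_URL = BASE_URL + "/api/submit/"            # the view that processes the data


def csrf_token_from_jar(jar, cookie_name="csrftoken"):
    """Return the value of Django's CSRF cookie from a cookie jar, or None.
    The cookie name is Django's CSRF_COOKIE_NAME setting, 'csrftoken' by default."""
    for cookie in jar:
        if cookie.name == cookie_name:
            return cookie.value
    return None


def build_post(url, token, fields, referer):
    """Build the POST the way Django's CsrfViewMiddleware expects from a client
    that is not submitting a rendered form: token in the X-CSRFToken header (the
    cookie travels via the jar) and a Referer header, which Django requires on
    HTTPS requests."""
    body = urlencode(fields).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-CSRFToken": token,
        "Referer": referer,
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def submit(fields):
    """Full flow: one GET to receive the cookie, then the protected POST.
    Returns the HTTP status and the response body."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(TOKEN_PAGE).read()              # the response sets the csrftoken cookie
    token = csrf_token_from_jar(jar)
    if token is None:
        raise RuntimeError("server did not set a CSRF cookie")
    response = opener.open(build_post(POST_URL, token, fields, TOKEN_PAGE))
    return response.status, response.read()
```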