I'm learning Django and for this reason I'm developing an application described below.
This application allows users (authenticated and anonymous) to send message to other users.
Authenticated users can send message and can track all messages simply as all application that uses this feature. (like Facebook messages, for example)
The problem are anonymous users. I would an anonymous user can send message to other users but he can track his messages only for his session. Users can also reply to a message of an anonymous user but If an anonymous user lost his session lost also his messages.
The problem is, how can I manage anonymous user and their messages for the session only?
Django supports anonymous sessions.
If your app is relatively simple (it sounds like it is), I would do the following:
Create a standard Django user profile model and link that to the users messages but do not use OneToOne to connect to User.
Use database backed sessions (https://docs.djangoproject.com/en/dev/topics/http/sessions/#using-database-backed-sessions)
Create a temporary user profile model for anonymous users and store
their temporary profile id in their session.
Once a day delete all profile objects that do not have a user AND
whose id is not in the sessions table. A simple way (and what I would do) is have a created date/time field on the profile and just delete any profile that was created two weeks or more ago and has a null user field. I'd just crontab a django management command.
The cool thing is that if somebody registers after using the app anonymously for a while you can use their temporary profile as their profile and they keep their messages.
Related
I am creating a flask app to be used internally in my company. I would like to restrict what a user can do it based on its login ID. I read a lot about using LDAP3 but I don't think I can do what want which send the login ID to the server. There I would have a table which will register which part of the system has the permition to edit. If it try to change somenthing not permited the app will retrieve a warning message.
I won't to do that to avoid having to create a separate login functionality just for this app. I read that I should use AD authentication but I am not very familiarized with that and I would also like to avoid having to ask our IT department to create user groups there for each part of my system.
I know that I can do that using ASP .NET (at least I did once).
Any guidance will be apreciated.
I think you are looking for Role-based Authorization.
In order to use this functionality you will need to implement roles on your model file per the Data-models documentation.
This will allow you to assign users a role when they are created, and you can use a decorator on your routes to 'require' the user to have the role you want them to have before they access the endpoint.
I'm writing a web application with Django framework. This web application is API based and I'm using Django rest_framework. I have a security issue: On the first page, the user must solve a Recaptcha. After solving the Recaptcha my site gives a session ID to the user and after this, the user must post this session ID in the body of all his/her API calls and every API can be called just once with a specific session ID. In other words, I have a state machine for the APIs being called by the user and in each state, the user can call the APIs which have corresponding outgoing edges from that state.
The purpose of all of the above procedures is preventing the user from crawling my website. (User can't call an API many times with a session ID and he/she should act as a normal user and call every API at most two or three times)
Now my question is that how should I handle this in my Django app? Before this, I just used the ordinary Django session middleware for handling sessions. Now should I handle the authentication process and passing and getting session ID completely in a manual way or is there a way in which I can use that middleware that it can be able to handle my procedure.
You can do this with simply with saving your user's state and in each step update your user's state and consider the next states which user can see.
Use custom permission classes for your APIViews to block such request.
Read more here https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
I know that one can set up authentication with the built in django login(request, user), request.is_authenticated when the user acquires the sessionid cookie, and authenticate(request, username="foo", password="bar").
However, underneath this interface, django creates a User object in the database. I am authenticating using other means, namely LDAP. I can opt for just passing the username and password for LDAP every single time, but having a sessionid token would be ideal.
Is there any way to use the same login(), request.is_authenticated, authenticate() API but without using the User model underneath? Another alternative is fine as well. The one restriction that I have is that I do not want to use another library.
Thanks!
As far as I know, its not possible to use djangos authentication/autorization framework without the User model.
In the part where the docs talk about customizing authentication, it is always centered around the User model (even if it is your custom user model).
That being said, you could look into something really hackish: creating your custom user model that is not stored in the database.
For that you'll probably need custom fields and managers that prevent database calls while still making certain fields available in the model (like email and username). I never tried it, but it should be possible by overriding djangos default behavior in the right places.
But all that effort is probably not worth the trouble. Just write your own authentication backend that automatically creates an User instance on successful authentication against your LDAP source, so you can "harness the full potential of the django User model".
I am working on SPA AngularJS application which allows users to collaborate on projects and stores history of edits for each user. The requirement is to allow unauthenticated users to manipulate data too. Once the user registers, I need to associate her history of edits with the newly created account. The backend is Django.
What is the best option to track actions of anonymous users?
I can create “anonymous” user at the firs visit, issue JWT, store it in the browser and use to track all the user’s activity. Later on when registering user, just update her profile.
The drawback is that there is a potential to get a lot of orphaned users that need to be periodically cleaned up.
This is similar to https://github.com/danfairs/django-lazysignup, but adapted to work with https://github.com/GetBlimp/django-rest-framework-jwt.
Use JWT or cookie to track user session. Allow using session identifier instead of user key to track user’s activity. When creating real user update all references to the session with user’s pk.
Anything else?
From my experience go for solution 1. The orphan user is often not a problem because from business plan point of view it's user and the more is better.
Also having only a notion of user is really simpler. They are users who haven't fully completed their profile that's all.
I creating a page which already login with account's user and has a link to do login with another account. But I have no idea, yet. Anyone have some cool idea?
Django's session engine manages per-user sessions, i.e. each user (auth.User instance) gets a single session, his own.
While that does mean you have to track each user under a single auth.User instance, it doesn't mean you can't create a UserProfile that will implement a custom layer which tracks multiple accounts (I'd use this term loosely) with an single auth.User instance.
That's what you usually do if you accept multiple login mechanisms. For instance, your users may have an existing account to which they can log in using their registered username, password, but they can also login via OpenID or their Facebook account.