Prevent URLs from being called directly

Thread: Prevent URLs from being called directly

Search this list only Search all lists
Prevent URLs from being called directly
United States	2007-03-30 05:01:44
Hi, I have a function in my views.py that expects POST data from a form. As long as this function is called correctly, i. e. from within the form, everything works fine. But if I call this function directly by typing it in the URL, I'm getting an error page complaining about missing data (which is correct and okay for me, but may possibly seem a bit strange for an end user). I wonder if there is a standard way in Django to prevent URLs from being called directly. Helge --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

Re: Prevent URLs from being called directly
Australia	2007-03-30 05:16:22
On Fri, 2007-03-30 at 03:01 -0700, Helge wrote: > Hi, > > I have a function in my views.py that expects POST data from a form. > As long as this function is called correctly, i. e. from within the > form, everything works fine. But if I call this function directly by > typing it in the URL, I'm getting an error page complaining about > missing data (which is correct and okay for me, but may possibly seem > a bit strange for an end user). > > I wonder if there is a standard way in Django to prevent URLs from > being called directly. That's not really the way the web works -- you can't reliably tell the difference between called from your form and called directly until you start looking at the data. The view function should check if the required data is present and, if not, return an appropriate error page. You could even check that it is called as a POST and return an error if they don't do that, too. Regards, Malcolm --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

Re: Prevent URLs from being called directly
Germany	2007-03-30 05:25:15
On Fri, Mar 30, 2007 at 03:01:44AM -0700, Helge wrote: > > Hi, > > I have a function in my views.py that expects POST data from a form. > As long as this function is called correctly, i. e. from within the > form, everything works fine. But if I call this function directly by > typing it in the URL, I'm getting an error page complaining about > missing data (which is correct and okay for me, but may possibly seem > a bit strange for an end user). > > I wonder if there is a standard way in Django to prevent URLs from > being called directly. You can use the require_POST decorator to ensure that the view has some POST data. IIRC it responses with a 405 error if the POST data is missing but that's not displayed as an error message to the user. Maybe this can be enhanced. Arvin -- Arvin Schnell, <aschnellsuse.de> Software Engineer, Research & Development SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

Re: Prevent URLs from being called directly
	2007-03-30 05:39:36
On 3/30/07, Arvin Schnell <aschnellsuse.de> wrote: > > On Fri, Mar 30, 2007 at 03:01:44AM -0700, Helge wrote: > > SNIP > > I wonder if there is a standard way in Django to prevent URLs from > > being called directly. > > You can use the require_POST decorator to ensure that the view > has some POST data. > > IIRC it responses with a 405 error if the POST data is missing > but that's not displayed as an error message to the user. Maybe > this can be enhanced. > > Arvin Another idea would be to redirect to the form page. So, process the data if it exists, or redirect the request to the 'proper' from page. Regards, Cam --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

Re: Prevent URLs from being called directly
United States	2007-03-30 05:50:46
Hey guys, Thanks a lot for all your answers! Helge --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

Re: Prevent URLs from being called directly
United States	2007-03-30 15:12:57
This situation is greatly helped if the same view displays the form as well as processes it. So it could look something like this: def write_entry(request): form = EntryForm() if request.POST: form = EntryForm(request.POST) if form.is_valid(): ... save entry, redirect to new page... return render_to_response('entry/write.html', {'form':form}) In this way, if they just type it in as a GET, they'll go to the form page. If they're submitting the form, then it will be validated and either return to the page with errors, or save the new entry and redirect to the new page. This paradigm isn't valid in all cases, but when it works, it works well. On Mar 30, 6:39 am, "Cam McVey" <cam.mc...gmail.com> wrote: > On 3/30/07, Arvin Schnell <aschn...suse.de> wrote: > > > > > On Fri, Mar 30, 2007 at 03:01:44AM -0700, Helge wrote: > > SNIP > > > I wonder if there is a standard way in Django to prevent URLs from > > > being called directly. > > > You can use the require_POST decorator to ensure that the view > > has some POST data. > > > IIRC it responses with a 405 error if the POST data is missing > > but that's not displayed as an error message to the user. Maybe > > this can be enhanced. > > > Arvin > > Another idea would be to redirect to the form page. So, process the > data if it exists, or redirect the request to the 'proper' from page. > > Regards, > Cam --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

Re: Prevent URLs from being called directly
United States	2007-03-30 15:45:02
On Mar 30, 10:12 pm, "Ian" <ian.terr...gmail.com> wrote: > This situation is greatly helped if the same view displays the form as > well as processes it. So it could look something like this: > > def write_entry(request): > form = EntryForm() > if request.POST: > form = EntryForm(request.POST) > if form.is_valid(): > ... save entry, redirect to new page... > > return render_to_response('entry/write.html', {'form':form}) > > In this way, if they just type it in as a GET, they'll go to the form > page. If they're submitting the form, then it will be validated and > either return to the page with errors, or save the new entry and > redirect to the new page. > > This paradigm isn't valid in all cases, but when it works, it works > well. Very cool. That works perfectly for me. Thanks a lot! Helge --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-usersgooglegroups.com To unsubscribe from this group, send email to django-users-unsubscribegooglegroups.com For more options, visit this group at htt p://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---

[1-7]

about | contact Other archives ( Real Estate discussion Medical topics )