views:

2528

answers:

2

I'm trying to create a redirect in a Django view to an external url with some get parameters attached to the request. After doing some looking around and some trying around, it seems I have hit a road block.

So my view looks something like this

def view(request):
    data = get.data(request)
    if something in data:
        return HttpResponseRedirect('example.com')

This is as far as I was able to get. I know that you in the request url can specify some get parameters like this:

...
return HttpResponseRedirect('example.com?name=smith&color=brown')

However since some of the data is sensitive, I don't want it to end up in the url. Since it's an external url I can't use the redirect() shortcut that accepts views parameters. So pray tell, how does one accomplish such a task?

Edit

After having done some more looking around, and have chatted a bit in IRC, it seems that what I should do, to keep the get parameter away from users, containing payment info, is to send them as post instead. I was told that you should be able to do it by using some JS as well, possibly jQuery. The question still remains though a bit more complicated now. How would one go about creating post redirect in django with the help of javascript?

2nd Edit

Seems like I have been misinformed. Thanx for clearing that up with the redirect protocols DR. Looks like I have been going down the wrong path in my attempt of using redirect to solve this problem.

+2  A: 

GET parameters always go in the URL, that's what makes them GET parameters.

It is not possible to redirect using POST parameters (which don't go in the URL) - this is a restriction of HTTP, not Django.

Daniel Roseman
Does that mean it's not possible to redirect to a payment site/window, without the user being able to see all the data being sent along?
googletorp
+3  A: 

I suggest the following approach. In your Django view/template return form to the browser with all the parameters that you want to post as hidden form elements. As soon as the form loads the JavaScript will submit (POST) form to where ever you want.

View:

from django.shortcuts import render_to_response

def view(request):
    return render_to_response('test.html', { 'foo': 123, 'bar': 456 })

Template:

<html>
<head>
    <title>test</title>
     <script type="text/javascript">
     function load()
     {
          window.document.test.submit();
          return;
     }
     </script>
</head>
<body onload="load()">
<form name="test" method="post" action="http://www.example.com"&gt;
    <input type="hidden" name="foo" value={{ foo }} />
    <input type="hidden" name="bar" value={{ bar }} />
</form>
</body>
</html>
That's a clever way to avoid the redirect. However, this is javascript dependent so would need to make a graceful degradation also. I wonder how smooth this will be in practice though, having to load the page before being able to do the js post.
googletorp
Yes this solution depends on JavaScript being enabled in the browser, but it doesn't mean that you need to do it right on this page. You should check for JavaScript before you even get to your view. So that if it is not enabled then user would not even get this far. As for the loading of the page, it would depend on how quick your view returns, and how big is the result HTML. If you only have a couple fields the rendering of the page I am guessing would be in sub-second time. The redirection itself is quick too, so the user experience with this solution is very similar to a normal redirect.