tags:

views:

32

answers:

2
+3  Q: 

Django, restrict access to registration success page.

This is something I've wondered about in a couple of frameworks that I've messed around with. Assuming I don't want to automatically log a user in when they register (I want them to activate) how can I make it so a user can't just visit the "register-success" page? Right now, here's what I have:

def register(request):
    if request.method == 'POST':
        rf = forms.RegisterForm(request.POST)#register form
        pf = forms.ProfileForm(request.POST)#profile form (additional info)
        lf = forms.LoginForm()#login form is also on this page but is empty when registering
        if rf.is_valid() and pf.is_valid():
            newuser = User(username=rf.cleaned_data['username'],email=rf.cleaned_data['email'])
            newuser.set_password(rf.cleaned_data['password'])
            newuser.save()
            #need to mark newuser as inactive still
            profile = pf.save(commit=False)
            profile.user = newuser
            profile.save()
            return HttpResponseRedirect("/register-success/")
        return render_to_response("authentication/index.html", {'rform': rf, 'pform':pf,'lform':lf})
    return main(request)

def register_success(request):
    return render_to_response("authentication/register-success.html")

My url-conf:

(r'^register-success/$','register_success'),

The other way I thought to do it was to just render_to_response("authentication/register-success.html") and not do the redirect. The benefit is, no one can access the register-success.html page, the downside is if the user refreshes the page it will try and resubmit the POST. What's the best practice?

+1  A: 

You can set the cookie, a session key in register view that you can check for in the register_success view only on its presence render the page, else redirect to main register.

Lakshman Prasad  2010-08-23 18:36:19
+1  A: 

I would stick with the redirect, getting duplicate users is a fairly large risk. What is the risk of someone seeing your register success page who hasn't registered? If there is a risk, you could always generate a random token, put it in session and pass it to your register-success page and then in your view check that the token matches. But that seems like a lot of work for what typical success pages are.

My recommendation would be to not worry about people being able to get to that page without registering. If it is just static HTML, there can't be any risk with showing to to everybody, right?

Matthew J Morrison  2010-08-23 18:36:50
It's static now but maybe it won't be. I'm just writing a basic web-app at the moment, thinking about how people deal with things.On the other hand, my registration form checks to make sure that a user doesn't already exist before allowing a registration so if the user does resubmit, they will just be taken back to the registration page with a "User already exists" error message on their form.
JPC  2010-08-23 18:46:51
Just a tip, don't spend too much of your project's time on things like this that you "might" need someday, focus on getting your project complete with the things that you DO need now. You can always revisit and re-factor to add features like this. If there is no risk now, I wouldn't code anything for it. If there will be risk in the future, add this functionality at that point.
Matthew J Morrison  2010-08-23 18:53:17
Yes I would agree, but seeing as this project is just my own personal exploration of django I figured I'd ask (and maybe learn a few tips like this one!)
JPC  2010-08-23 19:17:48

related questions

Django: Print url of view without hardcoding the url
Django Calendar Widget?
Can the HTTP version or headers affect the visual appearance of a web page?
Project design / FS layout for large django projects
Extending the User model with custom fields in Django
How to generate urls in django
Always including the user in the django template context
Screencasts for Django/Python?
Using Django time/date widgets in custom form
How do I add data to an existing model in Django?
Setup django with WSGI and apache
Altering database tables in Django
Django Templates and variable attributes.
Django ImageField core=False in newforms admin
How can I render a tree structure (recursive) using a django template?
Cleanest & Fastest server setup for Django
Unicode vs UTF-8 confusion in Python / Django?
Does Hostmonster support Django
Specifying a mySQL ENUM in a Django model
Represent Ordering in a Relational Database
updating an auto_now DateTimeField in a parent model w/ Django
Version track, automate DB schema changes with django
Learning Ruby on Rails any good for Grails?
What Hosting Service is best for Django applications?
Class views in Django