One of my user complained that whenever he tried to add a new user (auth.User) using the default admin interface (Django's admin), the new username and password would get automatically filled with his own.
The problem is he asked Firefox to remember his username/password when he logs in. Is there any way I can prevent Firefox from trying to autofill when not on the login page? I don't really understand what critera Firefox looks at when trying to autofill. The URL is obviously not the same; does it rely only on the domain name and the names (or IDs) of the html fields?
Looking at the answer here, it appears as though you can add an attribute to your form
autocomplete="off"
This should prevent FireFox from autofilling the form in the admin. I'm pretty new to Django, but I imagine that you would need to copy & customize the specific template in the admin where you want this behavior in order to add this attribute.
Related
I am writing a simple web page, which shows some widgets based on user permission. If user has EDIT permission, the page renders EDIT widget else EDIT widget doesn't shows up.
What is the best way to achieve this?
I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission. But, I see that user can "inspect element" on browser and set visibility accordingly. However, on server-side, I am using #PreAuthorize annotation on DAO to control the user actions.
How to control visibility of UI widgets without user being able to make changes, maybe from server side?
Update : I am looking for JSTL equivalent in GWT
AFAIK there is no JSTL equivalent for GWT.
However there are some 3rd party (i.e. ArcIS) libraries that make display/hiding UI elements based on user permissions more convenient.
However no matter whether you do it manually or using a library you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method level security).
One important thing to remember when dealing with client side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend
In my opinion, it really does not matter if the user could theoratically inspect the edit button for example using Browser Dev Tools and make it visible, as long as the the edit action on the backend is properly secured. If you are really that concerned you can remove the elements (i.e edit button) from the DOM instead of hiding it, but it won't make it more secure.
I, first called a service to get logged in user's permission and then
set visibility: none or block based on the permission.
Well instead of setting the visibility none or block, assuming you are using JSP, use JSTL tag
<c:if test="${if the user has permission}">Show widget UI code</c:if>
If the page has n widgets for which the user doesn't has permission, why would you load the code for all the n widgets. It's non performant.
write a panel that shows it's contents based on security settings in the client code
add the widgets to be controlled inside the security panel
the panel will now control the appearance of the children based on security in your client code
As has been mentioned before, and has been recognized by you, client security is only visibility control and thus not sufficient to protect the app.
I have a Google Doc spreadsheet, which I created a native Form for. I copied the form code, and integrated it into my own page here.
This form was working until I gave the website owner permission to view the spreadsheet.
Since then, when we hit submit, it takes us to the native form page, and does not insert form data into the spreadsheet. (You're welcome to test the form.)
Should providing viewing permissions to the spreadsheet break my own version of the form?
Did you set permissions via docs.google.com? If so then no it should not have changed anything. I got all the way through the form to "Attending
Your response has been recorded." Is this what you are getting as well or do you have a backend error?
If it is not a backend error and I was able to get somewhere you couldt I would suggest clearing your browser chache and possibly resetting your router as sometimes they hold a cache of older versions of a website.
Did the current form of yours manage to work this before? I mean. It is shown that in the native form the questions are text boxes. While in your GUI form, it had radio buttons and check boxes, since you are calling the native post back url?
Can anyone help. I have created a small WP7 and its working the way i want it to.
It always asks the user for username and password to enter the application, I also have a button called "Remember Settings", if this is checked the next time the application is loaded i would like it to login autoamtically hence the user will not see the login screen and it will bypass this view and load another.
I need some way to load 1 xaml is the user credentials don't exist or are not valid and another the main app xaml if credential exists and are valid.
It appears that the loading of the page is hardcoded in the manifast. As you can see i am loading my LoginPage.
<Tasks>
<DefaultTask Name ="_default" NavigationPage="LoginPage.xaml"/>
</Tasks>
SO what would my best way of accomplishing this, I thought of changing creating xaml (entance file) where i could check in the constructor of my VIEWMODEL if the credentials exists etc and then do a navigateTo another page. But this feels like code smell..
Can anyone help with advise or examples of the best way of accomplishing this.
I am actually using MVVM Light but things should be pretty much the same?
Thanks in advance
You can do by storing user credentials in ISOLATED STORAGE of windows phone 7. Once User checks remember settings or credentials checkbox then you save these settings in isolated storage. And Next Time As Your Application Launches And Suppose Your Default Page is "MainPage.XAML". Then On This Page OnPageNavigated Event Check For User Settings. If Settings There Then Redirect To User on Other View (Logged View). Otherwise User Will Be On MainPage.xaml. And Logout Button You Can Clear These Settings..
Here is Good Example Here For ISOLATED Storage.
http://msdn.microsoft.com/en-us/library/ff769510%28v=vs.92%29.aspx
http://go.microsoft.com/fwlink/?LinkID=229120 (Example Code)
http://www.windowsphonegeek.com/tips/all-about-wp7-isolated-storage--intro-to-isolated-storage
Hope this will help you. :)
Try storing the username, password, authtokens or any other value which you need to check for authentication in settings.
On opening of login page, check the value of your token from settings in the OnNavigatedTo method. If its not null, it means user is already logged in, then you can redirect him to you Home screen else show the login page and ask him to enter the credentials.
Also don't forget to save the settings on app exit. Check this link below for further help
http://msdn.microsoft.com/en-us/library/ff769510(v=VS.92).aspx
On Logout, clear the tokens in the settings page
We have a requirement where support for different users in different tabs of a browser window. How can we achieve this in Spring 2.5? The application is based on Users, where users will have their own agents and articles. An internal user should be able to login to different user accounts in different tabs at same time and manipulate their data. Any help is much appreciated.
A browser's cookie store does not distinguish between different windows or tabs when deciding what cookies to send. So a cookie based approach won't help.
My suggestion for an alternative would be to have a hidden "userName" parameter that is passed back and forth as a URL query parameter for all requests from a given tab or window. You could finesse the setting of the parameter in browser requests by using some Javascript to add a hidden parameter to each of the HTML forms in the page just loaded. The parameter value would be snarffed from the query string of the current page URL. You'd just need to make sure that all pages included stuff in the header to load the JS and run it when the page load completed.
Generally speaking, no, because all of the tabs within the browser window share the same cookies.
One way to do it would be use multiple domain names all pointing at the same app. Each domain name would have its own set of cookies. You would need to have some way of switching to a new domain name after you open a new tab.
How about, have a set of bookmark toolbar bookmarks, each corresponding to a different domain name. Control-click on the bookmark and it opens in a new tab. You could provide the users links in your navigation to the different domains that they can drag onto their toolbar.
Depending on what browsers your users are using you could get even slicker - in some browsers Javascript window.open() opens a new tab. You could have the JS compute the new domain name before the window.open().
Is there a way to make Firefox or any other browsers remember values in ajax login forms?
I suggest checking that you dont have password remember settings for the site in question set to "never". Some sites also disallow remembering passwords explicitly in their form tags. In such cases, if you really want the form to remember the login (Such as if you are testing the site and regularly log in using the same credentials), It may be possible to write a bookmarklet to remember the details for you. (You could save the bookmarklet in your bookmarklets toolbar)