-1

I have a website developed using Django 1.6.0 with Python 2.7.5. In my view.py file I have a method defined which I want to be executed only when the request for that view is a redirected request from somewhere. I want to restrict the user from executing that view by typing the URL.

Suppose view.py:

def online_test(request):
    return buy_test_final(request)

urls.py:

url(r'^test$',online_test),  

I need to restrict access to the online_test method from the URL.

Sonu kumar
  • 50
  • 5
  • 1
    This may be impossible to do securely unless you provide some proof that the redirecting page was visited, for instance via session data. Why does this view that you do not want people to access directly even have its own URL? – Andrew Gorcester Dec 15 '14 at 19:33

1 Answer

0

For making that view accessible for only redirected requests, you can check if request.META has HTTP_REFERER or not.

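from django.http import Http404

def online_test(request):
    # Reject requests that carry no Referer header (e.g. the URL was typed directly)
    if 'HTTP_REFERER' not in request.META:
        raise Http404

    return buy_test_final(request)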

Edit

As Andrew Gorcester has pointed out in a comment below, HTTP headers can be manipulated manually. Not only that, someone can simply add a link to any of your website's pages by using Chrome's Developer Tools, like this: <a href="/test/">Test</a>. If he clicks this link, request.META will have HTTP_REFERER, thereby executing that view.

Use the above piece of code carefully, if you must.

xyres
  • 20,487
  • 3
  • 56
  • 85
  • I don't think this will work, because I believe HTTP_REFERER only applies to urls the user clicks and not to 301/302 redirects. For instance, if you visit page B by clicking on a link on page A, and page B redirects to page C, the request at the view handler for page C will show the referer is A. – Andrew Gorcester Dec 15 '14 at 19:31
  • @AndrewGorcester Works for 301/302 redirects. I just checked. – xyres Dec 15 '14 at 19:35
  • 2
    I'm surprised, but okay. In that case, just keep in mind that HTTP headers are trivial to add manually, so this approach shouldn't be used by any security-conscious code. – Andrew Gorcester Dec 15 '14 at 19:42
  • @xyres @Andrew Thanks for answering my query. I thought of using `HTTP_REFERER` as a verifier for the request. Should I add the IP of the website from which the user will be redirected to my view? ... e.g. **'if request.META['REMOTE_ADDR'] == "ip address of the thrid_party_website":'** – Sonu kumar Dec 16 '14 at 06:05
  • @Sonukumar That won't do any good either. You see, any webpage can be edited easily using *Developer Tools*. So, you can add a link such as `Test` on that third party website's page. Now if you click it, `REMOTE_ADDR` will be that site's IP. Try it yourself. – xyres Dec 16 '14 at 09:02
  • REMOTE_ADDR is the user's IP address, not a referring website's, anyways. If you have control of the referring website, you can have that site hand the user a signed cookie proving they went there; if you do not, then there is literally no way to accomplish this task securely, although if it's not security-critical you could use HTTP_REFERER as above. – Andrew Gorcester Dec 16 '14 at 17:19
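
The signed proof-of-visit described in the last comment, as an added example that is not part of the original answer or comments: the referring page (assumed to share a secret with this site) issues a short-lived HMAC token, and the protected view checks it before running. `SHARED_KEY`, `MAX_AGE`, `issue_token`, `verify_token` and the token layout are hypothetical names chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: secret known to both the referring site and this site.
# Constructed demo value; load a real key from configuration.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 300  # seconds a token stays valid after the redirect


def _mac(payload):
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Run by the referring page just before it redirects the user."""
    ts = int(time.time() if now is None else now)
    payload = "{}:{}".format(user_id, ts).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


def verify_token(token, user_id, now=None, used=None):
    """Run at the top of the protected view; True only for a valid token.

    `used` is an optional set of already-accepted MACs (hypothetical replay
    store) that makes each token single-use.
    """
    now = time.time() if now is None else now
    try:
        b64, mac = token.split(".")
        payload = base64.urlsafe_b64decode(b64.encode())
        uid, ts = payload.decode().rsplit(":", 1)
        ts = int(ts)
    except (ValueError, AttributeError):
        return False  # missing or malformed token
    # Constant-time comparison; a forged or edited payload fails here.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return False
    if uid != str(user_id) or not 0 <= now - ts <= MAX_AGE:
        return False  # issued for another user, or expired
    if used is not None:
        if mac in used:
            return False  # replayed
        used.add(mac)
    return True
```

In `online_test`, assuming the token arrives as a `token` query parameter, a `False` result from `verify_token(request.GET.get('token'), request.user.id)` would lead to `raise Http404`. When both pages run in the same Django project, `django.core.signing.TimestampSigner` provides the same sign-and-expire behaviour.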