4

I have a Django application with two models: the first one is django.contrib.auth.User and the second one is Product, created by me.

For every product I would like to add comments, so that every registered User can insert a comment for every product.

I've seen there's django.contrib.comments, but it's probably for blog-like sites, where every user can leave a comment even if they're not registered. I would like a comment form with only the textarea for writing the comment, with the user automatically set to request.user.

Should I write the comments system from scratch?

Fred Collins

2 Answers

5

What you've described sounds extremely simple, and perfect for Django's in-built comment app. Just because it allows anonymous users to comment doesn't mean that's a requirement; you can easily prevent anonymous users from commenting by simply not displaying the comment form for non-authenticated users.

You should run through this example of using the in-built comment app: https://docs.djangoproject.com/en/dev/ref/contrib/comments/example/

I think you'll find it does everything you need, has additional features you might not have thought of (spam protection) and will save you a lot of time building something from scratch.

rolling stone
  • And how can I remove URL/first name/last name etc. fields? – Fred Collins Jul 15 '11 at 23:15
  • I believe you're referring to the fields in the comment form (let me know if I'm mistaken). You can add your own comment form (`form.html`) with the fields you'd like to use to the `templates/comments/` directory. You can actually check to see if the user is logged in here before displaying the form, else show them a link to log in or sign up. – rolling stone Jul 15 '11 at 23:31
  • See the 'related' ;) http://stackoverflow.com/questions/2393237/how-to-extend-the-comments-framework-django-by-removing-unnecesary-fields – markijbema Jul 16 '11 at 00:59
  • 2
    Not rendering the form does not prevent it from being processed on a POST request. You must check for that in your view: `if method == "post" and user.is_authenticated(): foo()`. (This is mitigated if your Django installation uses CSRF tokens.) A logged-out user who is aware of the structure of your form could post anonymous comments on your blog via hand-crafted POST requests. Also, if a user was previously logged in but did not refresh the page after logging out, submitting a comment would publish it as from an anonymous user. – sleblanc Mar 21 '13 at 03:22
  • Link for version 1.6: https://docs.djangoproject.com/en/1.6/ref/contrib/comments/example/ – Liran Orevi Jul 09 '14 at 22:45
  • What you say is true. CSRF tokens help a bit, but they still don't stop anonymous users from posting comments in all cases, since anonymous users usually can get a CSRF token. – Flimm Jan 06 '16 at 16:27
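
The server-side check raised in the comments above, as an added example that is not part of the original thread: the view refuses any POST that lacks an authenticated session and takes the author from `request.user` rather than from submitted fields. The `User` and `Request` classes, `post_comment`, `COMMENTS` and the sample requests are constructed stand-ins that only mimic the attributes a Django view reads; nothing here imports Django.

```python
from dataclasses import dataclass, field

# Stand-ins (assumptions) exposing the attributes a Django view reads.
@dataclass
class User:
    username: str = ""
    is_authenticated: bool = False  # a method, is_authenticated(), on old Django

@dataclass
class Request:
    method: str
    user: User
    POST: dict = field(default_factory=dict)

COMMENTS = []  # stand-in for the comment table

def post_comment(request, product_id):
    """Hypothetical view; returns (HTTP status, detail)."""
    if request.method != "POST":
        return 405, "POST only"
    # Checked on every request, whether or not the template rendered the form.
    # A valid CSRF token would not change this: anonymous visitors get one too.
    if not request.user.is_authenticated:
        return 403, "login required"
    text = request.POST.get("comment", "").strip()
    if not text:
        return 400, "empty comment"
    # The author comes from the session, never from submitted fields.
    COMMENTS.append({"product": product_id,
                     "author": request.user.username, "text": text})
    return 201, "created"

def demo():
    """Run constructed requests; return (statuses, stored authors)."""
    COMMENTS.clear()
    alice, anon = User("alice", True), User()
    reqs = [
        Request("POST", alice, {"comment": "Great product"}),
        # Hand-crafted POST with no session and a spoofed name field.
        Request("POST", anon, {"comment": "spam", "name": "alice"}),
        # Stale page: form rendered while logged in, submitted after logout.
        Request("POST", anon, {"comment": "late"}),
        # Extra identity fields are ignored for a real user as well.
        Request("POST", alice, {"comment": "hi", "name": "admin"}),
    ]
    statuses = [post_comment(r, 7)[0] for r in reqs]
    return statuses, [c["author"] for c in COMMENTS]

if __name__ == "__main__":
    print(demo())
```

In a Django project the same rule is commonly applied by wrapping the view with `django.contrib.auth.decorators.login_required`, which redirects anonymous requests to the login page instead of returning 403.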
0

The built-in Django comments module is for any model that you want to enable comments on. See here: https://docs.djangoproject.com/en/1.3/ref/contrib/comments/

tatlar