Django: ajax response for valid / accessible username / email during registration

I am using jQuery to do some inline form validation during user registration to prevent post-post form errors by checking if:

  • username available
  • email not registered yet

The idea is to give the user feedback before the form is submitted to avoid frustration. The code is at the bottom.

Questions:

  • Is this a potential security issue? I had the thought that someone looking at my JavaScript could find the URL I'm sending the request to in order to validate the username and email and then use it themselves (I don't know why they would do this, but nobody knows).
  • If so, what protections can I implement? I've read a bit about cross-site scripting protection but don't know how this can be implemented in an AJAX request, for example, or if it's even necessary.

Thanks for your input.

Current code:

I've defined the following view (which I took from some snippet, but can't remember where):

from django.contrib.auth.models import User
from django.http import HttpResponse, HttpResponseBadRequest

from .models import UserProfile  # the profile model used in the question; import path assumed


def is_field_available(request):
    """Answer with the plain text "True" (available) or "False" (taken) so the
    jQuery handler below can compare the response body directly."""
    if request.method == "GET":
        # Plain membership test replaces the Python 2-only has_key(); no copy() needed.
        if "username" in request.GET:
            name = request.GET["username"]
            taken = (User.objects.filter(username__iexact=name).exists()
                     or UserProfile.objects.filter(display_name__iexact=name).exists())
            return HttpResponse("False" if taken else "True")
        if "email" in request.GET:
            email = request.GET["email"]
            taken = User.objects.filter(email__iexact=email).exists()
            return HttpResponse("False" if taken else "True")

    # A missing parameter is a client error, so answer 400 rather than the original 500.
    return HttpResponseBadRequest("Requires username or email to test")
Here's an example of the jQuery code:

// Assumes the registration form's email field has the id "id_email" and that
// fieldValid()/fieldInvalid() are methods of the poster's own jQuery plugin.
$('#id_email').blur(function () {
    var $input = $(this);
    $.get('is-user-name-available/', { email: $input.val() },
        function (data, status) {
            // The view answers with the plain text "True" or "False".
            if ($.trim(data) == "True") {
                $input.fieldValid();
            } else {
                $input.fieldInvalid("This email address has already been registered.  Try another or recover your password.");
            }
        });
});
Edit: updated the code and rephrased my questions. [ 10/07/09 ]

+2

2 answers


See http://www.djangosnippets.org/snippets/771/ - you can restrict your view to AJAX requests. The only way to do cross-domain AJAX is with JSONP, which you don't support in your view.



+2


Yes, this is a potential security issue, but not too big: just make sure your code is safe and always returns something that doesn't reveal information that should be hidden.

There is nothing wrong with someone typing in the browser: example.com/account/verify_username/?username=admin (although I would suggest using POST only here)



So what you need to do:

  1) Make sure that all the parameters you need are present and in the correct format
  2) Perhaps check where the request came from
  3) Make sure you handle any exceptions that might happen in your code
  4) Don't forget about unit testing - for that, try to put your logic NOT in a view, but in some method :)

+1
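The two answers above (restricting the view to AJAX requests, then validating the parameters, checking where the request came from, handling exceptions and keeping the logic out of the view so it can be unit-tested) can be combined into one endpoint. The following is an added example, not code from the question or from either answer. It assumes Django 2.2 or later (`request.headers`, `JsonResponse`), a profile model importable as `myapp.models.UserProfile`, Django's default username alphabet as the format rule, and a constructed set of already-registered names and emails that stands in for the database so the core logic runs and can be tested offline:

```python
import logging
import re
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

# Constructed sample data standing in for the User/UserProfile tables of the question.
TAKEN_USERNAMES = {"admin", "alice"}
TAKEN_EMAILS = {"alice@example.com"}

# Format rules (assumed policy): Django's default username alphabet and length,
# plus a deliberately coarse syntactic check for email addresses.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@+-]{1,150}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ValidationError(ValueError):
    """Raised for a parameter that is present but malformed."""


def validate_username(name):
    if not USERNAME_RE.match(name):
        raise ValidationError("username has an invalid format")
    return name


def validate_email(email):
    if len(email) > 254 or not EMAIL_RE.match(email):
        raise ValidationError("email has an invalid format")
    return email


def check_availability(params, headers, site_host, username_taken, email_taken):
    """Framework-free core of the endpoint; returns (http_status, json_body).

    params      : mapping of query parameters (request.GET in Django)
    headers     : mapping of request headers (request.headers in Django)
    site_host   : our own host, e.g. request.get_host()
    username_taken, email_taken : callables that perform the database lookup
    """
    hdr = {k.lower(): v for k, v in headers.items()}

    # 1) AJAX only (the intent of djangosnippets 771). X-Requested-With is not a
    #    CORS-safelisted header, so a page on another origin cannot send it
    #    without passing a preflight. A curl user can set it freely, so this is
    #    a barrier to cross-site use from browsers, not authentication.
    if hdr.get("x-requested-with") != "XMLHttpRequest":
        return 403, {"error": "ajax requests only"}

    # 2) Check where the request came from: if Origin or Referer is present it
    #    must name our host. Absence is tolerated because privacy settings and
    #    proxies strip Referer on legitimate same-origin requests.
    source = hdr.get("origin") or hdr.get("referer")
    if source and urlsplit(source).netloc.lower() != site_host.lower():
        return 403, {"error": "cross-site request rejected"}

    # 3) Validate the parameters and wrap the lookup so nothing internal leaks.
    try:
        if "username" in params:
            name = validate_username(params["username"])
            return 200, {"field": "username", "available": not username_taken(name)}
        if "email" in params:
            email = validate_email(params["email"])
            return 200, {"field": "email", "available": not email_taken(email)}
        return 400, {"error": "username or email parameter required"}
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:  # e.g. database outage: log the traceback, answer generically
        log.exception("availability lookup failed")
        return 500, {"error": "lookup failed"}


# Lookups over the constructed sample data, case-insensitive like the iexact
# filters in the question.
def sample_username_taken(name):
    return name.lower() in TAKEN_USERNAMES


def sample_email_taken(email):
    return email.lower() in TAKEN_EMAILS


def is_field_available(request):
    """Django view adapter: the only part that touches Django, kept thin so the
    logic above is unit-testable without a request object or a database."""
    from django.contrib.auth.models import User
    from django.http import JsonResponse
    from myapp.models import UserProfile  # assumed: the poster's profile model

    def username_taken(name):
        return (User.objects.filter(username__iexact=name).exists()
                or UserProfile.objects.filter(display_name__iexact=name).exists())

    def email_taken(email):
        return User.objects.filter(email__iexact=email).exists()

    status, body = check_availability(
        request.GET, request.headers, request.get_host(), username_taken, email_taken)
    return JsonResponse(body, status=status)
```

jQuery already adds `X-Requested-With: XMLHttpRequest` to same-origin `$.get` calls, so the browser side needs no change beyond reading `data.available` instead of comparing the body to "True". Note that an availability check reveals by design whether an account exists, and none of the checks above stop someone from scripting requests with the right headers; if that matters, throttle the endpoint per client and return the same response shape for both outcomes.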
