From 4f0e1ec1c2772904c033f747dc38a08223e8d661 Mon Sep 17 00:00:00 2001 From: Peter Bengtsson Date: Thu, 15 Jul 2021 13:42:10 -0400 Subject: delete pages that were never translated from en-US (es, part 2) (#1550) --- .../django/django_assessment_blog/index.html | 307 --------------------- .../django/web_application_security/index.html | 176 ------------ 2 files changed, 483 deletions(-) delete mode 100644 files/es/learn/server-side/django/django_assessment_blog/index.html delete mode 100644 files/es/learn/server-side/django/web_application_security/index.html (limited to 'files/es/learn/server-side/django') diff --git a/files/es/learn/server-side/django/django_assessment_blog/index.html b/files/es/learn/server-side/django/django_assessment_blog/index.html deleted file mode 100644 index cb5ac7ad88..0000000000 --- a/files/es/learn/server-side/django/django_assessment_blog/index.html +++ /dev/null @@ -1,307 +0,0 @@ ---- -title: 'Evaluación: DIY Django mini blog' -slug: Learn/Server-side/Django/django_assessment_blog -translation_of: Learn/Server-side/Django/django_assessment_blog ---- -
{{LearnSidebar}}
- -
{{PreviousMenu("Learn/Server-side/Django/web_application_security", "Learn/Server-side/Django")}}
- -

En esta evaluación usarás el conocimiento de Django que has adquirido en el módulo Framework Web Django (Python) para crear un blog muy básico.

- - - - - - - - - - - - -
Requisitos Previos:Before attempting this assessment you should have already worked through all the articles in this module.
Objetivo:Comprender los fundamentos de Django , incluidos las configuraciones de URL , modelos, vistas, formularios y  templates.
- -

Resumen del proyecto

- -

Las paginas que necesitan ser mostradas, sus URLs, y otros requisitos son listados debajo: 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PaginaURLRequisitos
Home page/ and /blog/Una pagina inicial que describa el sitio
Lista de todos las publicaciones del blog/blog/blogs/ -

Lista de todos las publicaciones del blog:

- -
    -
  • Accessible to all users from a sidebar link.
  • -
  • List sorted by post date (newest to oldest).
  • -
  • List paginated in groups of 5 articles.
  • -
  • List items display the blog title, post date, and author.
  • -
  • Blog post names are linked to blog detail pages.
  • -
  • Blogger (author names) are linked to blog author detail pages.
  • -
-
Blog autor (blogger) pagina de detalles/blog/blogger/<author-id> -

Information for a specified author (by id) and list of their blog posts:

- -
    -
  • Accessible to all users from author links in blog posts etc.
  • -
  • Contains some biographical information about the blogger/author.
  • -
  • List sorted by post date (newest to oldest).
  • -
  • Not paginated.
  • -
  • List items display just the blog post name and post date.
  • -
  • Blog post names are linked to blog detail pages.
  • -
-
Blog post detail page/blog/<blog-id> -

Blog post details.

- -
    -
  • Accessible to all users from blog post lists.
  • -
  • Page contains the blog post: name, author, post date, and content.
  • -
  • Comments for the blog post should be displayed at bottom.
  • -
  • Comments should be sorted in order: oldest to most recent.
  • -
  • Contains link to add comments at end for logged in users (see Comment form page)
  • -
  • Blog posts and comments need only display plain text. There is no need to support any sort of HTML markup (e.g. links, images, bold/italic, etc).
  • -
-
List of all bloggers/blog/bloggers/ -

List of bloggers on system:

- -
    -
  • Accessible to all users from site sidebar
  • -
  • Blogger names are linked to Blog author detail pages.
  • -
-
Comment form page/blog/<blog-id>/create -

Create comment for blog post:

- -
    -
  • Accessible to logged-in users (only) from link at bottom of blog post detail pages.
  • -
  • Displays form with description for entering comments (post date and blog is not editable).
  • -
  • After a comment has been posted, the page will redirect back to the associated blog post page.
  • -
  • Users cannot edit or delete their posts.
  • -
  • Logged out users will be directed to the login page to log in, before they can add comments. After logging in, they will be redirected back to the blog page they wanted to comment on.
  • -
  • Comment pages should include the name/link to the blogpost being commented on.
  • -
-
User authentication pages/accounts/<standard urls> -

Standard Django authentication pages for logging in, out and setting the password:

- -
    -
  • Login/out should be accessible via sidebar links.
  • -
-
Admin site/admin/<standard urls> -

Admin site should be enabled to allow create/edit/delete of blog posts, blog authors and blog comments (this is the mechanism for bloggers to create new blog posts):

- -
    -
  • Admin site blog posts records should display the list of associated comments inline (below each blog post).
  • -
  • Comment names in the Admin site are created by truncating the comment description to 75 characters.
  • -
  • Other types of records can use basic registration.
  • -
-
- -

In addition you should write some basic tests to verify:

- - - -
-

Note: There are of course many other tests you can run. Use your discretion, but we'll expect you to do at least the tests above.

-
- -

The following section shows screenshots of a site that implements the requirements above.

- -

Screenshots

- -

The following screenshot provide an example of what the finished program should output.

- -

List of all blog posts

- -

This displays the list of all blog posts (accessible from the "All blogs" link in the sidebar). Things to note:

- - - -

List of all blogs

- -

List of all bloggers

- -

This provides links to all bloggers, as linked from the "All bloggers" link in the sidebar. In this case we can see from the sidebar that no user is logged in.

- -

List of all bloggers

- -

Blog detail page

- -

This shows the detail page for a particular blog.

- -

Blog detail with add comment link

- -

Note that the comments have a date and time, and are ordered from oldest to newest (opposite of blog ordering). At the end we have a link for accessing the form to add a new comment. If a user is not logged in we'd instead see a suggestion to log in.

- -

Comment link when not logged in

- -

Add comment form

- -

This is the form to add comments. Note that we're logged in. When this succeeds we should be taken back to the associated blog post page.

- -

Add comment form

- -

Author bio

- -

This displays bio information for a blogger along with their blog posts list.

- -

Blogger detail page

- -

Steps to complete

- -

The following sections describe what you need to do.

- -
    -
  1. Create a skeleton project and web application for the site (as described in Django Tutorial Part 2: Creating a skeleton website). You might use 'diyblog' for the project name and 'blog' for the application name.
  2. -
  3. Create models for the Blog posts, Comments, and any other objects needed. When thinking about your design, remember: -
      -
    • Each comment will have only one blog, but a blog may have many comments.
    • -
    • Blog posts and comments must be sorted by post date.
    • -
    • Not every user will necessarily be a blog author though any user may be a commenter.
    • -
    • Blog authors must also include bio information.
    • -
    -
  4. -
  5. Run migrations for your new models and create a superuser.
  6. -
  7. Use the admin site to create some example blog posts and blog comments.
  8. -
  9. Create views, templates, and URL configurations for blog post and blogger list pages.
  10. -
  11. Create views, templates, and URL configurations for blog post and blogger detail pages.
  12. -
  13. Create a page with a form for adding new comments (remember to make this only available to logged in users!)
  14. -
- -

Hints and tips

- -

This project is very similar to the LocalLibrary tutorial. You will be able to set up the skeleton, user login/logout behaviour, support for static files, views, URLs, forms, base templates and admin site configuration using almost all the same approaches.

- -

Some general hints:

- -
    -
  1. The index page can be implemented as a basic function view and template (just like for the locallibrary).
  2. -
  3. The list view for blog posts and bloggers, and the detail view for blog posts can be created using the generic list and detail views.
  4. -
  5. The list of blog posts for a particular author can be created by using a generic list Blog list view and filtering for blog object that match the specified author. -
      -
    • You will have to implement get_queryset(self) to do the filtering (much like in our library class LoanedBooksAllListView) and get the author information from the URL.
    • -
    • You will also need to pass the name of the author to the page in the context. To do this in a class-based view you need to implement get_context_data() (discussed below).
    • -
    -
  6. -
  7. The add comment form can be created using a function-based view (and associated model and form) or using a generic CreateView. If you use a CreateView (recommended) then: -
      -
    • You will also need to pass the name of the blog post to the comment page in the context (implement get_context_data() as discussed below).
    • -
    • The form should only display the comment "description" for user entry (date and associated blog post should not be editable). Since they won't be in the form itself, your code will need to set the comment's author in the form_valid() function so it can be saved into the model (as described here — Django docs). In that same function we set the associated blog. A possible implementation is shown below (pk is a blog id passed in from the URL/URL configuration). -
          def form_valid(self, form):
      -        """
      -        Add author and associated blog to form data before setting it as valid (so it is saved to model)
      -        """
      -        #Add logged-in user as author of comment
      -        form.instance.author = self.request.user
      -        #Associate comment with blog based on passed id
      -        form.instance.blog=get_object_or_404(Blog, pk = self.kwargs['pk'])
      -        # Call super-class form validation behaviour
      -        return super(BlogCommentCreate, self).form_valid(form)
      -
      -
    • -
    • You will need to provide a success URL to redirect to after the form validates; this should be the original blog. To do this you will need to override get_success_url() and "reverse" the URL for the original blog. You can get the required blog ID using the self.kwargs attribute, as shown in the form_valid() method above.
    • -
    -
  8. -
- -

We briefly talked about passing a context to the template in a class-based view in the Django Tutorial Part 6: Generic list and detail views topic. To do this you need to override get_queryset() (first getting the existing context, updating it with whatever additional variables you want to pass to the template, and then returning the updated context. For example, the code fragment below shows how you can add a blogger object to the context based on their BlogAuthor id.

- -
class SomeView(generic.ListView):
-    ...
-
-    def get_context_data(self, **kwargs):
-        # Call the base implementation first to get a context
-        context = super(SomeView, self).get_context_data(**kwargs)
-        # Get the blogger object from the "pk" URL parameter and add it to the context
-        context['blogger'] = get_object_or_404(BlogAuthor, pk = self.kwargs['pk'])
-        return context
-
- -

Assessment

- -

The assessment for this task is available on Github here. This assessment is primarily based on how well your application meets the requirements we listed above, though there are some parts of the assessment that check your code uses appropriate models, and that you have written at least some test code. When you're done, you can check out our the finished example which reflects a "full marks" project.

- -

Once you've completed this module you've also finished all the MDN content for learning basic Django server-side website programming! We hope you enjoyed this module and feel you have a good grasp of the basics!

- -

{{PreviousMenu("Learn/Server-side/Django/web_application_security", "Learn/Server-side/Django")}}

- -

 

- -

En este modulo

- - diff --git a/files/es/learn/server-side/django/web_application_security/index.html b/files/es/learn/server-side/django/web_application_security/index.html deleted file mode 100644 index e00a1771bb..0000000000 --- a/files/es/learn/server-side/django/web_application_security/index.html +++ /dev/null @@ -1,176 +0,0 @@ ---- -title: Seguridad de las aplicaciones web Django -slug: Learn/Server-side/Django/web_application_security -translation_of: Learn/Server-side/Django/web_application_security ---- -
{{LearnSidebar}}
- -
{{PreviousMenuNext("Learn/Server-side/Django/Deployment", "Learn/Server-side/Django/django_assessment_blog", "Learn/Server-side/Django")}}
- -

Proteger los datos de los usuarios es una parte esencial de cualquier diseño de un sitio web. Previamente ya explicamos algunas de las amenazas de seguridad más comunes en el artículo Seguridad Web — este artículo proporciona una demostración práctica de cómo las protecciones integradas de Django gestionan estas amenazas.

- - - - - - - - - - - - -
Prerrequisitos:Lee la documentación de la Programación del Lado del servidor "Seguridad de la aplicación web de Django". Completa todos los temas del Tutorial de Django (incluyendo este) o por lo menos el Tutorial de Django Parte 9: Trabajar con formularios web.
Objetivo:Comprender las cosas principales que debes hacer (y las que no debes) para proteger su aplicación web de Django.
- -

Overview

- -

The Website security topic provides an overview of what website security means for server-side design, and some of the more common threats that you may need to protect against. One of the key messages in that article is that almost all attacks are successful when the web application trusts data from the browser.

- -
-

Important: The single most important lesson you can learn about website security is to never trust data from the browser. This includes GET request data in URL parameters, POST data, HTTP headers and cookies, user-uploaded files, etc. Always check and sanitize all incoming data. Always assume the worst.

-
- -

The good news for Django users is that many of the more common threats are handled by the framework! The Security in Django (Django docs) article explains Django's security features and how to secure a Django-powered website.

- -

Common threats/protections

- -

Rather than duplicate the Django documentation here, in this article we'll demonstrate just a few of the security features in the context of our Django LocalLibrary tutorial.

- -

Cross site scripting (XSS)

- -

XSS is a term used to describe a class of attacks that allow an attacker to inject client-side scripts through the website into the browsers of other users. This is usually achieved by storing malicious scripts in the database where they can be retrieved and displayed to other users, or by getting users to click a link that will cause the attacker’s JavaScript to be executed by the user’s browser.

- -

Django's template system protects you against the majority of XSS attacks by escaping specific characters that are "dangerous" in HTML. We can demonstrate this by attempting to inject some JavaScript into our LocalLibrary website using the Create-author form we set up in Django Tutorial Part 9: Working with forms.

- -
    -
  1. Start the website using the development server (python3 manage.py runserver).
  2. -
  3. Open the site in your local browser and login to your superuser account.
  4. -
  5. Navigate to the author-creation page (which should be at URL: http://127.0.0.1:8000/catalog/author/create/).
  6. -
  7. Enter names and date details for a new user, and then append the following text to the Last Name field:
    - <script>alert('Test alert');</script>.
    - Author Form XSS test -
    -

    Note: This is a harmless script that, if executed, will display an alert box in your browser. If the alert is displayed when you submit the record then the site is vulnerable to XSS threats.

    -
    -
  8. -
  9. Press Submit to save the record.
  10. -
  11. When you save the author it will be displayed as shown below. Because of the XSS protections the alert() should not be run. Instead the script is displayed as plain text.Author detail view XSS test
  12. -
- -

If you view the page HTML source code, you can see that the dangerous characters for the script tags have been turned into their harmless escape code equivalents (e.g. > is now &gt;)

- -
<h1>Author: Boon&lt;script&gt;alert(&#39;Test alert&#39;);&lt;/script&gt;, David (Boonie) </h1>
-
- -

Using Django templates protects you against the majority of XSS attacks. However it is possible to turn off this protection, and the protection isn't automatically applied to all tags that wouldn't normally be populated by user input (for example, the help_text in a form field is usually not user-supplied, so Django doesn't escape those values).

- -

It is also possible for XSS attacks to originate from other untrusted source of data, such as cookies, Web services or uploaded files (whenever the data is not sufficiently sanitized before including in a page). If you're displaying data from these sources, then you may need to add your own sanitisation code.

- -

Cross site request forgery (CSRF) protection

- -

CSRF attacks allow a malicious user to execute actions using the credentials of another user without that user’s knowledge or consent. For example consider the case where we have a hacker who wants to create additional authors for our LocalLibrary.

- -
-

Note: Obviously our hacker isn't in this for the money! A more ambitious hacker could use the same approach on other sites to perform much more harmful tasks (e.g. transfer money to their own accounts, etc.)

-
- -

In order to do this, they might create an HTML file like the one below, which contains an author-creation form (like the one we used in the previous section) that is submitted as soon as the file is loaded. They would then send the file to all the Librarians and suggest that they open the file (it contains some harmless information, honest!). If the file is opened by any logged in librarian, then the form would be submitted with their credentials and a new author would be created.

- -
<html>
-<body onload='document.EvilForm.submit()'>
-
-<form action="http://127.0.0.1:8000/catalog/author/create/" method="post" name='EvilForm'>
-  <table>
-    <tr><th><label for="id_first_name">First name:</label></th><td><input id="id_first_name" maxlength="100" name="first_name" type="text" value="Mad" required /></td></tr>
-    <tr><th><label for="id_last_name">Last name:</label></th><td><input id="id_last_name" maxlength="100" name="last_name" type="text" value="Man" required /></td></tr>
-    <tr><th><label for="id_date_of_birth">Date of birth:</label></th><td><input id="id_date_of_birth" name="date_of_birth" type="text" /></td></tr>
-    <tr><th><label for="id_date_of_death">Died:</label></th><td><input id="id_date_of_death" name="date_of_death" type="text" value="12/10/2016" /></td></tr>
-  </table>
-  <input type="submit" value="Submit" />
-</form>
-
-</body>
-</html>
-
- -

Run the development web server, and log in with your superuser account. Copy the text above into a file and then open it in the browser. You should get a CSRF error, because Django has protection against this kind of thing!

- -

The way the protection is enabled is that you include the {% csrf_token %} template tag in your form definition. This token is then rendered in your HTML as shown below, with a value that is specific to the user on the current browser.

- -
<input type='hidden' name='csrfmiddlewaretoken' value='0QRWHnYVg776y2l66mcvZqp8alrv4lb8S8lZ4ZJUWGZFA5VHrVfL2mpH29YZ39PW' />
-
- -

Django generates a user/browser specific key and will reject forms that do not contain the field, or that contain an incorrect field value for the user/browser.

- -

To use this type of attack the hacker now has to discover and include the CSRF key for the specific target user. They also can't use the "scattergun" approach of sending a malicious file to all librarians and hoping that one of them will open it, since the CSRF key is browser specific.

- -

Django's CSRF protection is turned on by default. You should always use the {% csrf_token %} template tag in your forms and use POST for requests that might change or add data to the database.

- -

Other protections

- -

Django also provides other forms of protection (most of which would be hard or not particularly useful to demonstrate):

- -
-
SQL injection protection
-
SQL injection vulnerabilities enable malicious users to execute arbitrary SQL code on a database, allowing data to be accessed, modified, or deleted irrespective of the user's permissions. In almost every case you'll be accessing the database using Django’s querysets/models, so the resulting SQL will be properly escaped by the underlying database driver. If you do need to write raw queries or custom SQL then you'll need to explicitly think about preventing SQL injection.
-
Clickjacking protection
-
In this attack a malicious user hijacks clicks meant for a visible top level site and routes them to a hidden page beneath. This technique might be used, for example, to display a legitimate bank site but capture the login credentials in an invisible <iframe> controlled by the attacker. Django contains clickjacking protection in the form of the X-Frame-Options middleware which, in a supporting browser, can prevent a site from being rendered inside a frame.
-
Enforcing SSL/HTTPS
-
SSL/HTTPS can be enabled on the web server in order to encrypt all traffic between the site and browser, including authentication credentials that would otherwise be sent in plain text (enabling HTTPS is highly recommended). If HTTPS is enabled then Django provides a number of other protections you can use:
-
- - - -
-
Host header validation
-
Use ALLOWED_HOSTS to only accept requests from trusted hosts.
-
- -

There are many other protections, and caveats to the usage of the above mechanisms. While we hope that this has given you an overview of what Django offers, you should still read the Django security documentation.

- - - -

Summary

- -

Django has effective protections against a number of common threats, including XSS and CSRF attacks. In this article we've demonstrated how those particular threats are handled by Django in our LocalLibrary website. We've also provided a brief overview of some of the other protections.

- -

This has been a very brief foray into web security. We strongly recommend that you read Security in Django to gain a deeper understanding.

- -

The next and final step in this module about Django is to complete the assessment task.

- -

See also

- - - -

{{PreviousMenuNext("Learn/Server-side/Django/Deployment", "Learn/Server-side/Django/django_assessment_blog", "Learn/Server-side/Django")}}

- -

En este módulo

- - -- cgit v1.2.3-54-g00ecf