Would like to use Mezzanine for our Associations Website


Christian Bahls

Mar 22, 2012, 3:02:14 PM
to Mezzanine Users

Dear Everybody

my name is Christian Bahls, i am chairperson of MOGiS e.V.
- a Victims Rights Advocacy group (of victims of sexual child abuse)

i would like to use Mezzanine for a redesign of our Website.

for this we have a few requirements that seem a little more difficult
to implement.

as i am completely new to Mezzanine
i would need some pointers in the right direction
- perhaps some examples as working code

1st)
we need some sort of comment (pre-)moderation
our Website currently gets about 200 Spam Messages a Day
(which akismet quite nicely puts into a Spam Folder)
Disqus is not a solution for us, as we are dealing with sensible
topics
and also our audience is very privacy sensitive

Captchas could be a solution for this
Also User registration and premoderation could help

2nd)
for user account generation
we would like to use
a) a captcha
and
b) a confirmation link sent via email

3rd)
for the form module it would help if a captcha was selectable
as an input method

As i mentioned Captchas a few times:
For the moment simple-captcha would do it
This is protection against script kiddies
A determined cracker will always find a way


I would be very grateful if you could share a short how-to,
some example code and other useful resources with me
on the 3 points mentioned above

kind Regards

Christian Bahls

Josh Cartmell

Mar 23, 2012, 11:57:33 AM
to mezzani...@googlegroups.com
Hi Christian and welcome to Mezzanine.  I will try to briefly address some of your questions.

1) The only way comments work currently is through Disqus or the built in comments which allow anonymous commenting.  With the built in comments you can set this setting: http://mezzanine.jupo.org/docs/configuration.html?highlight=settings#comments-default-approved which could make all comments be unapproved by default and then someone would have to manually approve comments.  With the volume of spam you mentioned I could imagine that being challenging.  It may be worth spending some time looking into Akismet integration for Mezzanine, and possibly even contributing it back to the project!

2) I don't think the built in Mezzanine account management covers these but you could certainly use django-registration and integrate django-simple-captcha.  I've also been interested in checking out django-userena.org/ which may work well for your registration needs.  Alternatively you could add the required functionality to Mezzanine.

3) I'm not sure what you are asking here.  Could you give a little more explanation of what you are trying to do?

Regards,
Josh

Christian Bahls (Gmail)

Mar 23, 2012, 12:05:34 PM
to mezzani...@googlegroups.com
What i would need is that somebody tells me where to go (eg which file, what function/view) and tie in simple-captcha (for comments and also for registration)

and perhaps additionally where he or she thinks akismet could be best integrated in the flow of comments

similar for the integration of sending confirmation links for newly created accounts

I just would need to be pointed to a few places to start (working on the code),
because at the moment i am completely lost (although i have been doing django before)

yours
 Christian
--
I moved away from Google Mail - please use my qb352.de email address

Christian Bahls (Gmail)

Mar 22, 2012, 3:31:24 PM
to Mezzanine Users
for those of you who thought TL;DR:

A) Akismet Integration would be the best solution,
  has anybody ever tried it and got it working?

B) Has anybody got some sort of captcha working
  with the way Forms are implemented in Mezzanine?

Christian
--
I will be moving away from Google Mail -
please contact me using my qb352.de email address

Stephen McDonald

Mar 23, 2012, 10:45:12 PM
to mezzani...@googlegroups.com
Yes you can certainly use another app for signups like django-registration which I believe handles verification by email. Mezzanine's account signup feature currently doesn't include this, but you don't have to use it. Take a look at the docs for django-registration here: http://django-registration.readthedocs.org/en/latest/quickstart.html

I think you could solve your spam problem for comments and forms with akismet, which could probably be implemented entirely separately from Mezzanine using middleware. Take a look at the middleware docs for Django, and a quick Google search will reveal samples of using akismet with Python:


Seems like it'd be possible for you to get up and running right now with a little elbow grease, please don't hesitate to dive in. You've got a much better chance at receiving the best help if you've taken the time to try things and are hitting very specific problems.

That aside, what do people think about adding these to Mezzanine? 

- Extend the signup form to handle field for a profile model if defined: https://docs.djangoproject.com/en/dev/topics/auth/#auth-profiles
- Add a bool setting for email verifications for signups, which if True sends an email (can use the new send_mail_template function to template these) with a verification URL. Would need to add a model for registration keys (could use uuid4 for these) and have a setting for specifying the expiry for them.
- Add akismet handling for comments and mezzanine.forms - would just need a new setting for specifying the akismet account setting.

Seems to me like these would be very useful, commonly required, and lightweight enough to develop. So they pass all the ticks for inclusion, and could form a good set of features for the eventual 1.1 release.
--
Stephen McDonald
http://jupo.org

Gary Reynolds

Mar 23, 2012, 11:11:10 PM
to mezzani...@googlegroups.com
On Saturday, 24 March 2012 at 1:45 PM, Stephen McDonald wrote:
- Add a bool setting for email verifications for signups, which if True sends an email (can use the new send_mail_template function to template these) with a verification URL. Would need to add a model for registration keys (could use uuid4 for these) and have a setting for specifying the expiry for them.
Assuming you're going to be only targeting the auth.User model, so I'd take a look at django.contrib.auth.tokens.default_token_generator.

To generate the token when sending the email:

    from django.contrib.auth.tokens import default_token_generator
    token = default_token_generator.make_token(user)

And to verify it in the view:

    from django.contrib.auth.tokens import default_token_generator
    default_token_generator.check_token(user, token)

The built in password reset uses this pattern, and includes the user's primary key in the url. Should be easier to do this than add another model to the database.

As for expiry, it checks against settings.PASSWORD_RESET_TIMEOUT_DAYS which I think is reasonable. You could always subclass django.contrib.auth.tokens.PasswordResetTokenGenerator if you wanted to adjust things.

Gary

Stephen McDonald

Mar 23, 2012, 11:15:49 PM
to mezzani...@googlegroups.com
Oh nice, I wasn't across any of those. Thanks Gary.

Christian Bahls (Gmail)

Mar 24, 2012, 9:09:48 AM
to mezzani...@googlegroups.com
Dear Stephen

of course you are right that showing more effort will get me a better response
i can fully sympathize with this notion, especially if seen from a
developer's perspective

of course i will follow the leads from this email thread to implement
what i need ..
.. even if it probably will become some half assed bug ridden
implementation of it

but i also want to share a little of my point of view

i want to be a mezzanine user not a mezzanine developer

i run this not so insignificant cute little organisation in my spare time
additionally of course i have a full time job that pays my rent and
the activism.

My main objective is to get the project website running (until april 2nd)
i will of course use the tool that gets the jobs done fastest
and will give the best result in the long run
(also in terms of maintenance burden)

The reason for me to choose Mezzanine
was the nice integration of Bootstrap 2.0

Making a lot of changes to my installation that will probably clash
with future upstream Mezzanine is just not an option for me

As an end-user i need solutions that more or less work out of the box

So I applaud the suggestion to target basic functionality like
* captcha form validation
* email account verification
* akismet integration
for the 1.1 release

I would be more than willing to beta test such changes

kind regards
Christian

(i will now try to find out,
how http://django-registration.readthedocs.org/en/latest/quickstart.html
integrates with mezzanine)

--
I moved away from Google Mail - please use my qb352.de email address

Stephen McDonald

Mar 24, 2012, 9:40:00 AM
to mezzani...@googlegroups.com
Sorry I didn't mean to imply you should be working on Mezzanine itself, the end of my email was directed at everyone on the mailing list.

What I meant by diving in was with regard to developing your own site. Hopefully you've got some good leads now to get you started there.

Josh Cartmell

Mar 24, 2012, 7:03:40 PM
to mezzani...@googlegroups.com
I like the ideas mentioned and think they would make nice additions to Mezzanine's capabilities.  I think the email verification and profile fields would be especially useful as those are fairly common requirements for projects.

Christian:
As far as integrating django-registration, I think you can just do it and there shouldn't be any special Mezzanine considerations.  Just make sure you haven't set the Mezzanine setting ACCOUNTS_ENABLED to True (it is false by default).

Stephen McDonald

Mar 28, 2012, 4:23:22 PM
to mezzani...@googlegroups.com
First crack at the email verification for new accounts is here:


There's a new setting ACCOUNTS_VERIFICATION_REQUIRED which when True, will create new users as inactive, send them an email with a verification link, which when clicked, will activate their account. Email templates are included for the verification email, as well as a template for storing its subject line.
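
Added example, not part of the thread and not Mezzanine's or Django's code: a standard-library illustration of the stateless token idea Gary Reynolds describes earlier and of the activation flow announced in the message above. The user dict, the SECRET_KEY value and the 3-day window are assumptions; the MAC covers is_active, which is why no registration-key table is needed and why a link stops verifying once it has been used.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-secret"  # assumption: stands in for settings.SECRET_KEY
TIMEOUT_SECONDS = 3 * 24 * 3600          # assumption: links expire after 3 days


def _mac(user, timestamp):
    # Cover state that changes on activation, so a used link no longer verifies.
    msg = f"{user['pk']}:{user['password_hash']}:{int(user['is_active'])}:{timestamp}"
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()[:32]


def make_token(user, now=None):
    timestamp = int(time.time() if now is None else now)
    return f"{timestamp:x}-{_mac(user, timestamp)}"


def check_token(user, token, now=None):
    try:
        ts_hex, mac = token.split("-", 1)
        timestamp = int(ts_hex, 16)
    except ValueError:
        return False  # malformed token
    expected = _mac(user, timestamp)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged, issued for another user, or already used
    age = int(time.time() if now is None else now) - timestamp
    return 0 <= age <= TIMEOUT_SECONDS


def activate(users, pk, token, now=None):
    """Flip is_active only for an inactive user presenting a valid token."""
    user = users.get(pk)
    if user is None or user["is_active"] or not check_token(user, token, now):
        return False
    user["is_active"] = True
    return True


# Constructed sample data: one freshly registered, inactive account.
USERS = {7: {"pk": 7, "password_hash": "pbkdf2$constructed", "is_active": False}}
```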

Christian Bahls (Gmail)

Mar 28, 2012, 4:51:23 PM
to mezzani...@googlegroups.com
Wow, impressive! :)

Now if a user could select a Username so he does not get identified with his emails in comments :)

something in the line of:
+        user = User.objects.create_user(self.cleaned_data["username"],
+                                        self.cleaned_data["email"],
+                                        self.cleaned_data["password"])
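Review bot: the first added line passes cleaned_data["username"] straight to create_user, and nothing in these lines shows the form rejecting a name that is already taken. auth.User enforces unique usernames at the database level, so the signup form should look up an existing user in a clean_username method and return a form error instead of letting create_user fail. Since the aim stated above is to keep the email address out of comments, the same method could also refuse a username equal to the submitted email.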

and some corresponding template form :)

Stephen McDonald

Mar 28, 2012, 7:28:09 PM
to mezzani...@googlegroups.com
I've also fixed this issue in as much as the comments now show the name entered for the comment, not the username if there's a user associated:

Christian Bahls (Gmail)

Mar 28, 2012, 9:05:53 PM
to mezzani...@googlegroups.com
Well .. the email address becomes the username when the user first gets created if i understand it correctly :)

kind regards Christian

Stephen McDonald

Mar 28, 2012, 9:08:31 PM
to mezzani...@googlegroups.com
That's right - the other side of the problem was that the username would always be shown for a comment if the commenter was logged in at the time, regardless of what they enter into the "name" field for the comment. That's the part I've changed.

Stephen McDonald

Mar 31, 2012, 10:16:35 AM
to mezzani...@googlegroups.com
Akismet integration is in now: https://github.com/stephenmcd/mezzanine/commit/d5fd33359d7d3bccc6ca7f2e7db6a3c3bdc2d043

There's a new setting AKISMET_API_KEY which when set will pass all comments and forms built with mezzanine.forms through the Akismet API for spam filtering.
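
Added example, not part of the thread and not the code in the commit linked above: one way to turn an Akismet verdict into a comment state, combining the spam check discussed here with the pre-moderation default mentioned earlier in the thread. It assumes Akismet's public comment-check REST endpoint; the comment dict keys, the state names and the injectable send function are hypothetical. A failed or unrecognised check holds the comment for moderation instead of publishing it.

```python
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AKISMET_URL = "https://rest.akismet.com/1.1/comment-check"


def build_request(api_key, site_url, comment):
    # Everything in this dict leaves the site and goes to a third party,
    # including the commenter's IP address and email.
    fields = {
        "api_key": api_key,
        "blog": site_url,
        "user_ip": comment["ip"],
        "user_agent": comment.get("user_agent", ""),
        "comment_type": "comment",
        "comment_author": comment.get("name", ""),
        "comment_author_email": comment.get("email", ""),
        "comment_content": comment["body"],
    }
    return Request(AKISMET_URL, data=urlencode(fields).encode("utf-8"), method="POST")


def http_send(request):
    # Real transport; tests inject a stub so the example runs offline.
    with urlopen(request, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def classify(api_key, site_url, comment, default_approved=True, send=http_send):
    """Return 'spam', 'approved' or 'pending' (held for a moderator)."""
    fallback = "approved" if default_approved else "pending"
    if not api_key:
        return fallback  # filtering disabled: only the moderation default applies
    try:
        verdict = send(build_request(api_key, site_url, comment)).strip()
    except OSError:
        return "pending"  # network failure: hold the comment, do not publish
    if verdict == "true":
        return "spam"
    if verdict == "false":
        return fallback
    return "pending"  # any other body is an error reply, not a verdict
```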

Christian Bahls

Mar 31, 2012, 4:53:05 PM
to mezzani...@googlegroups.com, Stephen McDonald
Hey, super cool :)

--- Original message ---
From: Stephen McDonald
Sent: 31.03.2012, 16:16
To: mezzani...@googlegroups.com
Subject: Re: [mezzanine-users] Would like to use Mezzanine for our Associations Website

Christian Bahls (Gmail)

Apr 3, 2012, 11:46:30 AM
to mezzani...@googlegroups.com
while browsing through recent changes in upstream mezzanine

i see that the csrf-tokens have been removed from a few places in the comment section of the blog

has there been a different mechanism implemented against csrf in the comment functionality?

yours
  Christian

Stephen McDonald

Apr 3, 2012, 7:52:46 PM
to mezzani...@googlegroups.com
You'll see in the same commit that these were moved into the includes/form_fields.html template:
