I am using the Django form for a quiz. The quiz has different question types such as multiple choice dropdown, or single or multiple input fields. I can handle the difference in questions as long as I could resolve other areas.
I would like to pass on the question id or the answer, so that it could be checked after submission.
I would also like to capture the time the user spends on the question page, from the moment they entered the page until the submission.
All these are also taking place in a single URL (one view that captures the answer, saves the accuracy and time, and passes back a different question).
I only need a few keywords so that I could search and work towards achieving the above. Many thanks.
You can record the time the page was rendered for the GET and then compare that to the time when the POST is submitted.
I’m not quite sure I’m following what you’re trying to say here.
In the typical case, something like the question ID is going to be a url parameter, and the answer would be supplied as POST data in the form.
But basically, everything you’re asking for here is pretty standard for any web application.
You never want to rely upon data being provided by the browser. It’s too easy to fudge it from the client side. For something like this, the only reliable method is to acquire the time from the server.
That is indeed the risk; on the plus side, you have more control and it is a bit more precise. Like starting the timer after the whole page has loaded.
Also, is the timer to record how long the user took to give an answer, or a countdown timer for how long the user has to answer the question?
If possible fraud is an issue then indeed you should always at least have a check in the backend.
Thank you very much @KenWhitesell and @dennisvd.
With regard to the time, I have to use both methods. I am recording the time in the model to calculate user performance; this time must be reliable.
I also have an end_time for each question in my model; the page will prompt the user to move on from the question after a certain time. As far as I understand, this would have to be implemented using JS.
@KenWhitesell, my main problem still remains, as my intention is not to have the question id etc. in the URL. I know this is not conventional. Is there a possibility of passing a hidden parameter?
My other thought was to register the question id in a database with a flag (question sent) and, on return of the POST, check the database for a recent entry with the flag. Is this practical?
Why is this a concern? (It shouldn’t be.) Nothing ever sent to the browser is truly hidden.
I think you’re wasting a lot of mental energy on a non-issue.
Thanks @KenWhitesell, I get your point, and I have spent many hours searching about what to do. Unless there is something related to the database, nothing can be hidden, as you mentioned.
If you worry that a user will guess the URL of other questions, you can add another field value like a slug to the URL. This will make it much more difficult to guess URLs of other questions. You can find info on slugs in the official Django documentation.
If, for example, you want a unique URL for a question, you can create a UUID for each record and use that in the URL instead of the pk.
This technique is for example used to share urls with non-users without others or web-crawlers being able to guess the url.
In addition to the suggestions above, you can also create a security framework such that each user can only access a specific id under certain conditions.
This adds the additional benefit that Person A would be unable to send any arbitrary URL to Person B and have Person B access it.
@dennisvd and @KenWhitesell thank you so much.
Yes, I am worried about someone trying new random ids in the URL.
For example, if they see /q/654/ they could try /q/758
I have now created views with dynamic URLs, but the above is still a worry.
After the user answers a question, they are forwarded to the /s/654 URL, where they can learn about what went wrong and receive help on that specific topic.
The same worry is there if the user, rather than submitting the answer, just changes the URL to see the solution.
Many thanks for the direction, @dennisvd. I am familiar with the UUID and I may need to have two UUID fields for each question, one for the question itself and one for the solution.
@KenWhitesell, I will investigate this; the advantage is certainly important. Is there a simple solution to disallow access to a page unless the user comes through as a result of a redirect on a POST method in a different view class?
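
The server-side pattern the replies point to (elapsed time taken from the server's clock between the GET and the POST, and a solution page reachable only after a submission), as an added example that is not code from any poster in this thread. It assumes a dict-like server-side session such as Django's `request.session`; the function names and the answer key are hypothetical, and 654 and 758 are the ids from the URLs quoted above.

```python
import time

# Assumption: `session` is a dict-like, per-user, server-side store such as
# Django's request.session. All function names here are hypothetical.


def serve_question(session, question_id, now=None):
    """GET handler logic: record on the server which question was issued and when."""
    session["current_question"] = question_id
    # Wall-clock time from the server; nothing here comes from the browser.
    session["started_at"] = time.time() if now is None else now


def submit_answer(session, answer, answer_key, now=None):
    """POST handler logic: grade the question the server issued, not a client-sent id."""
    question_id = session.pop("current_question", None)
    started_at = session.pop("started_at", None)
    if question_id is None or started_at is None:
        # No pending question: a replayed or forged POST.
        raise PermissionError("no question is pending for this session")
    now = time.time() if now is None else now
    elapsed = now - started_at
    correct = answer_key[question_id] == answer
    # Reassign (rather than mutate in place) so a session backend sees the change.
    session["answered"] = sorted(set(session.get("answered", [])) | {question_id})
    return {"question_id": question_id, "correct": correct, "elapsed": elapsed}


def can_view_solution(session, question_id):
    """Gate for /s/<id>/: allowed only after this session submitted that question."""
    return question_id in session.get("answered", [])


if __name__ == "__main__":
    demo_session = {}                      # constructed sample session
    demo_key = {654: "b", 758: "a"}        # constructed sample answer key
    print(can_view_solution(demo_session, 654))   # before answering
    serve_question(demo_session, 654)
    print(submit_answer(demo_session, "b", demo_key))
    print(can_view_solution(demo_session, 654))   # after answering
    print(can_view_solution(demo_session, 758))   # a guessed id
```

In a real view the solution handler would return a 403 or 404 when `can_view_solution` is false; a client-side JS countdown can still prompt the user to move on, while the stored `elapsed` value stays the server's measurement.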