Flask - Admin Roles - flask

Someone tell me how to do Administration correctly, how to use roles and how to give access to the admin panel only to the admin,as a rule, make models of the admin class
I have been looking for material for a very long time but there is very little of it

Related

Should i allow user to use the admin panel to upload his blog?

I'm building an app for someone, one of its function is it allowers the owner to upload blogs to the website.
So i'm wondering if i should create a page for uploading blog or just give him staff permission so he can create and upload it through django's admin panel.
I want to know if this is safe or if it will be worth it to create a front-end template for just one person to use.
It all depends on a lot of things but I will say my opinion on some scenarios:
best practices: ya for sure you have to create a full template page with decorators that allow only staff account to access just like the admin, also don't ever depend on the admin panel even if you wanted a dashboard for an admin just create customized admin template, also some developer just remove the default admin panel on deploy, or may be make the end point of the admin panel instead of '/admin' they make something like that 'SAF#saf$%OIL>$/' to hide it for security
If it works leave it : if we are talking here on simple ecommerce app ya its fine just make a staff account for the owner so he could access the admin panel its fine
if you want to add permissions to the owner account use groups and add the account you created for the admin to this group then go to groups table and add what table should users of this group have access to it's totally fine
only make a customized admin panel when you need more functionality and visualization

How to Give Permission in Django?

I am working on Django and I create my Custom Admin Panel, But I want the same functionality of permission like as Django Default admin Panel. I create functionality for the Blog model in my Dashboard, if I log in as a super-admin and I give Normal User to blog view only permission then Normal user should not access add and edit access on my dashboard, Currently normal user also can access add and edit access on the admin panel which I developed.
I added the functionality for Admin and Normal User, if a user is admin then he can access my dashboard otherwise he/she will re redirect on the homepage.
But my problem is, how I can create permission-based functionality on my dashboard, I will give permission from Django default admin panel.
Please let me guide, Does I need to create the same URL's like Django default admin panel or there is another way to solve this issue. it's a very big problem for me please give me the correct solution.
please send if you have any documentation or solution for this.

django staff users manage their own users only

In my Django app a user can register to the site and receive staff_user privileges from the admin.
After that the staff user can create and manage some other users (normal users) using default django admin site.
Now, I would like to let the staff user see and manage only the users he created from the admin site, I don't want him to see other users created by another staff user.
how can I do that? I imagine I need to modify admin.py right?
Don't modify the admin site.
In general, you have the following tools available:
Create groups
Add users to groups
Create custom permissions on your models, to indicate certain actions
https://docs.djangoproject.com/en/1.4/topics/auth/#custom-permissions
However, what you are asking: Now, I would like to let the staff user see and manage only the users he created from the admin site is not possible in django-admin.
The Django-admin site is only intended as a glorified development tool for fully trusted users, not as a customizable app for end users.
If your project requires an admin site with any of the following ...
Customized administraion functionality.
Exposure to any user that is not completely trusted.
... then I'm afraid you have to create your own custom app.
You can replace the stock UserAdmin with your own which overrides queryset() and does the filtering. The bigger issue is what to filter by. The default User model does not store a "created_by" in the model instance. So you would need to add this information whenever a User is added.
How best to do this depends on your Django version.
Django 1.5 introduced a "Configurable User model" which makes this very easy.
https://docs.djangoproject.com/en/dev/releases/1.5/#configurable-user-model
In earlier versions you would either have to monkeypatch the User model, or store that information in a separate "user profile" attached 1:1 to the User.
https://docs.djangoproject.com/en/dev/topics/auth/customizing/#extending-the-existing-user-model
Regarding the trusting of users (which wasn't a topic but I feel the need to comment on thnee's answer) in the Django admin, check out the links in my answer here: Should I use Django's Admin feature?

I'm having difficulty working out how to do permissions for my Django models? (not admin)

I have a range of models for my Django project. Everyone with a login has a Profile. A Profile will have certain permission access to the different parts of the website... Be able to view or edit certain accounts in the Account model. Be able to view or edit certain accounts in the Module model. Be able to delete or be blocked from accessing other Profiles. etc. People with Profiles do not access the normal Django built-in admin, it's all a custom website-side area where all of this stuff will take place.
Django's built in permissions stuff didn't seem to cover this sort of module/row level permissions. I was thinking of having a simple Permissions model with Profile and Permission Type foreign keys in them. Then all the things I want to be accessable only by Profiles with permissions will have a many to many to this Permissions model. But I'm not sure that's how to go about it?
What is an ideal way of doing permissions for the profiles to restrict access to rows of other models?
Check out Florian Apolloner's Django Advent post on Object Permissions. I found it to be a decent way of doing object-level permissions.

Django admin- constrain visibility of models and model instances based on who logged in

Using the django admin, I would like to be able to specify which models a user sees when he logs in. For a stretch goal, for each model types a user can see, I would like to specify a filter to limit which instances of the model the user can see.
Could someone please provide a pointer for how to go about achieving this?
You can specify which models the user can see and manipulate using the admin itself. You can do this when you're logged in as a superuser.
Regarding your stretch goal, a simple answer is detailed here.
Take a look at group-level permissions in the Admin (scroll down). Django 1.2 has introduced hooks for object-level permissions too