I am developing a personal blog using Django (to learn).
I want to be the only user that is allowed to post there.
However, I want to allow people to comment on my posts, when they do not register but (not sure of the correct terminology here) log in via their Google etc account to place a post.
How is this functionality called?
How can I achieve this in Django? Do I need to still save the user credentials etc into the database? Do I still need to have a Comment model (I think so)?
Related
I am building a website where you can keep your private portfolio, logs, etc using Django.
All courses, documentation, I came accross so far give all users the possibility to view all entries made by all users (e.g. blog, posts etc.). However I want to restrict any user from viewing & READING other users' data.
How can this be best achieved? Is there an extension available? I know that django doesn't have row-level permissions, but there are extensions for that available such as Django-rules.
In my case however I want restrict a user from viewing other users' data. In other words, a user can only see his/her porfolio and is also not in any way able to CHANGE, UPDATE, DELETE any entries which is not its own.
I found that django-guardian does the job.
Django has an authentication and authorization scheme baked in ('django.contrib.auth') as well as modelforms to generate forms for easy input of data into the database.
I'd like to be able to record who created a record, leveraging django.contrib.auth, with the explicit purpose of limiting editing of that same record to just that user and/or people with an "edit" permission. I know that I could use the #user_passes_test decorator to restrict access to editing my record in some fashion, but I don't know what I would compare the request.user.name to in order to determine if the current user originally created that record.
How much of this do I need to roll on my own? Do I need to capture the name author, save it to the model, and then read it - or is there something already in the framework that would do this for me?
And, if I was to attempt to save the author in a field, how would I go about doing that in such a way as to not let the user edit their own credentials?
There are a couple of apps to do something similar, please check https://www.djangopackages.com/grids/g/model-audit/
About the last questions, to prevent the user not to edit its own credentials, you can mark the field with editable=False so it wont appear in the admin or ModelForms.
For a website that is using django zinnia blog, I need the possibility to, beyond authors using the admin to create articles, to have a limited way for non-admin users to create blog entries, in their own specific area, with limited functionality (e.g. preset category, all entries start as draft etc..)
Now I was wondering if I could just create an own small ui for it and create Entries programatically in a django view (not in admin)... (with authors in those cases being non-admin users) ...
Is there any reason why this would be a very bad idea, or is this something that would really break things in Zinnia ?
Thanks in advance
Cheers
Thomas
I've done one part of this a few months ago. The client found the admin interface too complicated and wanted something simpler. I created view/templates that allowed users to add/edit blog entries - There were no major issues.
That said, this was still for admin users - there may be permission issues or hidden assumptions in zinnia that users are admins. I doubt there would be much trouble overcoming them - it's a nicely written app with decent interfaces.
I can show you some code if you're interested.
I'm building a Django-based review website where public users create all of the content on the site. Users create reviews for given items and they also create the items themselves that will be reviewed (providing a description and brief summary of the item, along with a few tags).
My question is this: Should I be using Django's admin features for this website (as in, exposing admin controls to the public users)? Or should I just stick with normal forms? I'm not too familiar with the admin-aspect of Django, and so far I've just been using forms for the website, but I've seen a lot of people talking about Django's admin features, and I'm starting to wonder if I should be using them.
Thanks for any feedback!
Maybe. If the admin functionality covers most of what you want to offer, there's no reason why you shouldn't use it as a starting point.
django.contrib.admin is an application like any other, and provides basically a CRUD interface to your models. Access can be controlled via groups/permissions, just like you would for an application you write yourself. You can give full access to a model with a one-liner, but obviously will have to configure properly when opening up to others.
See also my question
Django AdminSite/ModelAdmin for end users?
and similar questions Exposing django admin to users. Harmful? and How to make Django admin site accessed by non-staff user?
Regarding arguments about the "intended use" of the admin, please note Django's security update at the end of last year: http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists. Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.
No. The django admin is not intended for any end-user.
The django admin feature is intended to assist the website developer, and that is all. Even usage by site administrators is contra-indicated, although in practice most small sites get away with it since they're only talking a few people who can call on the developer personally if they get into trouble.
For your purposes, the review items and the workflow in creating the items is a critical part of your application feature set. The admin will give you ideas, but it would be a mistake to attempt to build your application upon it.
I wouldn't expose the admin interface to regular users. You can use the authentication and user-management side (for your purposes), but it's usually best practice to give users a separate way to manage their objects. You also don't run as much of a risk of granting the wrong privileges to users (or allowing them to grant their own).
Have a read though the docs if you want a better overview about what it can do.
Either my google searching has completely left me or there's hardly any documentation/tutorials for django-socialregistration. Too bad, because it seems like a nice enough app. Through some trial-and-error, I have managed to get it mostly running on my site.
My question, using django-socialregistration how do I request permission for the facebook user's full name, current city and date of birth and store it in my UserProfile table (which is my AUTH_PROFILE_MODULE for django-profiles) in Django upon registration? Also, how do I post to the user's wall from Django once the connection is made?
Currently, when I click the "Connect with Facebook" button the facebook connection is made, a new Django user is created and the user is logged in with that Django account. However, no UserProfile is created and no facebook profile data is saved.
Any facebook connect gurus out there want to help the Django pony fly to Facebookland?
Setup:
- Django 1.2.1
- Python 2.5.2
- django-socialregistration 0.4.2
- django-registration 0.7
- django-profiles 0.2
"Kind sir, can you please help me find the magical Facebookland?"
In facebook_js.html you need to adjust the following line, by uncommenting items that you need to get from FB:
FB.login(handleResponse/*,{perms:'publish_stream,sms,offline_access,email,read_stream,status_update,etc'}*/);
Then, in FacebookMiddleware you can extract that data from fb_user, like this:
facebook.GraphAPI(fb_user['access_token']).get_object('me')
FWIW, I just found this moderately helpful nugget from the app author buried in the "Issues" section on github:
question from "tolano":
I have a profile model associated with the users, and everytime the user is created the profile should be created also. Should we create a new custom setup view for this purpose?
I'm finding several problems because the documentation is poor. Thank you very much.
answer from "flashingpumpkin":
Yes. Ideally you'll overwrite the setup view with your own. An easier method to adjust what is done on user creation is to pass a custom form into the setup view. You'll do that by overriding the standard url.
Here's another relevant nugget (source: http://github.com/flashingpumpkin/django-socialregistration/issues/closed#issue/7) Enough of these and this page will become the de facto django-socialregistration documentation ;)
question from "girasquid":
Maybe I'm just missing something, but I'm stuck here - is there a way to 'connect' accounts on other sites to an already-existing user?
For example, I've already signed up on Really Awesome Website, so I don't need to sign up again - but I'd like to connect my Facebook and Twitter accounts so that I can sign in with those as well.
Is there a way to do this already? If there isn't...how would I do it?
answer from "flashingpumpkin":
Yes there is. Just use the same template tags for Facebook Connect as you would for registration. Depending on if the user is already logged in or not it will create just the FacebookProfile object and link it to the existing user - or create both, the User object and the FacebookProfile object.
Have a look here:
http://github.com/flashingpumpkin/django-socialregistration/blob/master/socialregistration/templates/socialregistration/facebook_button.html
and
http://github.com/flashingpumpkin/django-socialregistration/blob/master/socialregistration/templatetags/facebook_tags.py