I created custom authentication; every user from the users table can log in to the app.
How can I restrict a user who has the READ_ONLY role so that they can only read app pages and can't edit?
I have tables:
users(id, login_name, password),
roles(role_id, rname),
user_roles-junction table (users-roles),
privileges(id, pname),
role_privileges-junction table (roles and privileges)
You can control what a user can do in the app through authorisation schemes. It is not possible to make an entire app read only, so what you could do is the following. Suppose you have 2 authorisation schemes: READ_ONLY and EDIT. All the EDIT/SAVE/SUBMIT buttons and their corresponding page processes you then restrict to the EDIT authorisation scheme. That way a user with READ_ONLY and not EDIT will only see the reports and forms but not be able to change any data.
I have a requirement regarding authorizations such that if the user is Admin/Editor, the user can read/write the page.
If the user is a visitor, he can only read the same page.
I created an authorization scheme IS_ADMIN with this Exists SQL Query:
select 1 from users where role_id in(select role_id from roles where name ='Admin')
Now I applied this authorization scheme on the page.
In Read Only, I selected Function Body (PL/SQL) and wrote:
IF apex_authorization.is_authorized('IS_ADMIN') THEN
  RETURN FALSE;
ELSE
  RETURN TRUE;
END IF;
I applied this assuming it would make the page read only for a user who is not admin.
But because of the authorization scheme and the error message that I set, I am simply getting an error when I log in with the visitor role: the same error message that I gave for the authorization scheme.
What is the best way to apply multi authorization scheme in this case?
Apex: 20.2
One way to solve this is to create a security model that is based on roles and responsibilities (as done in ERP systems). A role is granted to a user (e.g. ADMIN, VISITOR) and a responsibility is linked to application functionality (e.g. VIEW_EMP, EDIT_EMP). Responsibilities are then granted to roles or to other responsibilities. The authorization schemes are created on the responsibilities (the app is unaware of the roles).
Example for an EMP form: the requirement is that VISITOR can see data and ADMIN can edit data.
Create responsibilities: VIEW_EMP and EDIT_EMP and matching authorization schemes.
Role VISITOR has responsibility VIEW_EMP.
Responsibility EDIT_EMP has responsibility VIEW_EMP (so that whoever has EDIT_EMP automatically gets VIEW_EMP).
Role ADMIN has responsibility EDIT_EMP.
In the form you set the auth scheme of the page to VIEW_EMP and the auth scheme of the CREATE/SAVE/DELETE buttons and the DML page process to EDIT_EMP.
So when a user with VISITOR comes to the form, he gets the data but the buttons are hidden. When an ADMIN comes to the screen, he sees all.
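The role/responsibility model from the answer above, as an added example that is not part of the original posts: it builds the tables the first question lists in an in-memory SQLite database, adds an assumed privilege_privileges table so that EDIT_EMP includes VIEW_EMP, and runs the query an authorization scheme of type Exists SQL Query would use (the user names, the column priv_id and the :app_user parameter standing in for APEX's :APP_USER are assumptions).

```python
# Added example, not from the original posts: role/responsibility model
# from the answer, on the question's tables plus an assumed
# privilege_privileges table. Oracle spells the CTE as WITH, no RECURSIVE.
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login_name TEXT, password TEXT);
CREATE TABLE roles (role_id INTEGER PRIMARY KEY, rname TEXT);
CREATE TABLE user_roles (id INTEGER, role_id INTEGER);
CREATE TABLE privileges (id INTEGER PRIMARY KEY, pname TEXT);
CREATE TABLE role_privileges (role_id INTEGER, priv_id INTEGER);
CREATE TABLE privilege_privileges (parent_id INTEGER, child_id INTEGER);
-- constructed data: alice is ADMIN, bob is VISITOR, carol has no role
INSERT INTO users VALUES (1,'alice','x'), (2,'bob','x'), (3,'carol','x');
INSERT INTO roles VALUES (1,'ADMIN'), (2,'VISITOR');
INSERT INTO user_roles VALUES (1,1), (2,2);
INSERT INTO privileges VALUES (10,'VIEW_EMP'), (11,'EDIT_EMP');
INSERT INTO role_privileges VALUES (1,11), (2,10);
INSERT INTO privilege_privileges VALUES (11,10);  -- EDIT_EMP includes VIEW_EMP
"""

# Walk from the user's roles through included responsibilities, then check
# whether the scheme's responsibility is among them. :app_user stands in for
# the :APP_USER bind variable APEX supplies.
AUTH_QUERY = """
WITH RECURSIVE granted(priv_id) AS (
    SELECT rp.priv_id FROM users u
      JOIN user_roles ur ON ur.id = u.id
      JOIN role_privileges rp ON rp.role_id = ur.role_id
     WHERE u.login_name = :app_user
    UNION
    SELECT pp.child_id FROM granted g
      JOIN privilege_privileges pp ON pp.parent_id = g.priv_id
)
SELECT 1 FROM granted g JOIN privileges p ON p.id = g.priv_id
 WHERE p.pname = :scheme
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def is_authorized(conn, app_user, scheme):
    """True when the scheme query returns a row, as APEX evaluates it."""
    return conn.execute(AUTH_QUERY, {"app_user": app_user, "scheme": scheme}).fetchone() is not None

def page_read_only(conn, app_user):
    """Read Only condition: the page is editable only for holders of EDIT_EMP."""
    return not is_authorized(conn, app_user, "EDIT_EMP")
```

With this layout the page's scheme is VIEW_EMP and the buttons' scheme is EDIT_EMP; ADMIN passes VIEW_EMP without it being granted to the role directly, while VISITOR fails EDIT_EMP and gets the read-only page.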
It sounds like you want the authorization scheme to be IS_ADMIN_OR_VISITOR, which would return true if the user was either an admin or a visitor. That allows both admins and visitors to access the page. Your read-only logic would then mean that visitors would see the page as read only and admins would see the page as editable.
I'm trying to handle a use case where I have 2 roles (admin, customer).
There will be an admin portal and a customer portal (2 different login pages).
An admin can invite a customer.
An admin can be a customer as well, and can invite himself into the customer portal.
An admin account must not share the same password as the customer account.
Email is used as the unique field for both admin and customer account.
For example :
Admin account
- customer#email.com /password1
Customer account
- customer#email.com /password2
Solution 1:
- Permissions. Having 1 account with admin permission and customer permission.
(This can't work to fit the business use case.)
Based on this article:
https://simpleisbetterthancomplex.com/tutorial/2018/01/18/how-to-implement-multiple-user-types-with-django.html
Solution 2:
- Creating 2 Django projects, one for each user model, since both accounts can't share a password. The reason for separating into 2 projects is that resources such as session, login and logout will not be shared. So each portal (admin, customer) has its own resources.
A Create Customer API to allow the admin to create a customer account in the customer Django project.
A shared DB to share related data.
This is the only way I can think of to handle the use case. Please let me know if anyone has a better idea to handle this.
Try setting the username field to the email first, if you want the user to log in via email; otherwise remember that the username is how the user logs in. Next, create a profiles app. In this app, create a Profile model that has a OneToOne relation with the Django User model (you can reach the profile via user.profile). In this Profile model, you can create a BooleanField that distinguishes between a customer and an admin. This way, when the user logs in, you can check their profile and render the appropriate template. Another way you can do this is via the built-in Groups model: create 2 groups, one for admins and another for customers; you can have the customer set automatically as a customer when they register, and have admins created only through the Django admin or a separate portal if you choose.
I want to make sign up and login based on the user's role. The admin can add users and approve the requests of the other two user types so that they can log in. When a user clicks on sign up, they see a sign up page according to their role, and the same for login.
Django implements a pretty decent authentication framework, so you already have things such as Users, Groups and Permissions to work with, all of which are managed easily through the admin page.
What you want to do is assign a set of groups/permissions to a newly created user to determine its role, and then build a frontend that manages the different kinds of users in terms of templates. If you want a user to be validated before starting to use your page, refer to the is_active attribute of the User object.
Read for more information:
https://docs.djangoproject.com/en/2.2/topics/auth/default/#user-objects
My use case is to implement something like a messaging form, allowing an administrator to write a message, then send it to group that they will filter from a list of users, from the User model. This is similar to the messaging to usergroups functionality in Joomla! so it's not too weird a use case.
So my admin page for the "Message" model would need to contain the Message creation form and a second recordset of site Users, which could be filtered down to those who the administrator wishes to contact.
Is this kind of thing possible in Django Admin, or do I need to dip into heavily customising an admin page?
I need this login screen http://getbootstrap.com/examples/signin/ for the client (user)
and the standard Admin screen for the back-office (manager or director, for example).
The first screen, for the client (user), allows them to choose and buy your products on the site,
and the second is the normal Admin.
Question: do I use two login screens, or one with restricted permissions?
How would these permissions work? Remember that the client (user) cannot enter the Admin.
Are you asking how to create a login form? Or how to restrict access to admin pages for regular clients?
If you want to create your own login form, then use the built-in authentication views from django.contrib.auth.
Restricting admin access is simple: if you register the user with the is_staff property set to False, then he/she will not be able to use the admin.