I have an Angular v5 application backed by Django REST Framework.
Previously the application was totally relying on Django templates.
Now, I'm using Angular and it is not clear to me how permissions are should be managed.
The application has different sections. Regarding the product section, the permissions can be summed up as follow:
Course grain permissions
Can the user see a product?
Can the user change a product?
Can the user delete a product?
Can the user create a product?
Fine grain permissions
Can the user see product SKU?
Can the user see product pricing?
...
Fine-grained permissions are very important because there're users that can see the product list where on Angular has been implemented as a table, but few users cannot see certain columns.
My question is how I can handle permissions on Django and Angular?
Permissions on Django
How to design fine-grained permissions on Django and change the serializers accordingly?
Permissions on Angular
My idea was, when the user logs in, Angular got from backend all user permissions and then Angular will change the view accordingly.
Anyway, I don't think this is a safe solution since permissions can easily manipulated by the user from JS console.
What's usually the best practice for this?
Related
We have merchants with campaigns in our project. Currently, we - as superuser - manage all merchants' campaigns. However, some merchants require access to campaign management so that they can control the process and set new campaigns themselves.
There is a possibility to create the second admin site and set permissions so that only merchants can log in. However, what we need is - to filter only the campaigns owned by logged in merchant and also, when creating a new one the merchant_id should be prefilled and readonly.
Is it possible to do it using the second django admin site or should I create a special frontend interface for this purpose? Is it possible to set permissions per user-object pair (in django admin)?
Edit: I found django-guardian https://github.com/django-guardian/django-guardian/blob/devel/README.rst that should be able to do what I need.
I want make sign up and login on the base of their role there admin can add users and approved the request of other two user so that they can login.When user click on the sign up the user see sign up page accorading to their roll and same for login .
Django implements a pretty decent authentication framework inside it, so you already have things such as Users, Groups and Permissions to work on. All of those being managed easily by the admin page.
What you want to do is to assign a set of groups/permissions to a newly created user to determine its role and then build a frontend that manages the different kind of users in terms of templates. If you want an user to have itself validated before start using your page, refer to the is_active attribute of the User object.
Read for more information:
https://docs.djangoproject.com/en/2.2/topics/auth/default/#user-objects
I'm new to Django so I have some questions that might seem basic to you. I'm looking to create a platform that is open to both individuals and companies and I'm trying to design the user auth for an API that runs on DRF. I need to provide mobile platform access so I'm thinking of using OAuth via django-oauth-toolkit. Having difficulty understanding:
Should I separate the login flow into a separate app? How do I know when I should spin up a separate app?
Do I manage the profiles via the built in admin area? Is this secure for production environments?
Should I separate individual profiles and company profiles into separate apps or just models extending the Base User?
How do I allow the individual profiles to link their logins to social media accounts with django-allauth while storing extra information like birthday/name etc regardless of which mode of login?
Thanks!
This is my point of view.
No need to separate the app. You can manage all the profiles from
Django admin.
It is secure for production environments, django not allow to see
its credentials or password to anyone, its encrypted.
You can create UserProfile model and use django user as Foreignkey
in this. You can able to add extra field like in this way. OR you
can extends the User model of Django admin.
Its just a suggest, you do whatever you feel reliable or easy way.
I am working on a project which needs a separate admin interface. The django admin interface is for the super super user, there will be companies who will sign up for our app and then they will have their own admin interface. Everything is set and done despite the permission. We want model level permission that's what Django provides.
What I did is:
class CompanyGroup(models.Model):
name = models.CharField(max_length=254)
permissions = models.ManyToManyField(Permissions)
Now this list all the permissions of the site itself. So, Should I start working on my own permission app or I can modify django Permissions to provide object level permissions for only some models.
Thanks
Try one of the several existing 'row level' / 'per object' permissions apps for Django:
http://django-guardian.readthedocs.org/en/v1.2/
http://django-object-permissions.readthedocs.org/en/latest/
...there are probably others, those are just the first two in Google
We are using django-guardian in current project at work, seems fine.
I am assuming that you need to control access to sub-sets of each model's objects, depending on which company the current user belongs to (i.e. you don't want people from Company A to see items from Company B). For this reason you need row level permissions.
You probably also need to limit the permissions of all 'company users' to only certain actions:
You do not need to create a CompanyGroup class.
Instead just enable the admin site, log in as super user and create a django.contrib.auth.models.Group which contains the global permissions applicable to company users.
then ensure when you create any new company user logins that they are added to that Group
I have a range of models for my Django project. Everyone with a login has a Profile. A Profile will have certain permission access to the different parts of the website... Be able to view or edit certain accounts in the Account model. Be able to view or edit certain accounts in the Module model. Be able to delete or be blocked from accessing other Profiles. etc. People with Profiles do not access the normal Django built-in admin, it's all a custom website-side area where all of this stuff will take place.
Django's built in permissions stuff didn't seem to cover this sort of module/row level permissions. I was thinking of having a simple Permissions model with Profile and Permission Type foreign keys in them. Then all the things I want to be accessable only by Profiles with permissions will have a many to many to this Permissions model. But I'm not sure that's how to go about it?
What is an ideal way of doing permissions for the profiles to restrict access to rows of other models?
Check out Florian Apolloner's Django Advent post on Object Permissions. I found it to be a decent way of doing object-level permissions.