Log in user without giving access to admin interface - django

Working on a project that is powered by Django. The problem is I can't seem to find a way to authenticate a user without giving him access to the admin interface at the same time. I've read through numerous articles and tutorials about how Django handles authenticating visitors of the website, and they all seem to go through creating a user in admin and building a separate view for visitors, where they're presented with a login form to fill out.
They don't seem to address the problem of what happens if the user finds out that the website is built in Django, types "/admin", hits enter and then just types in his/her credentials, and voilà, a random visitor is in the admin interface, which isn't good at all?

From the docs for is_staff:
"Boolean. Designates whether this user can access the admin site."
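To make the answer concrete, here is an added stand-alone model (not code from the question, the answer, or Django itself) of the two separate gates involved: the front-end login only needs an active account, while the admin login form, like Django's AdminSite.has_permission(), also requires is_staff. The field names mirror django.contrib.auth's User, the defaults mirror create_user(), and the users and passwords are constructed for the example.

```python
# Added example: models Django's site-login vs admin-login gates with the
# standard library only (no Django import). Users/passwords are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SiteUser:
    username: str
    salt: bytes
    pw_hash: bytes
    is_active: bool = True      # Django default for create_user()
    is_staff: bool = False      # Django default for create_user()
    is_superuser: bool = False  # Django default for create_user()


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256, the same family as Django's default hasher (fewer rounds here)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(username: str, password: str, **flags) -> SiteUser:
    salt = os.urandom(16)
    return SiteUser(username, salt, _hash(password, salt), **flags)


# Constructed user table: a visitor who signed up on the front end, a staff
# member, and a superuser whose is_staff was never set (a common surprise).
USERS = {u.username: u for u in (
    make_user("visitor", "visitor-pass"),
    make_user("editor", "editor-pass", is_staff=True),
    make_user("root", "root-pass", is_superuser=True),
)}


def authenticate(username: str, password: str):
    """Return the user on a correct password, else None (like django.contrib.auth.authenticate)."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return None
    return user


def site_login_allowed(user: SiteUser) -> bool:
    # The front-end login only needs an active account (Django's ModelBackend
    # already refuses inactive users at authenticate() time).
    return user.is_active


def admin_login_allowed(user: SiteUser) -> bool:
    # /admin/ additionally requires is_staff; is_superuser alone is not enough.
    return user.is_active and user.is_staff
```

The "root" user shows the caveat worth remembering: a superuser without is_staff cannot log into the admin site, even though it would pass every permission check once inside.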

Related

I need help in designing a database (and signup and login based on their role) in which there are three users

I want to make sign up and login based on their role, where the admin can add users and approve the requests of the other two users so that they can log in. When a user clicks on sign up, the user sees a sign up page according to their role, and the same for login.
Django implements a pretty decent authentication framework, so you already have things such as Users, Groups and Permissions to work with. All of those are managed easily from the admin page.
What you want to do is assign a set of groups/permissions to a newly created user to determine its role, and then build a frontend that manages the different kinds of users in terms of templates. If you want a user to be validated before starting to use your page, refer to the is_active attribute of the User object.
Read this for more information:
https://docs.djangoproject.com/en/2.2/topics/auth/default/#user-objects

Login page responsible for different applications

I have a workspace in which I have many applications based on the same schema.
Every application has its own login page at the moment.
I want to build another application responsible for the login of all the other applications.
The login will redirect the user to a main page that will show the links to the different modules (applications) based on the user type.
Note that only the ADMIN user can see the links to all the applications.
Different types of user will see only the links to the apps that they are authorized to access.
I read other related posts, and I know I have to change the cookie name for all the apps that I want to share the authentication with.
But my question is:
If I log in successfully with a user different from the ADMIN, I am still able to access all the applications via URL, even if their link is not visible on my main page.
How can I prevent this?
Check out the use of authorisation schemes (see under Shared Components).
If you had an authorisation scheme per application, you would check on each page that the current user was authorised for that application. Don't forget that each authorisation scheme would also allow users who have ADMIN access.
Hope this helps.
Just had another thought. Check out this post http://www.explorer-development.uk.com/securing-vulnerability-exploits-apex-part-2/ by Craig Sykes.
Activating Session State Protection and using Checksums would prevent a number of issues for you.

Django admin/frontend authentication issue

I am developing an application using Django 1.4. When I log into the admin site in another tab in the browser, the application interface in which I am already logged in automatically logs out. Please help me in solving this issue. The browser I am using is Firefox. Thanks in advance.
Admin is also a user in Django. So you can't have more than one user logged in at the same time in the same browser, can you? Try the same scenario on Facebook. This is what it is. You're fine, there's no problem.
On the side note, if you are just getting started with your project use Django 1.5.
Well, you cannot log into the same website with different login ids simultaneously unless you use some plugins for this feature or you are opening different ids in an incognito window.
Since admin is a superuser (still a user), you cannot open multiple Django accounts in the same browser. One account will be logged out in order to open the other one. This is no issue. Happy coding.
The Django admin site is just another page of your main Django website. Say you have foo.com; then foo.com/admin/ shows you the admin portal.
And we already know that two users cannot be simultaneously logged in to the same website from the same browser.
So, you can test your foo.com site as an admin user yourself. The experience on the Django website for any user will be the same; it doesn't change with the user being a staff member or superuser. Only the admin site has different permissions based on these factors.
In this case, you'll be able to use both the main site and the admin portal.
But if you really want to use different user accounts for the admin site and the main site, then you should either use different browsers or a Private window in Firefox.

django sanction oauth2.0 logging out user

I am trying to integrate django sanction into my blog app (Django newbie here), but I seem not to be able to "logout" the user after the login process (using Google OAuth2.0).
The entire process seems pain-free, i.e. I am able to get all user details into my db and able to access user details in my Django templates, but when I log out and try to log back in, it seems to remember my credentials (cookies?). I am trying to log out from here
p.s.: I am developing on localhost - wondering if this is the problem(?)
See here: How to force user logout in django?
quote:
I don't think there is a sanctioned way to do this in Django yet.
The user id is stored in the session object, but it is encoded. Unfortunately, that means you'll have to iterate through all sessions, decode and compare...

Admin on GAE and django

I'm developing a Google App Engine and Django based site and I'm trying to figure out what's the best approach to solve the problem. The site requirements are as follows:
1. There must be a super administrator whose only task is to create second level administrators and assign them to a group.
2. Second level administrators can create regular users, and those users are assigned to the same group as the admin that created them.
3. Regular users don't do much besides login and logout.
I've been reading and I think I can solve 1 with the (login: admin) GAE feature for app.yaml.
I don't want to use Google accounts nor OpenID because second level admins are the only ones allowed to create users.
For 3: Is it possible to use the Django session utility to handle regular users?
I'd appreciate suggestions for a particular point or the whole thing.
For 1:
login:admin in app.yaml will prevent users that are not associated with your GAE project from visiting that URL or set of URLs. Any user associated with your GAE production project is an admin. You can create additional filtering inside the application by confirming the username that they are currently logged in with.
from google.appengine.api import users

user = users.get_current_user()  # None when nobody is signed in with a Google account
if user is not None:
    email = user.email()  # compare against your own allow-list of admin addresses
For 3:
I am not sure, we ended up rolling our own.