How to configure wagtail to log admin actions - django

Our team at 18F is working on requirements to obtain an Authority to Operate (ATO). We use Wagtail for our CMS and we currently have the need to log Admin actions. Django should provide this functionality (and should write logs to the table django_admin_log). However, it seems that Wagtail is not logging any Admin actions to that table. We really need this capability; is there a configuration we are missing to make this happen, or is a code change/modification needed? Thanks for any assistance.

At the moment, Wagtail does not record users' activity in the admin UI, but there is a feature request for this.
You can submit a pull request to add this functionality, if you wish.
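For the audit side of the question, it helps to see what django_admin_log actually holds and how to read it as an ATO audit trail. The following is an added example, not code from the question, the answer, Django or Wagtail: the table layout is a reconstruction of the django.contrib.admin LogEntry model, built in an in-memory SQLite database with constructed rows so that it runs offline; the action_flag values (1 addition, 2 change, 3 deletion) and the JSON form of change_message used since Django 1.10 are Django's, while the privilege-field names and the sample users are assumptions. Per the answer above, Wagtail page edits would not appear in this table, which is exactly the gap an auditor would ask about.

```python
"""Reading django_admin_log for an admin-action audit report (added example).

The schema below is a reconstruction of Django's LogEntry model; rows are
constructed for illustration. Uses only the standard library.
"""
import json
import sqlite3

# action_flag values as defined in django.contrib.admin.models
ADDITION, CHANGE, DELETION = 1, 2, 3
ACTION_NAMES = {ADDITION: "addition", CHANGE: "change", DELETION: "deletion"}

# auth.User fields whose change is a privilege change (assumption: Django stores
# either the field name or its verbose name depending on version, so list both).
PRIVILEGE_FIELDS = {"is_superuser", "superuser status", "is_staff", "staff status",
                    "groups", "user_permissions", "user permissions"}

# django_admin_log plus the two tables it references (types simplified for SQLite)
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE django_content_type (
    id INTEGER PRIMARY KEY, app_label TEXT NOT NULL, model TEXT NOT NULL);
CREATE TABLE django_admin_log (
    id INTEGER PRIMARY KEY,
    action_time TEXT NOT NULL,
    object_id TEXT,
    object_repr VARCHAR(200) NOT NULL,
    action_flag SMALLINT NOT NULL CHECK (action_flag >= 0),
    change_message TEXT NOT NULL,
    content_type_id INTEGER REFERENCES django_content_type(id),
    user_id INTEGER NOT NULL REFERENCES auth_user(id));
"""

# Constructed sample rows, not taken from any real deployment.
SAMPLE_ENTRIES = [
    ("2021-03-01 10:00:00", "7", "Launch announcement", ADDITION, '[{"added": {}}]', 2, 1),
    ("2021-03-02 09:30:00", "7", "Launch announcement", CHANGE,
     '[{"changed": {"fields": ["Body"]}}]', 2, 2),
    ("2021-03-03 14:05:00", "4", "alice", CHANGE,
     '[{"changed": {"fields": ["Superuser status", "Groups"]}}]', 1, 2),
    ("2021-03-04 08:00:00", "9", "mallory", DELETION, "", 1, 1),
    ("2021-03-04 08:10:00", "3", "carol", CHANGE, "Changed password.", 1, 1),  # pre-1.10 text
]


def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO django_content_type VALUES (?, ?, ?)",
                     [(1, "auth", "user"), (2, "blog", "post")])
    conn.executemany(
        "INSERT INTO django_admin_log (action_time, object_id, object_repr, action_flag,"
        " change_message, content_type_id, user_id) VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ENTRIES)
    conn.commit()
    return conn


def changed_fields(change_message):
    """Field names from change_message: JSON list since Django 1.10, free text
    before that (returned as one element so nothing is silently dropped)."""
    try:
        parts = json.loads(change_message)
    except ValueError:
        return [change_message] if change_message else []
    fields = []
    for part in parts if isinstance(parts, list) else []:
        changed = part.get("changed") if isinstance(part, dict) else None
        if changed:
            fields.extend(changed.get("fields", []))
    return fields


def admin_actions(conn, since=None):
    """All logged admin actions, oldest first, joined to user and model.
    `since` is an ISO-8601 prefix; action_time is text, so the comparison is
    lexicographic, which is correct for ISO timestamps."""
    sql = """
        SELECT l.id, l.action_time, u.username,
               ct.app_label || '.' || ct.model AS model,
               l.object_id, l.object_repr, l.action_flag, l.change_message
        FROM django_admin_log l
        JOIN auth_user u ON u.id = l.user_id
        LEFT JOIN django_content_type ct ON ct.id = l.content_type_id
        WHERE ? IS NULL OR l.action_time >= ?
        ORDER BY l.action_time, l.id"""
    actions = []
    for row in conn.execute(sql, (since, since)):
        entry = {key: row[key] for key in row.keys()}
        entry["action"] = ACTION_NAMES.get(row["action_flag"], "unknown")
        entry["fields"] = changed_fields(row["change_message"])
        actions.append(entry)
    return actions


def privilege_changes(conn):
    """Edits to auth.User that touched superuser, staff, group or permission fields."""
    return [a for a in admin_actions(conn)
            if a["model"] == "auth.user" and a["action"] == "change"
            and any(f.lower() in PRIVILEGE_FIELDS for f in a["fields"])]


if __name__ == "__main__":
    db = build_sample_db()
    for a in admin_actions(db):
        print(a["action_time"], a["username"], a["action"], a["model"], a["object_repr"], a["fields"])
    for a in privilege_changes(db):
        print("PRIVILEGE CHANGE:", a["username"], "->", a["object_repr"], a["fields"])
```

Two things worth noting when reading the real table: content_type_id is nullable (Django keeps the row after the model's content type is deleted, hence the LEFT JOIN), and the table has no integrity protection of its own, so anyone with database write access can edit or delete entries; for an ATO you would normally ship these rows to an external, append-only log as well.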

Related

AUTH for AWS using NEXT.js

I am struggling to find good info on setting up auth for a web page. I need it to have three levels of access.
ADMIN, which can control everything i.e. allowing the other levels to exist.
Editor, which can see the posts made in a backend situation. Editors will have to be approved by the ADMIN.
Authors, who can put, read and delete (only their own posts).
I don't want the authors to have to wait to make posts on the site. But Editors and ADMINS need to be approved. I feel that making a separate site for Editors and ADMINS is the solution to this.
Can anyone point me in the right direction concerning this?
Questions I need to be answered:
How Do I set up the three levels?
Is there one login that the ADMIN has to view and approve? I need it to be secure but not CAPTCHA or MFA Secure. I know AWS and Amplify uses Cognito which is fine. I would prefer to not use a Social provider login. Just an email login.
Since this website will require a database (S3 bucket) for the info that will be uploaded by the authors, will the login info be stored in a different database (DynamoDB for instance)?
I want to use Amplify, Next.js, and AWS.
Sites I have been reading and I'm sure have the answer but I am not seeing.
https://docs.amplify.aws/cli/auth/overview/
https://nextjs.org/docs/authentication
https://next-auth.js.org/providers/cognito

How to structure django admin for multiple users

I'm still a complete newbie on Django, so now I'm a little bit lost on what I could do to structure my server to suit my needs.
The situation is like this: my Django admin could be accessed by the admin and multiple users. Each user can add multiple items to the server, and the server will only allow them to retrieve, modify and delete items added by them and not by the other users. They will also have some custom options they can pick, like receiving notifications through email or other channels. Meanwhile, the admin can see all items, and has a filter to see all items added by one user and all users' custom options.
Any help would be appreciated.
Take a look here; this is where I started with custom user models: https://wsvincent.com/django-custom-user-model-tutorial/
Django has built-in user models with basic fields like username, email and password, and authentication. The above link will help you create custom user models, and it will be a good place to start.

Django User Model questions

I'm new to Django so I have some questions that might seem basic to you. I'm looking to create a platform that is open to both individuals and companies and I'm trying to design the user auth for an API that runs on DRF. I need to provide mobile platform access so I'm thinking of using OAuth via django-oauth-toolkit. Having difficulty understanding:
Should I separate the login flow into a separate app? How do I know when I should spin up a separate app?
Do I manage the profiles via the built in admin area? Is this secure for production environments?
Should I separate individual profiles and company profiles into separate apps or just models extending the Base User?
How do I allow the individual profiles to link their logins to social media accounts with django-allauth while storing extra information like birthday/name etc regardless of which mode of login?
Thanks!
This is my point of view.
No need to separate the app. You can manage all the profiles from Django admin.
It is secure for production environments; Django does not allow anyone to see credentials or passwords, they are encrypted.
You can create a UserProfile model and use the Django User as a ForeignKey in it. You can add extra fields this way. Or you can extend the User model of Django admin.
It's just a suggestion; do whatever you feel is reliable or easy.

Pinax stripe not allowing me to add payment plans in admin panel

I am developing a Django application using Pinax Stripe (https://github.com/pinax/pinax-stripe). I have added the webhooks and test API keys. But when I log in to the admin panel and go to the 'plans' section to create a plan, the 'create a plan' page doesn't show the text fields for the admin to create a plan. Have I gone wrong with the setup somewhere? I really don't understand this.
To create a plan you have to do the following.
Go to the Stripe account settings https://dashboard.stripe.com/account
Set up your webhook under the "webhook" tab
Go to the Dashboard https://dashboard.stripe.com/test/dashboard
On the left side under "subscriptions" go to "plans"
Create a plan.
Go back to your virtual environment and run the following management command in the console:
python manage.py sync_plans
Once this is done you should be able to see your plans. Let me know if that works.

Should I use Django's Admin feature?

I'm building a Django-based review website where public users create all of the content on the site. Users create reviews for given items and they also create the items themselves that will be reviewed (providing a description and brief summary of the item, along with a few tags).
My question is this: Should I be using Django's admin features for this website (as in, exposing admin controls to the public users)? Or should I just stick with normal forms? I'm not too familiar with the admin-aspect of Django, and so far I've just been using forms for the website, but I've seen a lot of people talking about Django's admin features, and I'm starting to wonder if I should be using them.
Thanks for any feedback!
Maybe. If the admin functionality covers most of what you want to offer, there's no reason why you shouldn't use it as a starting point.
django.contrib.admin is an application like any other, and provides basically a CRUD interface to your models. Access can be controlled via groups/permissions, just like you would for an application you write yourself. You can give full access to a model with a one-liner, but obviously will have to configure properly when opening up to others.
See also my question
Django AdminSite/ModelAdmin for end users?
and similar questions Exposing django admin to users. Harmful? and How to make Django admin site accessed by non-staff user?
Regarding arguments about the "intended use" of the admin, please note Django's security update at the end of last year: http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists. Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.
No. The django admin is not intended for any end-user.
The django admin feature is intended to assist the website developer, and that is all. Even usage by site administrators is contra-indicated, although in practice most small sites get away with it since they're only talking a few people who can call on the developer personally if they get into trouble.
For your purposes, the review items and the workflow in creating the items is a critical part of your application feature set. The admin will give you ideas, but it would be a mistake to attempt to build your application upon it.
I wouldn't expose the admin interface to regular users. You can use the authentication and user-management side (for your purposes), but it's usually best practice to give users a separate way to manage their objects. You also don't run as much of a risk of granting the wrong privileges to users (or allowing them to grant their own).
Have a read through the docs if you want a better overview of what it can do.