I am building a website where you can keep your private portfolio, logs, etc using Django.
All courses, documentation, I came accross so far give all users the possibility to view all entries made by all users (e.g. blog, posts etc.). However I want to restrict any user from viewing & READING other users' data.
How can this be best achieved? Is there an extension available? I know that django doesn't have row-level permissions, but there are extensions for that available such as Django-rules.
In my case however I want restrict a user from viewing other users' data. In other words, a user can only see his/her porfolio and is also not in any way able to CHANGE, UPDATE, DELETE any entries which is not its own.
I found that django-guardian does the job.
Related
I am developing a personal blog using Django (to learn).
I want to be the only user that is allowed to post there.
However, I want to allow people to comment on my posts, when they do not register but (not sure of the correct terminology here) log in via their Google etc account to place a post.
How is this functionality called?
How can I achieve this in Django? Do I need to still save the user credentials etc into the database? Do I still need to have a Comment model (I think so)?
I am using allauth for registering users and I would like to give permissions to users automatically after they created a local account or using social login.
A good example would be only 1 user to be able to create posts and comments whilst the rest of the users to be able to only create comments.
Looking around I have seen that you can create Groups and through those you can give certain permissions, is this the right way to handle this? Or are there some better avenues worth exploring?
Many thanks.
I am new to django. I want to edit default user auth_permissions. More precisely I want to add an integer field in addition to "label", "code" features to distinct permission types (like strong, moderate and etc.). So far I could not find anything like this. I tried to make custom permissions, but could not add them to the permission database. Anyone could help me?
Per Object permission
When i first got into django i also tried relying on the permissions framework within django, I also found the permissions were too broad and inefficient, which lead me to researching django-guardian, I tried to submit an edit to the Django project itself to make more object-base permissions with no success, they said as per object permissions were too personalised for the framework.
The thing is, after getting to work in the industry i realised how people do these permissions in the industry (which honestly was something that bugged me), they mainly create custom login middlewares to keep track of authentication types and add the checks on the view itself. So basically you will have to check in the view who the user is and if you want to give them permission to whatever.
When in MIT they kept asking me to make some weird permissions and I created a table called ExtraordinaryPermissions, this had a ForeignKey to the user and could be used to check within the views what objects the user had access to
It is troublesome, but as-per-object permissions are handed this way in the industry
good luck
I'm building a Django-based review website where public users create all of the content on the site. Users create reviews for given items and they also create the items themselves that will be reviewed (providing a description and brief summary of the item, along with a few tags).
My question is this: Should I be using Django's admin features for this website (as in, exposing admin controls to the public users)? Or should I just stick with normal forms? I'm not too familiar with the admin-aspect of Django, and so far I've just been using forms for the website, but I've seen a lot of people talking about Django's admin features, and I'm starting to wonder if I should be using them.
Thanks for any feedback!
Maybe. If the admin functionality covers most of what you want to offer, there's no reason why you shouldn't use it as a starting point.
django.contrib.admin is an application like any other, and provides basically a CRUD interface to your models. Access can be controlled via groups/permissions, just like you would for an application you write yourself. You can give full access to a model with a one-liner, but obviously will have to configure properly when opening up to others.
See also my question
Django AdminSite/ModelAdmin for end users?
and similar questions Exposing django admin to users. Harmful? and How to make Django admin site accessed by non-staff user?
Regarding arguments about the "intended use" of the admin, please note Django's security update at the end of last year: http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists. Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.
No. The django admin is not intended for any end-user.
The django admin feature is intended to assist the website developer, and that is all. Even usage by site administrators is contra-indicated, although in practice most small sites get away with it since they're only talking a few people who can call on the developer personally if they get into trouble.
For your purposes, the review items and the workflow in creating the items is a critical part of your application feature set. The admin will give you ideas, but it would be a mistake to attempt to build your application upon it.
I wouldn't expose the admin interface to regular users. You can use the authentication and user-management side (for your purposes), but it's usually best practice to give users a separate way to manage their objects. You also don't run as much of a risk of granting the wrong privileges to users (or allowing them to grant their own).
Have a read though the docs if you want a better overview about what it can do.
I'm working on creating a simple website for an exhibition. It's intended to use django with django CMS as much as possible - so Django admin site will be used.
Now I want to limit user's access to objects they can view/modify/delete.
There's going to be an Admin user, who can do all that admin can in django. But there are going to be Exhibitor types of users, who should be able to only see/modify their own objects (like - Page and Offer, they both would have an ID of the Exhibitor who's their owner).
Can this be done on the model level in django? Best would be to have some method that would take a logged-in-user instance and return the list of objects that this user can see.
There used to be a Row level permissions branch but it appears to have died off before gaining any traction or hope of being included into the trunk, so unfortunately that is out. That link does, however, give you a bit of a hint as to how they claim the admin app currently supports it via the ModelAdmin class.