I am creating user profiles using Django 1.8.
The way I have currently got it is the 'my_profile' view will use request.user() at the top of the view and then generate the information required from there.
My question is weather this is a bad practise for creating profiles.
In the past I have passed the user ID into the URL to create a profile but as it stands I think the request.user() method seems more secure and easier.
Are there any negative implications in creating it like this such as speed issues etc.?
Firstly, you will never be able to view another users profile if you do not use their ID in the URL to generate the view.
However, there is no reason why there would be any negative implications such as speed etc. by designing your user profile in this way.
I would personally recommend against it as it will limit the possibilities of what you can achieve with the user profiles.
And in terms of security, you could just add a check around the user profile view to check the current user has permission to be there.
Related
I want to be able to allow certain staff users the rights to add other users and staff but what seems weird to me is that 1) a staff member can just change their own privileges to superuser or just make a new user and grant superuser privileges to them. 2) delete a superuser or revoke their superuser status
Some staff users should be able to modify/create/delete users but they should not be able to delete super users nor assign permissions to themselves or other users that they do not have the permission themselves.
This has always been logic I have incorporated into my user systems that I've written in PHP and I was just wondering if there was a way to change these settings in Django as I really like Python/Django (I'm just beginning to learn it) and can see myself migrating away from PHP. But part of the beauty for me lied in the admin panel and if that is something that cannot be changed, that's kind of cringe-worthy.
It reminds me of a restaurant POS system that I used to use when I was a GM. As the GM, I had powers that shift managers did not have. However, the shift managers could add a fingerprint to my profile (theirs) and then just log in as me and do anything they wanted to. I always felt this was a severe security breach and even took disciplinary action on an employee for doing this. It also allowed the shift managers to create new employees with titles that were above theirs which created the same problem as they could just create a new GM or Area Manager, login, do whatever they wanted, and see all kinds of things that they shouldn't (like their colleagues' salaries), and then hide (not delete) the user. (this is how he got caught)
If anyone has a fix or any ideas and suggestions, I'd love to hear them and keep learning this exciting new language. Thanks in advance!
Django admin is a basic CRUD system, it is not recommended to use in that way. Django views (your custom views) give you more power to control the process.
First of all, Django Permissions might be a good start point. Create Groups for user types and assign desired permissions for each group. Do not give permission for non-superusers to change group or permissions.
Second thing is using Django Signals to check data before saving it. For example, a pre_save signal for User creation can be used to check if is_superuser, is_staff values of the user are set by non-superuser. You can add added_by value to the user model and verify your checks using this value.
Also, using custom forms for Django admin is also possible and might be the simplest solution for it. Just make a custom form for creating and editing users and verify changes in the form directly before allowing the view to save anything. It is also possible to inform user that they don't have access for changes they made and also notify the management about the attempt.
I am new to django. I want to edit default user auth_permissions. More precisely I want to add an integer field in addition to "label", "code" features to distinct permission types (like strong, moderate and etc.). So far I could not find anything like this. I tried to make custom permissions, but could not add them to the permission database. Anyone could help me?
Per Object permission
When i first got into django i also tried relying on the permissions framework within django, I also found the permissions were too broad and inefficient, which lead me to researching django-guardian, I tried to submit an edit to the Django project itself to make more object-base permissions with no success, they said as per object permissions were too personalised for the framework.
The thing is, after getting to work in the industry i realised how people do these permissions in the industry (which honestly was something that bugged me), they mainly create custom login middlewares to keep track of authentication types and add the checks on the view itself. So basically you will have to check in the view who the user is and if you want to give them permission to whatever.
When in MIT they kept asking me to make some weird permissions and I created a table called ExtraordinaryPermissions, this had a ForeignKey to the user and could be used to check within the views what objects the user had access to
It is troublesome, but as-per-object permissions are handed this way in the industry
good luck
I had no idea how to structure an accurate title for this question, but I did my best so please bear with me.
I am working on a app for my hockey team that consists of a django app and an mobile app that communicates with the django app using JSON (django-rest-framework). However, one problem I am struggeling with figuring out how to solve is as follows:
You create a user (using Token Authentication), and then you create a player and/or a manager.
However, what I am struggling with is what to do when an existing user logs in. How do I check whether or not there is a player or manager associated with that user? When I log in, all I get in return from the rest framework is that user's authentication token, so from a programming perspective, I have no clue what user it actually is since I dont have the user's Id. Even if I did, how can I look up players by anything other than their Id? Currently the only idea I have is to grab all players and loop through them to find one with the same email address as the user currently signed in has.
Hope this made some degree of sense!
Thanks
This isn't really a question about JSON.
Surely the token is associated with a user ID? I don't use django-rest-framework, but the documentation for TokenAuthentication is pretty clear that once the user logs in with their token, you'll get a normal auth.User instance in request.user just like you would with a standard web-based login.
Your second question is probably made irrelevant by that, but even so, you can always query by an email address, without needing to loop through:
Manager.objects.get(email=my_email_address)
Again this is standard Django querying - if you're not familiar with that syntax, you should do the Django tutorial.
Of course, since you have a User already, you can do a more efficient foreign key lookup:
Manager.objects.get(user=request.user)
or even
request.user.manager
(assuming you have a one-to-one relationship from User to Manager - it would have been helpful to see your models).
So I want to keep track of about 100 employees but only five of them should be able to log in into the backend (the rest starts with no loginpossibilities at all) what's the best way to solve that problem ?
I thought of an EmployeeModel that has a 1to1-relation to an abstractBaseUser but is that the way to go or is there something easier ?
~Max
Why not make use of Django 1.5's new customisable User model and model each employee as a user with an extended profile:
In Django 1.5, you can now use your own model as the store for user-related data. If your project needs a username with more than 30 characters, or if you want to store user’s names in a format other than first name/last name, or you want to put custom profile information onto your User object, you can now do so.
By making each employee a "user", you have the balance of being able to control their ability to login (using is_staff) as well as being able to add as much employee profile information that you need.
Why not just have FK from employee to user if an employee has an attached account?
Don't go for over customisation as this can be easily achieved easily using the built-in tools. Make the login_page require a permission suppose say "can login". And just make these 5 users have those permission. So rest will automatically get a permission denied response when trying to login.
I've recently started using Pushover.net, I've done some searching and can't find any examples of it being integrated with a django project.
Since i can't find any examples I've decided it would be fun to try myself. What I'm interested in is how you would suggest I do it. I want the actual pushover part as decoupled a possible, hence doing it asas an app.
What I'm not entirely sure on how to approach is the user authorization. The idea being a user enters their pushover user key and its saved in a user profile model using django's AUTH_PROFILE_MODULE with some functions such as has_pushover but obviously I'd like some security so the user keys aren't stored in plaintext. What do people suggest for this?
Is there some inbuilt django security I can use?
In the past when I've needed to encrypt Django fields I used the encrypted fields available in django-fields. You could use one of these on your UserProfile model and define a has_pushover() method on the model which basically returns whether the pushover token field is None or not.
I'm guessing because you're talking about storing each user's Pushover token you are wanting to build an app for pushing arbitrary notifications to your website's users? This is in contrast to having the website just push notifications to yourself for site events.