I have a single web2py app which I have set up to be the default by using
routers = dict(
BASE=dict(
default_application='myapp',
),
)
As recommended in the docs. I want to remove the admin app, but retain the ability to administer by app using my app/appadmin. Is this possible? I tried simply removing the app, but now when I go to https://example.com/appadmin, I get redirected to https://example.com/admin?send=%2Fappadmin and this replies (quite reasonably) with "invalid controller (default/index)".
The appadmin.py controller delegates authentication to the admin app, so you cannot access appadmin without the admin app. The only exception is that you can access the /appadmin/manage functionality described here, as that is authenticated via the application itself.
Alternatively, you can hack your application's appadmin.py controller to change how authentication is managed -- see here.
Related
I am building a django server for an API that relies on JWT (or Token based - https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication) authentication for our users.
I don't need session based authentication for any purpose. It creates an unnecessary query on each request, and also authenticates users when I don't want to authenticate them (I want browsers to only authenticate when it includes an Authentication header in the request, and stay AnnonymousUser otherwise. This is because it creates issues in some of my middlewares where I verify if I am dealing with a guest or a authenticated user).
However, the issue comes when I try to use the admin application as well (I can't imagine building this app without the use of the django admin page). When I remove the session-related middlewares:(django.contrib.sessions.middleware.SessionMiddleware, django.contrib.auth.middleware.AuthenticationMiddleware and django.contrib.messages.middleware.MessageMiddleware) from my settings file, I get the following error when I do a runserver:
ERRORS:
?: (admin.E408) 'django.contrib.auth.middleware.AuthenticationMiddleware' must be in MIDDLEWARE in order to use the admin application.
?: (admin.E409) 'django.contrib.messages.middleware.MessageMiddleware' must be in MIDDLEWARE in order to use the admin application.
?: (admin.E410) 'django.contrib.sessions.middleware.SessionMiddleware' must be in MIDDLEWARE in order to use the admin application.
Can someone think of a workaround where I can disable sessions in Django, while also being able to use the admin panel? One solution I thought of is to hack up adding the authorization header to each admin page request, but 1) I have no idea how to proceed with this idea and 2) (more importantly), I cannot do a runserver while disabling the session middlewares.
Ive implemented a custom auth system in one(only) Django app on my project
Now I want to open my site up to Api access, is there a way to only let users from the Django app access this api. As I don't want to repeat myself (DRY) so was asking if it was possible to work backwards rather than to overwrite the Django rest Authentication with very similar code
DRF's SessionAuthentication is included in the default DRF settings and is entirely transparent to users who are already familiar with logging in to your site. You can add it to the list of authenticators for DRF:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
# ...
'rest_framework.authentication.SessionAuthentication',
)
}
The session a user establishes when logging in to your site now also authenticates them for DRF's browsable API and any API calls.
More info: https://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication
If you're instead asking how to do something like issue API keys, DRF's TokenAuthentication can do that for you. You'll just need to add a view to your site that allows users to retrieve their generated tokens.
More info: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
I'm building an App using react and django as backend.
I have JWT authentication set up and working. But I am wondering if it is safe to include menu items and logic of views that will be displayed only to specific users and will include sensitive information. Of course these views will only be visible to the relevant users.
My question is if it possible for someone to extract the info from the react build? And if so, what is the best practice to avoid such situation?
Your javascript code should not contain sensitive information. Such information should be dynamically fetched and checking permissions on a per request basis when the screen is actually rendered that needs to display it.
If you even want to hide certain screens so that users can't see certain features on your app that are not available to them you either need to bundle those screens into another app and serve that on another url or you can dynamically fetch javascript containing these views.
Usually this is not worth the effort as you should concentrate on correctly checking permissions for your api.
EDIT:
Assuming i'd like to dynamically fetch the JS with the sensitive views and add those to my app, how do i do that?
I assume you are using webpack 2 for bundling your react app? Then you need to use dynamic imports for the parts that need to be dynamically loaded. Then in django you need a custom view that serves your static files and checks for permission to access this part of your react app when it is requested.
This tutorial explains how to lazy load components using webpack 2.
I am guessing that you encode user roles in the JWT token itself and exact it using something like jwt-decode then match the to roles to render different components.
For example you might be doing something like check for a 'admin' role and render a link in nav bar for /admin route.Which i think i safe to do.
But what if a user looks into your code and sees that there's a /admin route and tries to access it?
So u also got to have logic inside the route to check for role 'admin' and serve something like a '404' if the role doesn't match.
You can dynamically fetch any route once the user role matches.
Im really confused about what is all i need to consider for creating a django aplication with almost similar functionality to it's own admin.
The index page should deploy the list of models the user has access to modify or create...almost the same as when you put admin.site.register(MyModel) but with permission restriction. Im not sure how should i ckeck permissions, and show 1 ,2 or many "ModelAdmis" on my main page.
btw admin users are redirected to the admin index page, non-admins go to my page
Before you consider creating a django admin from scratch, you should read the answers to this question Django Admin app or roll my own?
I couldn't find any resource on how to create a django admin from scratch, but here's what you should do if this is your first time overriding a framework's functionality (in my humble opinion):
Understand and make sure you are comfortable with the django admin app
start from the docs https://docs.djangoproject.com/en/1.7/#the-admin
Head over to the django admin app source code so you can start reading the internals of the functionality you want to implement/override in your new admin app.
source code can be found here https://github.com/django/django/tree/master/django/contrib/admin
(this may involve reading other apps source code too)
After those two steps you should have an idea on how the admin app is implemented and it's dependencies, then you can start creating your custom admin app.
an example on how this may go can be found in this qestion:
How to override Django admin's views?
If you are building something new, try to separate the UI from the backend. You can build your UI using react, angular or whatever and interact with django using the API. To build the API you can use the Django Rest Framework.
Don't use the Django Admin as a public interface. Use that only for the admins!
If you start to use the Django Admin as interface for your public site, you'll fight with the package to tailor and secure the views to avoid destructive actions. What happen if you forget a readonly field? What if the user deleted something ON_CASCADE?
Building the UI you are totally free and you can customise easily everything without fighting the django admin package (it's awesome package but is not provided for public use)
I'm creating a site that will allow users to authenticate via Facebook and create content.
Should I use the Django admin interface for content creation or would it be smarter to create my own interface. If I should roll my own are there any good tutorials about this?
You can use admin login page and with custom URL redirection. Here is the working example for facebook authentication.
https://github.com/sivaa/django-social-auth-facebook
As a general rule, the django admin is best for validating your models during development and testing; and should not be used as a front end user interface.
Since each site/application has their own unique requirements, it is difficult to recommend a tutorial. Once you are familiar with django, you will find the following libraries helpful:
django-bootstrap-toolkit - this integrates the the excellent bootstrap css/javascript framework in django.
django-social-auth - allows your users to login using their social network credentials.
pinax project - a collection of common utilities for developing just about any kind of front end website.
For customizing the existing admin application:
grappelli - a custom skin for the admin
django-frontendadmin - edit models in the front end using template tags
django-admin-tools - customized widgets and UI elements for the admin application