Permission to control user accounts belonging to specific group only - django

Is it possible in Django to create a permission to control (view/add/delete/change) user accounts only from a specific group or, e.g., having the flag is_staff set to false? How can I do it?
For example, users from 'operators' group can manage users from 'clients' group and cannot control (even view) staff user accounts in admin interface.

Yes, it's possible to do that. You can specify groups of users and assign particular rights to them. It's quite well described in the docs - please see here: https://docs.djangoproject.com/en/1.8/topics/auth/default/#permissions-and-authorization
Hope that helps!

Related

How to Implement multiple kinds of users in Django?

I am new to Django so please bear with me if my questions seem too basic.
So, I want to create a web app for a kind of a store in which I have three different kinds of users.
Admin(Not Superuser) who can:
create, view, update, delete account for a Seller(agent)
issue them inventory
Seller who can:
sell an inventory item to a Customer(customers cannot themselves purchase it, only the seller can do it by filling in a form)
a Customer account should automatically be created upon submission of the form by Seller or if the Customer already has an account, the purchase should be added to their account
Customer
can login and view their account
What would be the best way to go about it? Using auth Groups, Profile models or anything else?
Any help would be wonderful. If something is not very clear in the question, I can provide more details. Thanks.
Django already has a solution for this: a Group [Django-doc]. A user can belong to zero, one or more groups. A group can have zero, one or more Permissions [Django-doc].
These permissions can be defined by a Django model, for example for all models there are permissions, to view, add, change, and delete objects of a certain model, but you can define custom permissions as well, for example to visit a certain page. A user then has such permission if there is at least one group they are a member of that has such permission.
You can work for example with the @permission_required decorator [Django-doc], or the PermissionRequiredMixin [Django-doc] to enforce that only users that have the required permission(s) can see the given page.
You thus can make groups for a seller, customer, etc. Often people can have multiple roles, for example being both a seller and a customer, which thus is elegantly solved through the permission framework.

Django user groups only for permissions?

I'm a bit unsure what to use Django user groups for.
I have an application where every user belongs to a different organisation. The organisations don't have anything to do with read/write permissions. It's just a way to separate groups of users. Every organisation needs some additional fields, like a name, URL, and email address. New organisations will be added to the system over time.
Within every organisation, users can have different permissions for moderation and administration, for which I (also) want to use user groups.
My question: Should I use Django's user groups to define the organisations, or should I just make an 'Organisation' model with a relation to the user?
Nope. User groups are made for different reasons. You CAN use them to define organisations but I think you should think a bit further ahead:
will the organisation require more fields than just name?
perhaps you will need permissions in the future to define users' roles within organisations?
I'm sure you can come up with more things to think of. But if you answered yes to one of those questions then just create your Organisation model.
1) You need to add the group from the Django admin side under the Group table.
2) While creating a new user, assign the specific group to the user using user_obj.groups.add(group_id), or let the user select the group at the frontend,
and then call user_obj.save().
In the Group table, you can create the organization
OR
you can create an individual organization table and assign the user to a specific organization.

ColdFusion 9 LDAP

In our intranet application, if a user is not authenticated, I use the CFNTAuthenticate tag.
But normally the user is already authenticated and I'm able to retrieve his username with mid(cgi.REMOTE_USER, 8, 13). How can I retrieve his group memberships (or at least whether he is a member of a specific group) without having him type his password (as he is already authenticated, single sign-on)?
I hope I was able to provide all required information for a simple answer from your side (in the hope there is a simple answer).
You can use any Active Directory account to retrieve group memberships for other users. I have a ColdFusion-specific domain account for looking up group information. That account doesn't need any special permissions in Active Directory.
Checking a direct group membership is simple. Use this as the LDAP query (<cfldap>):
(&(samAccountName=#userAccount#)(memberOf=#distinguishedNameOfGroup#))
If it turns up empty, the user is not a member of that group.
Important: The values of userAccount and distinguishedNameOfGroup must be escaped before you can use them in a filter. See the Special Characters chart on the MSDN page that explains the search filter syntax.
Checking a nested group membership (i.e., user is in a subgroup of the group you want to check) is comparatively complicated.
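The escaping requirement from the answer above, as an added example that is not part of the original answer: it builds the same filter with both values escaped per RFC 4515 and compares it with the unescaped form. The sample DN, the function names and the `nested` option (which uses Active Directory's matching-rule-in-chain OID and goes beyond what the answer covers) are additions made here.

```python
# Added example, not from the page: RFC 4515 escaping for LDAP filter values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory's "matching rule in chain" OID (an addition, not on the page).
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample: a legitimate group DN that contains parentheses.
SAMPLE_GROUP_DN = "CN=Ops (EU),OU=Groups,DC=example,DC=test"


def escape_filter_value(value):
    """Replace each character that has meaning in a filter with its \\XX form."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(user_account, group_dn):
    """The filter from the answer with the values pasted in unescaped."""
    return "(&(samAccountName=%s)(memberOf=%s))" % (user_account, group_dn)


def membership_filter(user_account, group_dn, nested=False):
    """Same filter with both values escaped; nested=True also follows subgroups."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(samAccountName=%s)(%s=%s))" % (
        escape_filter_value(user_account), attr, escape_filter_value(group_dn))


def filter_shape(filter_text):
    """Return (opening parens, closing parens, wildcards) left in a filter.

    A filter built by membership_filter always has the shape (3, 3, 0); any
    other shape means a value changed the structure of the query.
    """
    return (filter_text.count("("), filter_text.count(")"), filter_text.count("*"))
```

With the unescaped form, a group name containing parentheses yields a malformed filter and a `*` in the account name matches every account, so a non-empty result no longer proves that the intended user is a member.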

Jira projects showing up to users who shouldn't have permission to see them

In Jira (4.0), under Global Permissions, I have the Jira Users group containing two groups, jira-users and jira-login. When I started at this company, there was only the jira-users group, but I added jira-login so that I could remove users from jira-users and still have them be able to login. Everyone with jira-users permissions has specific permissions across every project in Jira and I didn't want to have to change that group's access on every project/permissions scheme affected.
Ultimately, what I'm trying to do is have a new group, Suppliers, have limited access to our projects. So a supplier is a member of jira-login and Suppliers only. Regular users are members of both jira-login and jira-users, although since they are a part of jira-users, they can still login without being part of the jira-login group.
The problem I'm having is that suppliers can see the projects that I want them to, but also a few projects that I didn't give them permissions to see. I want to remove the visibility of these unwanted projects for suppliers. NOTE: to let the suppliers see the select projects, I added the Suppliers group to the Users project role on each project that I want them to see.
Under project roles for each of these unwantedly visible projects, the only group that has access to the Users (or any other project role besides admin) is jira-users. I have no idea how people outside of the jira-users group can see these projects.
I cannot seem to find the common denominator scheme/setting that these suppliers have. Certainly the newly created jira-login group doesn't have any sort of access that I didn't enter in manually. Right?
Any suggestions? Thanks.
Instead of having a jira-login and jira user group it might be better to create new groups that don't involve the jira-user group (this might cause odd behavior). From what I have read it seems that all users need to be a part of the Jira-users group to even log in.
Then having permission schemes that only include the groups that you want should be able to lock out unauthorized groups.
The ability to view issues is controlled by the Browse Projects permission. Check the permission scheme for a group that Suppliers can unexpectedly view and see who has that permission. It may be a group or a role. Remove the Suppliers from that and they won't be able to view that project's issues.
More info at http://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions
The issue was caused by having either "Current Assignee" or "Reporter" in the "Browse Project" permission. Strange behavior. Watch out for this one.

Admin view access to other normal users in django

How can I give access for the admin views to normal users in django?
Go to the admin site and edit the user. Check the check box (under permissions) where it says:
"Staff status
Designates whether the user can log into this admin site."
You then need to grant them appropriate permissions for them to actually see things in the admin site. That is done just below this checkbox. If you want them to be able to do everything, check the "superuser" checkbox.
Is this what you mean?
Update
The OP actually wants to apply these permissions to a group of users. To do this, go to the admin site > Auth > Groups. Create a new group. Give it the permissions you want the group of users to have. You then need to go to each user and add them to this group. They will also need to be given "staff status" in order to log in to the admin site.
Is that what you are after?