I am working with django, and I would like to use django-admin to manage certain things of my site, including the mantainance of the database.
Can I use it once the project is deployed or should I consider other options? I have searched for options but I didnt find anything. Leaving the admin site like www.mysite.com/admin I dont think is an option because of security issues.
Thanks
The django admin is exactly what you should be using to administrate (hence the name) your site after deployment. What are the security issues behind www.mysite.com/admin? You need a user account with staff privileges to access the admin area.
Related
Is there a way to deploy Django Admin and your main application separately, though both of them sharing the same Models / Business logic services.
I come from Grails background where you can create a plugin which can hold your Entities and common business logic and that plugin can be utilized by other application deployed and scaled separately though using the same Database. You don't have to repackage your plugin again for every change rather its just sibling folder to your other projects.
Can I achieve something similar with Django?
Assuming a typical setup, in order to be useful Django Admin needs access to project's apps and their models.
So a setup that you've described would require at least:
simple URLconf with just Django Admin
models and their Admin bindings for all apps that need Admin
settings with database credentials
Even if your models and Admin bindings are not dependent on other parts of the codebase,
extracting the above components to a separate project and then keeping everything
in sync sounds pretty hard.
Summarizing: I would say it's hard but possible if it's something that you really need,
but Django Admin hasn't been designed with such use case in mind.
Django admin is actually separate from the main application by placing it on its own url. Even if they know the admin url, users cannot log in to the site's admin unless they have already been assigned Staff status via the admin. You can set the admin prefix to anything you want, so if you want to "hide" the admin login page, just make it something long and random (good for security too), and basically no one but those you tell will even know where the admin site can be found.
I know that Django websites contain a secret key which is not to be disclosed to anyone. However, I really want to showcase my website on GitHub, as I feel it is nice. Unfortunately, I am worried about the secret key's security, and if it would be safe to upload that website to GitHub where everyone can see.
The website type is a personal portfolio website that showcases my projects and more.
So, would it be okay to upload my entire Django Project to GitHub? The only sensitive information I can think of would be my superuser information, and maybe my database, where I store all my project Models for displaying on the website. Pretty much all I know I need to guard is my superuser information
The django secret key should not be publicly available (see https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECRET_KEY)
Many sites use an environment variable to set the key.
So your settings file could have something like:
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY', '')
Have a look at https://github.com/jpadilla/django-dotenv.
You can set your secret_key inside a .env file which you should add to your .gitignore. This means it will not be tracked or added to any git commit, hence, won't be shown in Github.
I have been reading a lot of django articles, including the official doc. Occasionally, I would see multiple instances of an app being mentioned without going into the details of it. This leads me to start thinking what are the uses/applications of having multiple instances of an app. A few examples would be appreciated.
In the section URL Dispatcher of the official doc, I read:
The Django Admin is deployed as instances of a AdminSite
Why multiple instances are needed here?
You could for example make another instance of AdminSite available under a different url than /admin - you could for example register different ModelAdmins with this second instance or have it customized in a different way. In the Django documentation you will also find some attributes of AdminSite that give you the possibility to customize it.
Also there can be use cases where you would need to subclass AdminSite to give it the properties you desire...
Say you design an app that creates a forum with categories, sub-categories, user profiles etc. Now company A that makes cars wants to use your software without going through the trouble of hosting it. So does company B that makes bikes. You could host both of them as multiple instances of your forum app.
Another example would be something like Google Apps that can be hosted on your domain. Each separate instance contains email, docs & a lot more. You can add whichever apps you want.
Django has its well designed admin site which is normally located at your-site/admin.
The interface is very powerful. However, you have to set permissions if you have multiple users with different rights and you have to modify a lot if the user asks you for very customised features.
So now my questions are:
should I build my own login site to provide website-specific features?
is there any already built package which I can re-use and add my own features into it?
When I need to use (and probably customize) a login application I always use django-registration.
It is a very complete app, I has email activation key and some other interesting features. And if you want to add/modify some new functionality you just have to create a new backend (you can inherit the common behaviour from the default backend.
https://bitbucket.org/ubernostrum/django-registration
https://github.com/nathanborror/django-registration
Hope it helps
You can create User Groups in django-admin to simplify assigning permissions instead of setting permissions to individual users.
Django-admin has a number of limitations, but there is a lot of extensions to manage them.
The app django-userna will take your pain away.
http://django-userena.org/
But personnaly i use Pinax. When i start a project all account (login/password reset/email management etc ...) is built in and i can focus on what makes my project different instead of reinventing all the user management stuff.
I want to restrict access to all but a few selected files per a user, but if I type: /media/userdocuments/FILENAME django happily spits back the file for even users who aren't logged in. How can I integrate the permission framework to work around this?
Thanks!
EDIT: I realize that the django development server is insecure, so I guess the question is: How would I do that in a production environment with apache, lighttp, etc.
Use RewriteMap along with a script that connects to Django and verifies permissions, rewriting to a "disallowed" URL on auth failure.