I am working on a database project for different users in Django, but I don't understand nearly enough about the idea of groups and permissions to know where to start for allowing users to collaborate on projects.
Essentially, I want each project (and its entries) to be owned by the person who created it (this part I have covered), but I also want users to be able to add usernames for other users onto each project (and its entries) so that other users can view the project, the entries, update them and create new entries for that project.
Also I want it to display only projects & entries that the user has either created or is a collaborator on.
I've never worked with permissions before and while I'm reading through "Using the Django authentication system" I'm not having much luck getting my head around it. Are there any good writeups on how to incorporate this or maybe something from another perspective or a tutorial?
I had originally made a text field column where a user could add usernames of fellow collaborators, then the views would check it and if one of the usernames matched the logged in user, it would allow them to view that project, but it sounds like this is not the secure way to go.
Thanks for any help.
Related
I want to be able to allow certain staff users the rights to add other users and staff but what seems weird to me is that 1) a staff member can just change their own privileges to superuser or just make a new user and grant superuser privileges to them. 2) delete a superuser or revoke their superuser status
Some staff users should be able to modify/create/delete users but they should not be able to delete super users nor assign permissions to themselves or other users that they do not have the permission themselves.
This has always been logic I have incorporated into my user systems that I've written in PHP and I was just wondering if there was a way to change these settings in Django as I really like Python/Django (I'm just beginning to learn it) and can see myself migrating away from PHP. But part of the beauty for me lied in the admin panel and if that is something that cannot be changed, that's kind of cringe-worthy.
It reminds me of a restaurant POS system that I used to use when I was a GM. As the GM, I had powers that shift managers did not have. However, the shift managers could add a fingerprint to my profile (theirs) and then just log in as me and do anything they wanted to. I always felt this was a severe security breach and even took disciplinary action on an employee for doing this. It also allowed the shift managers to create new employees with titles that were above theirs which created the same problem as they could just create a new GM or Area Manager, login, do whatever they wanted, and see all kinds of things that they shouldn't (like their colleagues' salaries), and then hide (not delete) the user. (this is how he got caught)
If anyone has a fix or any ideas and suggestions, I'd love to hear them and keep learning this exciting new language. Thanks in advance!
Django admin is a basic CRUD system, it is not recommended to use in that way. Django views (your custom views) give you more power to control the process.
First of all, Django Permissions might be a good start point. Create Groups for user types and assign desired permissions for each group. Do not give permission for non-superusers to change group or permissions.
Second thing is using Django Signals to check data before saving it. For example, a pre_save signal for User creation can be used to check if is_superuser, is_staff values of the user are set by non-superuser. You can add added_by value to the user model and verify your checks using this value.
Also, using custom forms for Django admin is also possible and might be the simplest solution for it. Just make a custom form for creating and editing users and verify changes in the form directly before allowing the view to save anything. It is also possible to inform user that they don't have access for changes they made and also notify the management about the attempt.
I am new to django. I want to edit default user auth_permissions. More precisely I want to add an integer field in addition to "label", "code" features to distinct permission types (like strong, moderate and etc.). So far I could not find anything like this. I tried to make custom permissions, but could not add them to the permission database. Anyone could help me?
Per Object permission
When i first got into django i also tried relying on the permissions framework within django, I also found the permissions were too broad and inefficient, which lead me to researching django-guardian, I tried to submit an edit to the Django project itself to make more object-base permissions with no success, they said as per object permissions were too personalised for the framework.
The thing is, after getting to work in the industry i realised how people do these permissions in the industry (which honestly was something that bugged me), they mainly create custom login middlewares to keep track of authentication types and add the checks on the view itself. So basically you will have to check in the view who the user is and if you want to give them permission to whatever.
When in MIT they kept asking me to make some weird permissions and I created a table called ExtraordinaryPermissions, this had a ForeignKey to the user and could be used to check within the views what objects the user had access to
It is troublesome, but as-per-object permissions are handed this way in the industry
good luck
I am building a website where you can keep your private portfolio, logs, etc using Django.
All courses, documentation, I came accross so far give all users the possibility to view all entries made by all users (e.g. blog, posts etc.). However I want to restrict any user from viewing & READING other users' data.
How can this be best achieved? Is there an extension available? I know that django doesn't have row-level permissions, but there are extensions for that available such as Django-rules.
In my case however I want restrict a user from viewing other users' data. In other words, a user can only see his/her porfolio and is also not in any way able to CHANGE, UPDATE, DELETE any entries which is not its own.
I found that django-guardian does the job.
I want your help to solve a problem in a site.
I know that when a user makes a subscription in the site through joomla log in form , it is stored in a table in sites database.
I want to the user to be stored in a custom table that I will make and it will be somewhere in the site.
The result I would like to be like this:
The site is for a school. Each student will made a subscription and his/her name will be stored to a table with lessons of the school. The teachers will log in the site and they will have to put the test results of each student in each lesson in this table.
it will be like:
lesson 1----lesson 2-----lesson 3
user's name 1-------- grade----grade----------grade
user's name 2-------- grade----grade---------- grade
You will need to look into custom component creation. As it is quite a simple component, the available component creators may do most of this for you. However it makes sense to understand the basics of how a component works first so that you know how to tweak and test it.
Simple components like this are ultimately just data entry into a single table, which is what most tutorials will cover. Components get more complex when interacting with other components or require more tables.
If students do not need to log-in to the site (and if they are unlikely to in future), then they do not need to be made users, but rather can just be a component item which is created by the teachers when they enter the data. If students need to log-in, then the id of the #__users table should be the match field in the new table.
When adding users to a site, it is important to make sure their permissions are set correctly so that they cannot access inappropriate data or make changes that they are not permitted to.
Also : If you are storing private information, it is particularly important that you keep Joomla patched for security - 2.5 is now rather out-of-date.
I'm doing my first steps with ColdBox and I just got stucked. I have two database tables, users and firms and each user belongs to one firm. After a user logged in to the application, he can list every firm, but can only edit the firm he belongs to.
So how can I manage that the user only has an edit link for his firm? And how should I secure the firm handler and edit action?
I'm working with ColdBox VirtualEntityService and Coldfusion ORM. Should I write a function in the UserService which validates the users permission?
Your edit permissions should be part of the session somehow and your view should contain some logic as to wether a firm is "editable" and display the edit link. Of course your controller will need to double check the user permissions when someone actually uses the edit link to make sure they do indeed have the permissions they need.
This seems like a sort of "standard logic" question and has not so much to do with Coldbox. I'm not a CB expert but I don't think there's something specifically native to CB that handles your case. This is simply about writing good controller and validation code and figuring out what to store in your users session.