Use case:"
I have a the standard user model that have a Userprofile model that contains among others the field region that is a ForeignKey to the Region model.
Users can be in permission groups that are standard for Django.
In django-admin user model page the user kalle in the site-admin group can see all users. The user pelle is in the regionA1-admin group can see all users who have their userprofile region set to regionA1."
What is the best practice in django to handle this use case in a secure way?
And it could be other models than User. Regions can be added and deleted. Region is used in this case but could be one or more fields that form the criteria. This shall only apply to the django-admin interface and not when interacting with the database on the regular site.
Related
Example(not true example):
I want the superusers to have to save on register their username and email.
and the normal users to save username, email, and a number(unique=True).
I wanted to use the user models django has, but I don't see how when the number has to be unique? or rather I originally wanted it to be the primary key, but only for normal users. Do I have to manually make two different user classes along with the permissions, authentication etc.? or is there separate user models for admin/user in django?
I tried(as a complete amateur, new to oop and django)... after gave up on using it as primary key, bc AbstractUser is fly.
Tried with onetoonefield, but couldn't make a combined form with UserCreationForm, bc "too many fields error". Also weird to have an important part of the user table be in a different table (or is it?).
something like (not 100% accurate):
#in models.py
class AdminUser(AbstractUser):
username
email
class NormalUser():
ontoonefield(AdminUser)
number(unique=True)
#in forms.py
class NormalUserForm(UserCreationForm):
class meta:
fields
class onetoonefieldForm(NormalUserForm):
class meta:
add_field += (number)
tried playing with required_fields, but again... number is unique
tried making two abstractUsers... permissions errors
thought about just making it non-unique and just checking on db insert that it's unique, but that seemed like a risk to the database, when it's vital it's unique.
Thank you for listening:)
Have a great day
Do I have to manually make two different user classes along with the permissions, authentication etc.? or is there separate user models for admin/user in django?
Django uses one built in User model and distinguishes three types of users using the attributes is_staff and is_superuser.
Normal user: is_staff=False, is_superuser=False
Staff user (can access the admin interface): is_staff=True
Super user (can do everything): is_superuser=True
If the default user model does not work for you, you can extend it or replace it.
Having the user decide their primary key, is not the intended default. The primary key is usually decided by the database, which also handles the uniqueness. If you would like to assign a unique number to each user, such as a customer number, I suppose it is easiest to extend the user model with a user profile.
I have a User class, and each user has a PersonalInformation model and a Profile model.
In my admin panel I have:
AUTHENTICATION AND AUTHORIZATION
Users
Groups
USERS
Profiles
Personal Informations
Users have a ONE-ONE relationship with 'PersonalInformation' and 'Profile', but the two models do not have a relationship.
So I can view the Users, the PersonalInformation and Profile models separately, but I want to join them so I can view all one users information on one page.
Thank you.
I want to add more fields to django built in admin user model. How can I achieve it?
Actually , There are three users on django server, student , teacher and parent. And by adding a 'role' field to user model, I can identify which type of user is log-ged in . So how can I extend the model field.
I'm expecting to identify different role of users in login.
I have an model named Customers(username,password ..etc) and also an model named User(username,password...etc).
I want to create two different APIs with different authentication.
One should authenticate with the User username,password
and the second should authenticate using the Customers username,password.
Any idea on how can I do this?
Thank you!
I suggest the following options:
1.
I am assuming User model is the "real" user of your app. If this is true use the django's default User model class. It will work out of the box.
For the Customer model, make it inherit from AbstractBaseUser, this will give you password functionality out of the box and you can add other fields as per your need.
Now you can create 2 different urls for login. 1 url for user which checks in the User model and the other for the customer model. This avoids any confusion for everyone.
If you prefer a single url, you have to mention the model class along with username and password to know in which table to verify them.
2.
Create two profile models: UserProfile and CustomerProfile
Each will have a one to one relationship with the django's default User model.
Basically a User can have the profile of a "real" user or of a customer.
In this case when you are creating any User you have check if you want to attach a UserProfile or a CustomerProfile.
In this case it makes sense to just use a single login url. From the user's login information you can first fetch the user from the User table and then check if it is a customer or not by running a query in the CustomerProfile table.
I recommend you to use the django.contrib.auth.user class for your classical authentication. You can either inherit from that class or add a OneToOne relation to your own model as follows
from django.contrib.auth.models import User
class YourUser(models.Model):
user = models.OneToOneField(User, on_delete=models.CASCADE)
For the rest of your question you should add some more details and even some pieces of your code.
Say that you have an application where different kind of users can sign: Firms, Lawyers, and Clients. A Firm has many lawyers; a lawyer has many clients. The views for a firm user are, of course, different from the views of a lawyer user; the two are different from the client user.
How would you model the three different users? I can think the following approach:
Three different models with a ForeignKey to User, each with their own fields, e.g.:
class Firm(models.Model):
user = models.ForeignKey(User)
class Lawyer(models.Model):
user = models.ForeignKey(User)
specialty = models.CharField(max_length=100)
class Client(models.Model)
user = modelsForeignKey(User)
Now you can create, for instance, consultations as a separate model using two ForeignKeys: to Lawyer and to Client; you can also add resources to a consultation (like documents, or stuff like that) by creating a model Resource with a ForeignKey to Consultation.
This approach makes it difficult to distinguish among users: how do you know whether a user is a Firm, for instance - you need to query the database several times or assign a Profile to the generic User object.
You could also add only a Profile to the User and include a Role, and then you channel the views and authentication based on user.get_profile().role.
How would you deal with this problem?
I would do what you suggest here:
You could also add only a Profile to the User and include a Role, and then you channel the views and authentication based on user.get_profile().role.
Create a profile with a choice field for the role. Create some decorators like #lawyer_only that make sure that your views are only accessibly by Lawyer role users.
You could also consider subclassing the User model (model inheritance):
http://docs.djangoproject.com/en/dev/topics/db/models/#model-inheritance
You will have to go with the option of multi-table inheritance http://docs.djangoproject.com/en/dev/topics/db/models/#multi-table-inheritance since the User class is not an abstract model.