How to get user permissions of user currently in Django admin site - django

I have certain fields that I would only like displayed to certain admins when they are in the admin site. I am looking into using list_display to do this but first need to figure out a way of determining which user is currently viewing the admin site.

Unless you pass the request object everywhere, the solution is generally to use thread local storage and some middleware that updates the value on each request.
http://djangosnippets.org/snippets/2179/
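Added example, not part of the original answer or the linked snippet: a minimal version of the thread-local middleware pattern described above, with the slot cleared after every request so that a reused worker thread never carries one user's identity into the next request. The helper visible_columns, the permission name shop.view_cost and the FakeUser stand-in are hypothetical and constructed for illustration.

```python
import threading
from types import SimpleNamespace

_state = threading.local()  # one independent slot per worker thread

def get_current_user():
    """User bound to the request this thread is serving, or None."""
    return getattr(_state, "user", None)

class CurrentUserMiddleware:
    """Django-style middleware; list it after AuthenticationMiddleware,
    which is what sets request.user."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        _state.user = getattr(request, "user", None)
        try:
            return self.get_response(request)
        finally:
            # Worker threads are reused: clear the slot even when the view
            # raises, or the next request could inherit this user's identity.
            _state.user = None

def visible_columns(base, restricted, perm):
    """Hypothetical helper: columns the current user may see (fails closed)."""
    user = get_current_user()
    if user is not None and user.has_perm(perm):
        return list(base) + list(restricted)
    return list(base)

class FakeUser:  # constructed stand-in for django.contrib.auth's User
    def __init__(self, perms):
        self.perms = set(perms)

    def has_perm(self, perm):
        return perm in self.perms

def demo():
    """Run two constructed requests through the middleware."""
    view = lambda request: visible_columns(["name"], ["cost"], "shop.view_cost")
    mw = CurrentUserMiddleware(view)
    auditor = mw(SimpleNamespace(user=FakeUser({"shop.view_cost"})))
    clerk = mw(SimpleNamespace(user=FakeUser(set())))
    return auditor, clerk, get_current_user()

if __name__ == "__main__":
    print(demo())
```

Inside a ModelAdmin the request is already passed to hooks such as get_list_display(request), so the thread-local is only needed in code that receives no request argument.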

Related

How to structure django admin for multiple users

I'm still a complete newbie on Django, so now I'm a little bit lost on what I could do to structure my server to suit my needs.
The situation is like this: my Django admin could be accessed by the admin and multiple users. Each user can add multiple items to the server, and the server will only allow them to retrieve, modify and delete items added by them and not by the other users. They will also have some custom options they can pick, like receiving notifications through email or other channels. Meanwhile, the admin can see all items, and has a filter to see all items added by one user and all users' custom options.
Any help would be appreciated.
Take a look here. This is where I started with custom user models. https://wsvincent.com/django-custom-user-model-tutorial/
Django has built-in user models with basic fields like username, email and password, and authentication. The above link will help you create custom user models and it will be a good place to start.

Django-allauth How to Ban Certain Users?

I'm using django-allauth for my Django web app. How can I ban certain users from logging in or restrict certain actions after they log in for a period of time?
Should I just deactivate their accounts outright? What are some good solutions?
Normally for Django authentication you would set the user object's is_active attribute to False and the user wouldn't be able to log in (into Django admin, for example). But you're using allauth, so simply setting the is_staff attribute would be enough to block them from entering Django admin, for example.
Now, if you're implementing another type of frontend dashboard or need to set rules for how a user logs in, I'd say you should use AccessMixins if you're using CBVs or decorators if you're using FBVs. Especially the UserPassesTest mixin and the user_passes_test decorator. With them you can check if a user complies with a certain rule and then allow them to log in or not. Check the docs here.

How to check session for all views in Django?

I set session["UserID"] for the user's login status in the login page view after the username and password pass verification.
Then I need to check if the user is logged in within every other view, such as the home page, the shopping bag page and so on.
My question is, can I check it just for one time and where should I write it? Are there some methods triggered before the views called?
"My question is, can I check it just for one time and where should I write it?"
You do check it one time; providing you are using Django's built-in authentication method, the whole handling of users is done for you. You don't need session user IDs, since Django handles the user through requests with its auth middleware.
Once logged in, there will be a user as part of the request object, which will be either an AnonymousUser if not logged in, or an instance of your user class if you are logged in.
"Are there some methods triggered before the views called?"
Yes, middleware. You could write your own custom middleware, but I don't really think you need it.
"I check the login status within the MASTER PAGE in ASP.NET and it can control all the other page which import it."
I haven't really used ASP.NET, but again, you don't need to do this; Django handles its users for you (providing you're using built-in auth tools).
See Limiting access to logged-in users and the functions and properties available on the user class

django staff users manage their own users only

In my Django app a user can register to the site and receive staff_user privileges from the admin.
After that the staff user can create and manage some other users (normal users) using default django admin site.
Now, I would like to let the staff user see and manage only the users he created from the admin site; I don't want him to see other users created by another staff user.
How can I do that? I imagine I need to modify admin.py, right?
Don't modify the admin site.
In general, you have the following tools available:
Create groups
Add users to groups
Create custom permissions on your models, to indicate certain actions
https://docs.djangoproject.com/en/1.4/topics/auth/#custom-permissions
However, what you are asking, "Now, I would like to let the staff user see and manage only the users he created from the admin site", is not possible in django-admin.
The Django-admin site is only intended as a glorified development tool for fully trusted users, not as a customizable app for end users.
If your project requires an admin site with any of the following ...
Customized administration functionality.
Exposure to any user that is not completely trusted.
... then I'm afraid you have to create your own custom app.
You can replace the stock UserAdmin with your own which overrides queryset() and does the filtering. The bigger issue is what to filter by. The default User model does not store a "created_by" in the model instance. So you would need to add this information whenever a User is added.
How best to do this depends on your Django version.
Django 1.5 introduced a "Configurable User model" which makes this very easy.
https://docs.djangoproject.com/en/dev/releases/1.5/#configurable-user-model
In earlier versions you would either have to monkeypatch the User model, or store that information in a separate "user profile" attached 1:1 to the User.
https://docs.djangoproject.com/en/dev/topics/auth/customizing/#extending-the-existing-user-model
Regarding the trusting of users (which wasn't a topic but I feel the need to comment on thnee's answer) in the Django admin, check out the links in my answer here: Should I use Django's Admin feature?

Django admin - limiting access to objects based on the user logged in

I'm working on creating a simple website for an exhibition. It's intended to use django with django CMS as much as possible - so Django admin site will be used.
Now I want to limit user's access to objects they can view/modify/delete.
There's going to be an Admin user, who can do all that admin can in django. But there are going to be Exhibitor types of users, who should be able to only see/modify their own objects (like - Page and Offer, they both would have an ID of the Exhibitor who's their owner).
Can this be done on the model level in django? Best would be to have some method that would take a logged-in-user instance and return the list of objects that this user can see.
There used to be a Row level permissions branch but it appears to have died off before gaining any traction or hope of being included into the trunk, so unfortunately that is out. That link does, however, give you a bit of a hint as to how they claim the admin app currently supports it via the ModelAdmin class.