Django Multi-User logins - best approach? - django

I'm currently developing a Django site in which users can have multiple 'accounts', so that they can seamlessly switch between different public profiles when interacting through the site. What I'm designing is likely to attract multiple registrations per person (and won't be discouraged), I just would like to offer this in such a way as that users can keep the profiles tied together, switch easily and only have to log in once.
The two approaches I've thought up so far include:
One (User model + SiteProfile model) pair and many PublicProfile models per person. AUTH_PROFILE_MODULE is set to point to the SiteProfile model. Issue with this is that I can't easily use per-object permissions: these will be set on the User object and not the public profile, thus permissions to see a page for "PublicProfileA" will also be applied to when the user is masquerading as "PublicProfileB".
One Account model and many (User model + UserProfile model) pairs per person. AUTH_PROFILE_MODULE is set to point to the UserProfile model. This would have the added benefit of the permissions working as intended, and that I can simply have a Custom Backend that will switch users by authenticating a user by if they are currently logged in as another user that has the same Account object as the Foreign Key. Authentication would happen by reading fields on the Account object though, which would mean the password field on every User object would be wasted.
As above, but subclassing Account from User. I've been advised strongly against this though (for reasons unclear).
Is there any pitfalls or better approaches to this? Ultimately, should I use the built-in User model as the one-per-person model that identifies a group of public facing profiles (of which these profiles have a FK back to the User object), or use it as the profile itself, linking back to a single Account object for each person?

Yes, I think the best approach would be to have one and only one User per person and several PublicProfile objects that they can "switch" between. This gives the benefit of only one username/password for them and seems to make the most sense with how Django's auth typically works.

Related

Maintain Two Types Of User

So I have a requirement where I have to maintain two types of users.
A company and all of its users, to manage day-to-day work. And also create public data like showing a few items and related images and set availability for meetings and more.
Public user who can see the items, images. and can book the meetings.
Now for the first case, every user is created by official email and password as registeruser endpoint from rest-framework. there is user profile and other company data.
For the second type of user (public), I have to give access for social login as well as login by email/mobile (maybe).
I am confused as how to configure this in the best possible way. the company datas' are important.
Should I create both user types in the same database (differentiating by user types)? or should I use a seprerate database then how to fetch data from two databases (never done this)? Also to keep my datas safe from unauthorized access.
Or is there a better way to manage all of my requirements which I'm totally unaware of? Like a better approach.
Looking for an explanation from an experienced person.
Thanks
Maybe what you want is creating a custom User model (or even keep the default one) and implement permissions on views/ressource. This can be implemented by groups, for instance, the public group, in which everyone is (can be public or even no groups) and the private group.
Once you can differentiate between your users, you can add a reference to a ressource and its subressource to the group (ForeignKey on the group) and filters necessary queryset laters on your view. On certain view, you can also restrict some endpoints, through permissions.
Another way would be to use Object Permissions.
Anyway here are the ressources :
https://www.django-rest-framework.org/api-guide/permissions/ (and django-guardian for object-level permission)
and
https://docs.djangoproject.com/en/4.0/topics/auth/default/#permissions-and-authorization
Also, you can take a look on how it is implemented on a opensource project like Sentry: https://github.com/getsentry/sentry/blob/master/src/sentry/api/endpoints/api_applications.py

What's the best way to model for various user access

I'm working on a rewrite of an app that has three categories of users
and I'm wondering about the best way to link them to the
authentication system:
In-House Staff,
Contractors,
Customers who interact via the app.
The in-house staff model doesn't store any address info. Contractor
and Customer have some common attributes (address, phone number,
email, etc.) but they have completely different relationships to the
rest of the system.
In the current version I have discrete models for each type and I
manually maintain a link to the equivalent of the user profile table.
But I don't have model inheritance available in the current system.
My question is, do you have any general advice for this and how would
you link it to the existing Auth system, or is there a 3rd party auth
system that you'd recommend I look at.
Thanks.
What you could do is make the user profile model polymorphic. So that whenever you create a user you can add one of the user profile "types" check out: https://github.com/specialunderwear/django-polymorphic-easymode
its documented nicely and always worked for me.

Contrib.auth for occasional inquiries?

I have developed an app for school management. Teachers and others roles have an account (django user) to control student attendance, Behaviors issues, etc.
Student is a model itself. Teacher is a User proxy.
At this moment I'm ready to extend the app to allow parents access to children information (is cruel, but for the sake of students ;)
I'm evaluating this alternatives:
Make a simple php app only for parent access (with dedicated db user
and views). It seems secure but I don't like php.
Add a password field to Student model and build my owner authentication system. I
don't like to have a 'django authenticated student'.
Integrating Student authentication with actual auth schema. I don't like this for
security reason, this means to check all views security, and this mix teachers and students.
Create a new django application only for students (and parents) with two databases, the 'school' database and a new one with auth for students
What is for you the best way to authenticate parents before to see children information?
Any suggestions are wellcome. Thanks a lot.
Ah! I think that is easy that parents forgot passwords.
School has over 800 students, app store more than 1milion of presence cheks for year, lot of Parents interviews, ...
Django contrib.auth models incorporate groups and permissions in addition to user accounts. In fact regular django users and django admin users share the same model only with different permissions.
Considering, the default authentication model (from a security standpoint) is already shared with much bigger consequences in case of a breach, I don't see a reason why you shouldn't have students authenticate with the same model and just assign them into a separate group and manage their permissions. Your security will not be worse or better from what it already is.
As far as development side goes, all you have to do is simply use decorators on the view handlers which are Teachers/Parents only to limit student access to them.
See: Permissions decorator
If for whatever reason this is unacceptible (although I cannot surmise a reason from what you said), you will have to do either:
Write your own middleware that injects itself into contrib.auth (reinvent the wheel)
Use an external system to verify permissions (completely orthogonal to Django's approach and will actually complicate your system much more than to use integrated contrib.auth)
Additional down side to doing your own authentication system is that you now have to worry about all kind of security issues that Django solves for you (like CSRF protection, SQL injection/escaping and many others). Not to mention bugs that can creep in vs. using tested and proven code/model provided by contrib.auth.

Should I ForeignKey to Django User or a Profile model?

I'm wondering what people's thoughts are on joining models directly to the auth.User object vs to the user's profile model.
I'm storing some different types of models which my user are adding in my app. App users will search for other users via criteria on these models.
On the one hand, I'm thinking that if I join straight to User then I won't need to do request.user.get_profile() each time I need to grab the User's records, and it doesn't presuppose that a User always has a profile (they do in my app at the mo, but still). This leaves the profile model as just containing the user's contact details.
On the other hand, I imagine I'll most likely need values from the Profile (eg name, location) when I'm looking up these other models.
No doubt either will work, so maybe it doesn't matter, but I just wondered what other people's thoughts were.
Thanks!
Ludo.
I would also recommend creating foreign-keys to the User model. It just makes your life simpler when working with the user object in the view, for one. So, you can do things like request.user.foo_set, etc. without having to go through the profile model.
In general: If you want to make your apps reusable, always create foreign keys to User model.
As you already said, in most cases you will need User as well as Profile instance, so to prevent multiple database queries, use cache.
If reusability isn't relevant, create foreign key to Profile and use select_related() to get User instance with single query.

Django - User profiles of different types

I have a Django application which allows different kinds of users: firms, administrators, external people etc. Of course all of this is easy to manage with the default authentication system and groups.
My problem is that users belonging to different groups will have different related information - for instance firms will need to provide some commercial information that does not make sense for private users. Hence I need to attach different kind of profiles, depending on the group. (In my application groups are mutually exclusive.)
Unfortunately, Django only allows a single model to be attached as a profile, and that model is declared in settings.AUTH_PROFILE_MODULE. Internally, that is retrieved by the User.get_profile() method, which basically just reads this value and performs some checks, for instance that the model actually exists.
I was thinking of subclassing User and overriding the get_profile() method, so that it returns a different model depending on the group.
Is there a simpler/cleaner way to manage different kind of profiles?
What I am proposing seems a little hack, considering that user profiles were introduced exactly to avoid having to subclass User.
Create a model with OneToOneField to User and related_name.
E. g.:
class Firm(models.Model):
user = models.OneToOneField(User, related_name='firm')
# other fields
class External(models.Model):
user = models.OneToOneField(User, related_name='external')
# other fields
Then you can check the existance of this attributes in user (if hasattr(request.user, 'firm')) and return proper instance. I'd put it in custom middleware, which would set request.user_profile for example.