I have several notifications that can be sent out from my Django application for users. These users are managed with the django.contrib.auth app.
I need to keep track for each whether the user has specified he/she wants to get that notification.
Where should I save this information?
I was going to create my own custom table but I've seen perhaps I can save that information somewhere in the auth module?
User Profiles are a good way to go.
https://docs.djangoproject.com/en/dev/topics/auth/#storing-additional-information-about-users
Set up a model with a OneToOneField to your User object as described and you have easy access to an arbitrary table of extra information.
PS: Heed the note about the fact that profiles are not automatically created. There is an example about how to use a Signal to automatically create one whenever a User is created.
Related
I want to be able to allow certain staff users the rights to add other users and staff but what seems weird to me is that 1) a staff member can just change their own privileges to superuser or just make a new user and grant superuser privileges to them. 2) delete a superuser or revoke their superuser status
Some staff users should be able to modify/create/delete users but they should not be able to delete super users nor assign permissions to themselves or other users that they do not have the permission themselves.
This has always been logic I have incorporated into my user systems that I've written in PHP and I was just wondering if there was a way to change these settings in Django as I really like Python/Django (I'm just beginning to learn it) and can see myself migrating away from PHP. But part of the beauty for me lied in the admin panel and if that is something that cannot be changed, that's kind of cringe-worthy.
It reminds me of a restaurant POS system that I used to use when I was a GM. As the GM, I had powers that shift managers did not have. However, the shift managers could add a fingerprint to my profile (theirs) and then just log in as me and do anything they wanted to. I always felt this was a severe security breach and even took disciplinary action on an employee for doing this. It also allowed the shift managers to create new employees with titles that were above theirs which created the same problem as they could just create a new GM or Area Manager, login, do whatever they wanted, and see all kinds of things that they shouldn't (like their colleagues' salaries), and then hide (not delete) the user. (this is how he got caught)
If anyone has a fix or any ideas and suggestions, I'd love to hear them and keep learning this exciting new language. Thanks in advance!
Django admin is a basic CRUD system, it is not recommended to use in that way. Django views (your custom views) give you more power to control the process.
First of all, Django Permissions might be a good start point. Create Groups for user types and assign desired permissions for each group. Do not give permission for non-superusers to change group or permissions.
Second thing is using Django Signals to check data before saving it. For example, a pre_save signal for User creation can be used to check if is_superuser, is_staff values of the user are set by non-superuser. You can add added_by value to the user model and verify your checks using this value.
Also, using custom forms for Django admin is also possible and might be the simplest solution for it. Just make a custom form for creating and editing users and verify changes in the form directly before allowing the view to save anything. It is also possible to inform user that they don't have access for changes they made and also notify the management about the attempt.
(amazing, I have not found such a question yet!)
I deleted part of my users in the db, and accidentally also the AnonymousUser-instance.
How do I restore him? (well... him or her, for the sake of political correctness :-P)
I do need an instance of him in the db, right? (so far, by quickly browsing my site, I have not run into issues). What would be the problems without him, by the way?
But there is no AnonymousUser.objects-manager to create one. And save() is not implemeted anyway, like the docs say. So do I drop the users table and migrate? Will it help and/or can I proceed differently?
Thanks a lot :)
Anonymous user is an instance of django.contrib.auth.models.AnonymousUser and is created on the fly when the auth backend does not found any authenticated user in session and it is not stored in the database, hence save is not implemented on this and id is always None as the doc states.
Update after comment
django-userena uses django-guardian to manage per object permissions, and django-guardian will create this user automatically listening to signals.post_migrate signal. So simply run migrate command and you should have your so called anonymous user back (This is not an instance of django.contrib.auth.models.AnonymousUser it is an actual user instance of your user model).
You can disable this behavior altogether depending on your needs, check django-guardian docs.
Django has an authentication and authorization scheme baked in ('django.contrib.auth') as well as modelforms to generate forms for easy input of data into the database.
I'd like to be able to record who created a record, leveraging django.contrib.auth, with the explicit purpose of limiting editing of that same record to just that user and/or people with an "edit" permission. I know that I could use the #user_passes_test decorator to restrict access to editing my record in some fashion, but I don't know what I would compare the request.user.name to in order to determine if the current user originally created that record.
How much of this do I need to roll on my own? Do I need to capture the name author, save it to the model, and then read it - or is there something already in the framework that would do this for me?
And, if I was to attempt to save the author in a field, how would I go about doing that in such a way as to not let the user edit their own credentials?
There are a couple of apps to do something similar, please check https://www.djangopackages.com/grids/g/model-audit/
About the last questions, to prevent the user not to edit its own credentials, you can mark the field with editable=False so it wont appear in the admin or ModelForms.
So I want to keep track of about 100 employees but only five of them should be able to log in into the backend (the rest starts with no loginpossibilities at all) what's the best way to solve that problem ?
I thought of an EmployeeModel that has a 1to1-relation to an abstractBaseUser but is that the way to go or is there something easier ?
~Max
Why not make use of Django 1.5's new customisable User model and model each employee as a user with an extended profile:
In Django 1.5, you can now use your own model as the store for user-related data. If your project needs a username with more than 30 characters, or if you want to store user’s names in a format other than first name/last name, or you want to put custom profile information onto your User object, you can now do so.
By making each employee a "user", you have the balance of being able to control their ability to login (using is_staff) as well as being able to add as much employee profile information that you need.
Why not just have FK from employee to user if an employee has an attached account?
Don't go for over customisation as this can be easily achieved easily using the built-in tools. Make the login_page require a permission suppose say "can login". And just make these 5 users have those permission. So rest will automatically get a permission denied response when trying to login.
I've recently started using Pushover.net, I've done some searching and can't find any examples of it being integrated with a django project.
Since i can't find any examples I've decided it would be fun to try myself. What I'm interested in is how you would suggest I do it. I want the actual pushover part as decoupled a possible, hence doing it asas an app.
What I'm not entirely sure on how to approach is the user authorization. The idea being a user enters their pushover user key and its saved in a user profile model using django's AUTH_PROFILE_MODULE with some functions such as has_pushover but obviously I'd like some security so the user keys aren't stored in plaintext. What do people suggest for this?
Is there some inbuilt django security I can use?
In the past when I've needed to encrypt Django fields I used the encrypted fields available in django-fields. You could use one of these on your UserProfile model and define a has_pushover() method on the model which basically returns whether the pushover token field is None or not.
I'm guessing because you're talking about storing each user's Pushover token you are wanting to build an app for pushing arbitrary notifications to your website's users? This is in contrast to having the website just push notifications to yourself for site events.