I have extended the user model in my project and need to update one of its fields (last online) whenever a user has authenticated. I use DRF with IsAuthenticated in the permission classes; what is the best way to trigger the update event?
Let's say I am building a social networking website that has nothing to do with admin and superuser. But I still have to include these fields while making a custom user model. This is going to be a simple model that holds the user's profile information, not whether the user is admin or superuser.
Can anyone explain why we always need these fields to be there? Can we get rid of them and still create a custom user model, or do we always need them?
There is no constraint mentioned in the Django documentation that the AUTH_USER_MODEL specified should have is_superuser or is_staff flags. The minimum requirements for creating a custom user model are specified here
It is up to your business requirements to decide whether or not to follow them. But if your auth model does not have those flags, then it will not be possible for even you (the admin) to access the admin portal. So there is no harm in having the flag turned off for everyone.
In a Django project, there is a default User model, because in the database there is an auth_user table:
So, when I create the User model in models.py, should I inherit from Django's User or from models.Model? I ask because I need to use permissions in my project.
EDIT
And what is Django's User model? Is it django.contrib.auth.models.AbstractUser?
How to customize permissions: https://docs.djangoproject.com/en/1.11/topics/auth/customizing/#custom-permissions. In terms of editing the default User model, you can either extend the user model or customize it, but normally you should extend it, because then you don't also need to customize the authentication system; Django already provides a default authentication system associated with the User model. But if the default authentication system or User model doesn't fit your needs, you can also make your own User model and authentication system; check this for details: https://docs.djangoproject.com/en/1.11/topics/auth/customizing/#substituting-a-custom-user-model
Is it possible to conditionally register or unregister models in django admin?
I want some models to appear in Django admin only if the request satisfies some conditions. In my specific case I only need to check if the logged-in user belongs to a particular group, and not show the model if the user (even if superuser) is not in the group. I cannot use permissions here because superusers cannot be ruled out using permissions.
Or, is there a way to revoke permission on a model from even superusers?
Permissions on a model can be managed dynamically in ModelAdmin.
Override the methods has_add_permission, has_change_permission and has_delete_permission.
class MyModelAdmin(admin.ModelAdmin):
    def has_add_permission(self, request):
        # if request satisfies conditions:
        #     return True
        # else:
        #     return False
The same goes for the other two methods. This works for superusers also.
If you revoke all three permissions, MyModel will not be listed on the admin site.
If you only need to hide the model entry from the admin site, simply override the get_model_perms method. You don't have to override the permission methods.
def get_model_perms(self, request):
    return {}
However, this method does not revoke permissions from the model. Even if the model is not listed on the admin site, it can be accessed by entering its URL.
I've tried a couple of approaches locally, including overriding an AdminSite, but given the fact that all admin-related code is loaded when the app is initialized, the simplest approach would be to rely on permissions (and not give everyone superuser access).
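An added example (not code from either answer above) that applies the override approach to every permission hook, so that non-members, superusers included, are refused by direct URL as well as hidden from the index. The mixin name, the group name `moderators` and the stand-in classes used to exercise the logic without a database are assumptions; `has_view_permission` exists from Django 2.1 onward.

```python
from types import SimpleNamespace

class GroupGatedAdminMixin:
    """List before admin.ModelAdmin in the bases; denies non-members, superusers too."""
    required_group = "moderators"  # hypothetical group name

    def _member(self, request):
        user = request.user
        return user.is_active and user.groups.filter(name=self.required_group).exists()

    def has_module_permission(self, request):
        return self._member(request) and super().has_module_permission(request)

    def has_view_permission(self, request, obj=None):
        return self._member(request) and super().has_view_permission(request, obj)

    def has_add_permission(self, request):
        return self._member(request) and super().has_add_permission(request)

    def has_change_permission(self, request, obj=None):
        return self._member(request) and super().has_change_permission(request, obj)

    def has_delete_permission(self, request, obj=None):
        return self._member(request) and super().has_delete_permission(request, obj)

# Constructed stand-ins so the logic can be exercised without Django or a database.
class StandInAdmin:
    """Mimics what ModelAdmin answers for a superuser: every stock check passes."""
    def has_module_permission(self, request): return True
    def has_view_permission(self, request, obj=None): return True
    def has_add_permission(self, request): return True
    def has_change_permission(self, request, obj=None): return True
    def has_delete_permission(self, request, obj=None): return True

def fake_request(group_names, is_active=True):
    groups = SimpleNamespace(
        filter=lambda name: SimpleNamespace(exists=lambda: name in group_names))
    return SimpleNamespace(user=SimpleNamespace(is_active=is_active, groups=groups))

class GatedAdmin(GroupGatedAdminMixin, StandInAdmin):
    pass

def decisions(request):
    a = GatedAdmin()
    return [a.has_module_permission(request), a.has_view_permission(request),
            a.has_add_permission(request), a.has_change_permission(request),
            a.has_delete_permission(request)]
```

In a real project the class would be declared as `class MyModelAdmin(GroupGatedAdminMixin, admin.ModelAdmin)`, so each `super()` call falls through to Django's normal permission check for users who are in the group.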
I have been asked to introduce an unusual case and I'm wondering how others would go about it.
I have users in my Django application. The model is a standard user model, authentication, etc. Each one of these site users can add their own contacts to the system. However, my new requirement is to allow their contacts to set a password (if they want to) so that they can log in to their status page (belonging to that user).
So my question is how would you do this? I already have the contact table (which belongs to one user). I'm thinking of adding in a password (optional) field, but then I'm unsure how to handle the authentication for this, as they are not my users but members of my users (if that makes sense).
One way would be to create another user model for contacts inheriting from AbstractBaseUser, and then create a custom auth backend that would look in both models to log in the user. Finally, you would have to distinguish between standard user and contact user before every action.
That is if contact user and standard user differ significantly in your application.
Or you could just create a custom user in your application that would contain an is_contact attribute. This would be used for both types of users. You would set that as AUTH_USER_MODEL in settings and check the is_contact attribute before every action to determine the outcome. You could return 403 for the contact user if he tries to access what he's not supposed to.
Or, if you use permissions in your application, you could set the contact user's permissions only to view statuses of the users that added him as a contact and nothing else.
By default, by running the manage.py createsuperuser command from the project directory I am able to create a superuser, but the .is_superuser flag is the default Django flag to distinguish a superuser from other users.
I don't want to use that because I am using that flag throughout the application to show the settings menu. Instead, I added a field in my userprofile model, the field is .is_primary_user.
Is there any way to control that, so that if I run the createsuperuser command, it sets the .is_primary_user field to "1" in the userprofile model?
Yes there is, you have to catch the signal of the post_save of the User model, and if the .is_superuser is changed, you also change the .is_primary_user.
As Brian Neal pointed out, you should not use the .is_superuser flag in your application. It is meant to be used along with the Django permission system (a superuser has permissions for everything) and/or Django admin.
EDIT: I haven't tested, but it should be something like this:
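from django.db.models.signals import post_save
from django.contrib.auth.models import User

# method for updating
def update_primary_user(sender, instance, **kwargs):
    # post_save fires after the user row is written, so the reverse
    # userprofile relation (assumed to be a OneToOneField) can be looked up.
    # Skip users that have no profile yet.
    profile = getattr(instance, "userprofile", None)
    if profile is None:
        return
    if instance.is_superuser and not profile.is_primary_user:
        profile.is_primary_user = True
        profile.save()

# register the signal
post_save.connect(update_primary_user, sender=User)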
There are two options as I see it. One is on the post save signals for profile and user. The other is to override the profile save method. The latter will only handle new users.
The post save signal for either the user model or the profile model can be used for updating the profile model's is_primary_user. Then not only when you run the createsuperuser program can you update the profile accordingly, but if you give an existing user superuser rights, it will also update that user's profile. The problem with using the user model signal is that the profile may not yet be created. You probably would need to catch signals for both models: one for if a user is updated (user model), and the other (profile model) for if the user is being created.
Another option is to override the profile save method. You could check the user.is_superuser that it is linked to and then update the is_primary_user field accordingly.
On the other hand, you may be wanting to do this for only the first superuser which is created, in which case you would first need to check if any superusers previously existed.
I agree with two other posters that it would be best not to use the is_superuser flag in this manner.