Django User Custom Permissions without using Django Admin & Groups? - python

I'm using a custom user model and trying to add permissions to users so that they will be able to manage (only) their business profile.
I have two models that I need to connect.
Business & User
I will have four levels of user permissions.
1. No permission
2. Employee
3. Manager
4. Owner (can own multiple businesses)
I will need to control the permissions not only in my views.py but also in templates, where each user may see slightly different content, links, etc.
So the million dollar question is:
Option 1.
Do I just simply add the is_employee, is_manager and is_owner fields directly to the user model as M2M fields and just check when the user is logged in for the permission?
Option 2.
Technically, I can also add those three permission fields is_employee, is_manager and is_owner to the business model as M2M fields and check whether the user is authorized to access the business data.
Option 3.
Create some kind of middle service layer (manager) functionality that will connect my views and models to handle this?
Or perhaps there is some use of Django Permissions for something like this?
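One way to implement Option 3, as an added example that is not from the original post or from any answer, written in plain Python so it runs without Django: the role lives on a membership row that links a user to one business, so a manager of business 10 is not a manager of business 11. That per-object check is what a global is_manager flag on the user model (Option 1) cannot give you; with a global flag, any manager can manage any business whose id they put in the URL. The `Membership` dataclass stands in for an assumed through model such as `BusinessMembership(user, business, role)`, `REQUIRED_ROLE` is an assumed policy table, and the sample memberships are constructed. In a real project the decorator would read `request.user` and the business primary key from the URL, and `template_flags` would be added to the template context.

```python
from dataclasses import dataclass
from enum import IntEnum
from functools import wraps


class Role(IntEnum):
    """Ordered roles: a higher role implies every lower one."""
    NONE = 0
    EMPLOYEE = 1
    MANAGER = 2
    OWNER = 3


@dataclass(frozen=True)
class Membership:
    """Stand-in for an assumed through model BusinessMembership(user, business, role)."""
    user_id: int
    business_id: int
    role: Role


# Minimum role per action. Assumed policy table, not from the page.
REQUIRED_ROLE = {
    "view_profile": Role.EMPLOYEE,
    "edit_profile": Role.MANAGER,
    "manage_staff": Role.MANAGER,
    "delete_business": Role.OWNER,
}


class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied (HTTP 403)."""


def role_for(memberships, user_id, business_id):
    """The user's role at exactly this business; NONE when there is no membership."""
    for m in memberships:
        if m.user_id == user_id and m.business_id == business_id:
            return m.role
    return Role.NONE


def can(memberships, user_id, business_id, action):
    """True iff the user's role at this business meets the action's minimum role.
    Unknown actions are denied rather than allowed by default."""
    required = REQUIRED_ROLE.get(action)
    if required is None:
        return False
    return role_for(memberships, user_id, business_id) >= required


def require_role(action):
    """Decorator for view-like callables taking (memberships, user_id, business_id, ...).
    In Django the first three would come from the DB, request.user and the URL kwargs."""
    def decorator(view):
        @wraps(view)
        def wrapper(memberships, user_id, business_id, *args, **kwargs):
            if not can(memberships, user_id, business_id, action):
                raise PermissionDenied(f"{action} denied for user {user_id} on business {business_id}")
            return view(memberships, user_id, business_id, *args, **kwargs)
        return wrapper
    return decorator


def template_flags(memberships, user_id, business_id):
    """Booleans for a template context, e.g. {% if biz.can_edit_profile %} ... {% endif %}."""
    return {f"can_{action}": can(memberships, user_id, business_id, action) for action in REQUIRED_ROLE}


@require_role("edit_profile")
def edit_profile_view(memberships, user_id, business_id, new_name):
    """Example protected view; only reached when the role check passed."""
    return f"business {business_id} renamed to {new_name}"


# Constructed sample data: user 1 owns two businesses, user 2 manages only business 10.
MEMBERSHIPS = [
    Membership(user_id=1, business_id=10, role=Role.OWNER),
    Membership(user_id=1, business_id=11, role=Role.OWNER),
    Membership(user_id=2, business_id=10, role=Role.MANAGER),
    Membership(user_id=3, business_id=10, role=Role.EMPLOYEE),
]
```

Because every decision goes through `can`, the same rule is used by the view decorator and by the template flags, so a link hidden in a template can never be reachable through a URL the template did not show.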

Related

How do I create two sign-up systems?

So I wanted to create 2 signup options on the website, for example student and teacher login methods. I want the form or model to extend and save it to the sqlite3 db. For example, if a student signs up the database would store a field isteacher = False and vice versa.
Also once they login is there a way to display two different dashboards based on the user?
Is there any guide or link to show me how to build this step by step? I have spent close to 8 hours figuring this out and I'm very close to giving up. Thanks for your time.
You don't need two sign-up forms for such a thing if the students and teachers use the same credentials (e.g. username/email and password). Just add a selector for users to identify themselves. If they are not going to use the same credentials, create a base view for the common fields, then create separate signup views inheriting from that base view.
You need to extend User to add extra fields such as is_teacher (though I recommend you use a CharField with choices so that you can add extra types of users in the future). There are a couple of ways of doing this, explained in detail in the Django documentation; in your case setting up a custom user model via AbstractUser seems the best, as I predict you will be extending that model further.
You can use UserPassesTestMixin or user_passes_test decorator to conditionally alter views for different types of users.

Why do we have to include staff and admin fields in custom user django model?

Let's say I am building a social networking website that has nothing to do with admin and superuser. But I still have to include these fields while making a custom user model. This is going to be a simple model that holds the user's profile information, not whether the user is an admin or superuser.
Can anyone explain why we always need these fields to be there? Can we get rid of them and still create a custom user model, or do we always need them?
There is no constraint mentioned in the Django documentation that the AUTH_USER_MODEL specified should have is_superuser or is_staff flags. The minimum requirements for creating a custom user model are specified here.
It is up to your business requirements to decide whether or not to follow them. But if your auth model does not have those flags, then it will not be possible for even you (the admin) to access the admin portal. So there is no harm in having the flags turned off for everyone.

Django group permission activate

If you have django.contrib.auth in your INSTALLED_APPS, Django will automatically create add, change, delete and view permissions for every model in your system (or any one you add later). These are stored in auth_permission.
In django doc, here is what we can read under Groups section:
django.contrib.auth.models.Group models are a generic way of categorizing users so you can apply permissions, or some other label, to those users. A user can belong to any number of groups.
A user in a group automatically has the permissions granted to that group. For example, if the group 'Site editors' has the permission can_edit_home_page, any user in that group will have that permission.
I have a group with no permissions at all (call it NADA) and I've assigned that group to a specific user (let's call him Pierre). Pierre can still connect and create, update, delete or view anything on my web interface.
How can I make it work? There is little or no documentation on the web for native Django permissions.
I've read this nice publication: django-permission-apps-comparison.
I know I could install django-guardian, django-role-permissions or django-rules...
I know we can manage access via middleware or decorators, but since Django IS creating these tables for us (user, groups, permissions and group_permissions), I thought it would be extremely simple to implement CRUD access to any model class!
Wrong?
Am I missing something?
Note: Working with Python 3.6 and Django 2.1.3
Django permissions are simple. As far as I understand your question, you are trying to create a user with no permission and he should not see any entries on the Django admin.
First thing is to make sure the user is not marked as "superuser", the superuser sees everything no matter which group they are added in.
If he is not a superuser and is still able to see the model, then you should make sure he is not part of multiple groups. If a user is in multiple groups, then the union of all their permissions is what is applied to them. This link will give you more details on the different flags for a user: https://djangobook.com/users-groups-permissions/. Let me know if this helps.

Django - make admin fields invisible to some users

TL;DR I'd like to be able to disable certain models per-user in /admin view.
Specifically: I'm looking to make admin models invisible to some staff users, so that they can have a sort of customized dashboard. There are all sorts of fields that change how to present, search, query, etc. models based on whatever you want, but I can't find anything to let me determine whether or not to even show models on the /admin page without resorting to blacklisting individual permissions (of which there are hundreds), and I'd like to be able to make some models only available to superusers and not staff.
Any thoughts?
Thanks!
Just don't give them superuser rights. Superuser means they have all rights automatically, which isn't what you want.
Then add edit, add, delete rights for the models they are allowed to edit, add and delete. You can create a group that you give these rights to, then add the users to that group.
If a user doesn't have add, edit or delete rights to a model, the model isn't shown in the admin.
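The resolution rules that the two answers above rely on (a group with no permissions grants nothing, a user in several groups gets the union, an active superuser passes every check, and the admin lists a model only when the user holds at least one of its add/change/delete/view permissions), as an added example in plain Python that mirrors the behaviour of Django's `ModelBackend` and `PermissionsMixin` rather than importing them. It is not code from the page; the groups, users and permission codenames are constructed. One detail worth keeping in mind when debugging a case like Pierre's: an inactive user gets no permissions at all, even as a superuser, and a user who is not is_staff cannot log in to the admin regardless of permissions.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """A named set of permission codenames such as "blog.change_article"."""
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class User:
    """The subset of Django's user flags that permission checks consult."""
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    groups: list = field(default_factory=list)
    user_permissions: set = field(default_factory=set)


def all_permissions(user):
    """Effective permissions: the user's own plus the union of every group's.
    Mirrors ModelBackend.get_all_permissions; inactive users get nothing."""
    if not user.is_active:
        return set()
    perms = set(user.user_permissions)
    for group in user.groups:
        perms |= group.permissions
    return perms


def has_perm(user, perm):
    """Active superusers pass every check, whatever groups they are in; this is the
    usual reason a "no permission" group appears to have no effect."""
    if not user.is_active:
        return False
    if user.is_superuser:
        return True
    return perm in all_permissions(user)


MODEL_ACTIONS = ("add", "change", "delete", "view")


def visible_in_admin(user, app_label, model):
    """The admin shows a model only to staff who hold at least one of its permissions
    (or to superusers). Returning False hides it from that user's dashboard."""
    if not (user.is_active and user.is_staff):
        return False
    if user.is_superuser:
        return True
    perms = all_permissions(user)
    return any(f"{app_label}.{action}_{model}" in perms for action in MODEL_ACTIONS)


# Constructed sample: an empty group, an editors group, and three users.
NADA = Group("NADA")
EDITORS = Group("Site editors", {"blog.change_article", "blog.view_article"})
pierre = User("Pierre", is_staff=True, groups=[NADA])
pierre_in_both = User("Pierre", is_staff=True, groups=[NADA, EDITORS])
root = User("root", is_staff=True, is_superuser=True, groups=[NADA])
disabled_root = User("old-root", is_active=False, is_staff=True, is_superuser=True)
```

If Pierre can still edit everything with only NADA, the first things to check against these rules are `is_superuser` on his account and whether the view being hit actually calls `has_perm` (a plain Django view does not, unless it uses `permission_required` or `PermissionRequiredMixin`).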

Django password and authentication for non standard users

I have been asked to introduce an unusual case and I'm wondering how others would go about it.
I have users in my Django application. The model is the standard user model, authentication, etc. Each one of these site users can add their own contacts to the system. However, my new requirement is to allow their contacts to set a password (if they want to) so that they can log in to their status page (belonging to that user).
So my question is how would you do this? I already have the contact table (which belongs to one user). I'm thinking of adding a password (optional) field, but then I'm unsure how to handle the authentication for this, as they are not my users but members of my users (if that makes sense).
One way would be to create another user model for contacts inheriting from AbstractBaseUser, and then create a custom auth backend that would look in both models to log in the user. Finally, you would have to distinguish between a standard user and a contact user before every action.
That is if contact user and standard user differ significantly in your application.
Or you could just create a custom user in your application that contains an is_contact attribute. This would be used for both types of users. You would set that as AUTH_USER_MODEL in settings and check the is_contact attribute before every action to determine the outcome. You could return 403 for the contact user if he tries to access what he's not supposed to.
Or, if you use permissions in your application, you could set the contact user's permissions to only view the statuses of the users that added him as a contact and nothing else.
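The first approach in the answer above (a backend that looks in both stores and a principal that says which kind of account is logged in), as an added example in plain Python that is not from the page and does not use Django; it mirrors the `authenticate(...)` shape of a custom auth backend without the framework. The two pieces a practitioner would want to see handled are the optional password (a contact whose password field is empty must never be able to log in, not even with an empty string) and the authorization step afterwards (a contact sees only the status page of the user who added them). `SiteUser`, `Contact`, `Principal` and `TwoStoreBackend` are assumed names, the PBKDF2 hashing is a stand-in for Django's password hashers (with a lower iteration count than Django's default to keep the demo quick), and the accounts are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 200_000  # demo value; Django's pbkdf2_sha256 hasher uses a higher count


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, stored as algorithm$salt$hash (Django-like layout)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def check_password(password: str, encoded: Optional[str]) -> bool:
    """False when no password is set (optional field left empty) or when empty is supplied;
    otherwise a constant-time comparison of the derived keys."""
    if not encoded or not password:
        return False
    _algo, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class SiteUser:
    id: int
    username: str
    password_hash: str


@dataclass
class Contact:
    id: int
    email: str
    owner_id: int                         # the site user who added this contact
    password_hash: Optional[str] = None   # None: the contact never chose a password


@dataclass(frozen=True)
class Principal:
    """What the session carries after login: which kind of account, and for contacts, whose."""
    kind: str                             # "user" or "contact"
    id: int
    owner_id: Optional[int] = None


class TwoStoreBackend:
    """Looks in both stores, like a custom Django auth backend. Site users win on a name
    collision: if a user with that login exists, the contact table is not consulted, so
    a contact cannot shadow a user by choosing the same login string."""

    def __init__(self, users, contacts):
        self.users = {u.username: u for u in users}
        self.contacts = {c.email: c for c in contacts}

    def authenticate(self, login: str, password: str) -> Optional[Principal]:
        user = self.users.get(login)
        if user is not None:
            return Principal("user", user.id) if check_password(password, user.password_hash) else None
        contact = self.contacts.get(login)
        if contact is not None and check_password(password, contact.password_hash):
            return Principal("contact", contact.id, owner_id=contact.owner_id)
        return None


def can_view_status_page(principal: Principal, page_owner_id: int) -> bool:
    """The check to run before every action: users see their own page,
    contacts see only the page of the user who added them (anything else is a 403)."""
    if principal.kind == "user":
        return principal.id == page_owner_id
    return principal.owner_id == page_owner_id


# Constructed sample accounts. Dave is a contact who never set a password.
USERS = [SiteUser(1, "alice", hash_password("alice-pw")), SiteUser(2, "bob", hash_password("bob-pw"))]
CONTACTS = [
    Contact(100, "carol@example.com", owner_id=1, password_hash=hash_password("carol-pw")),
    Contact(101, "dave@example.com", owner_id=1),
]
BACKEND = TwoStoreBackend(USERS, CONTACTS)
```

Keeping `kind` on the principal, rather than inferring it later from which table a row came from, is what makes the "distinguish before every action" step in the answer a one-line check in views and templates.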