Django
Rrooom, 2014-08-16 00:44:34

What's the best way to control a user's access to only their own data?

Suppose...
A synthetic example. We have users. Users have notebooks.

from django.db.models import Model, CharField, TextField, ForeignKey, ImageField, CASCADE

class Pad(Model):
    # CharField needs a max_length; the question omitted it
    name = CharField(max_length=100)

The notebooks have entries:
class Post(Model):
    name = CharField(max_length=100)
    text = TextField()          # was "textField" (wrong case) in the question
    pad = ForeignKey(Pad, on_delete=CASCADE)

And there is a set of pictures for the records:
class Img(Model):
    img = ImageField()
    post = ForeignKey(Post, on_delete=CASCADE)

How is it customary to control access in Django?
With a snippet (yes, I put it in snippets), I immediately generate CRUD (ListView-DetailView-CreateView-UpdateView). But what is a nice way to give access only to the owner?
You can override get_query_set, and in it, for each view, fetch the user and filter the records by him. Too much code. And for the last one in the link tree, Img, it is a very long chain of lookups back to the owner of the notebook, and it's better not to look at what kind of query the ORM turns this into.
You can add a user key to each model; then you can make a mixin that checks for all of them at once and have your CBVs inherit it. (Or maybe there is a module that can automatically set the owner? Magic, but you never know.) Which is better? How do you solve the problem?
It often happened to me that I simply forgot about this filtering until the tester kicked me. I want the most automagical way, so that I can forget about it and everything is still fine.
It seems that in Django this issue is not resolved by default. And by adding irrelevant tags, I hope someone will tell me how it is implemented in other frameworks.


2 answer(s)
Alexander, 2014-08-16
@syschel

Like it or not, there will be three queries everywhere: for the notebook, the notes and their pictures. It is enough to give the notebook an "owner" link, a ForeignKey(User), and check the rights along the chain, starting with the rights on the notebook. And if the rights are sufficient, then make the query for the record and the pictures.
If you want more than one user to have rights on a notebook, then make a separate rights model and link it through many-to-many.
PS For the reverse relation, you can use related_name
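The mixin the question sketches, combined with Alexander's advice to hang the owner on the notebook and walk the chain back to it, as an added example that is not code from the original thread. Django is deliberately not imported so the block runs offline: a tiny in-memory queryset stands in for the ORM, but its filter() accepts the same double-underscore chains ("post__pad__owner") a real queryset would. Model names come from the question; OwnerQuerysetMixin, owner_lookup, BaseView, Request and DB are assumptions made for the illustration.

```python
# Added example, not from the original thread. Django is not imported; the
# QuerySet, BaseView, Request and DB below are stand-ins so it runs offline.
from dataclasses import dataclass
from typing import Any, Iterable


class PermissionDenied(Exception): ...      # stands in for django.core.exceptions
class ImproperlyConfigured(Exception): ...  # likewise


def _follow(obj: Any, lookup: str) -> Any:
    """Walk a Django-style 'post__pad__owner' chain through attributes."""
    for part in lookup.split("__"):
        obj = getattr(obj, part)
    return obj


class QuerySet:
    """In-memory stand-in: only filter() and iteration are needed here."""
    def __init__(self, rows: Iterable[Any]):
        self._rows = list(rows)
    def filter(self, **lookups) -> "QuerySet":
        return QuerySet(r for r in self._rows
                        if all(_follow(r, k) == v for k, v in lookups.items()))
    def __iter__(self):
        return iter(self._rows)


@dataclass(frozen=True)
class User:
    username: str

@dataclass
class Pad:          # the notebook, linked to its owner as Alexander suggests
    pk: int; name: str; owner: User

@dataclass
class Post:
    pk: int; name: str; text: str; pad: Pad

@dataclass
class Img:
    pk: int; img: str; post: Post

@dataclass
class Request:      # only the attribute the mixin needs
    user: User


# Constructed sample data: one notebook each for two users.
alice, bob = User("alice"), User("bob")
PADS = [Pad(1, "alice notes", alice), Pad(2, "bob notes", bob)]
POSTS = [Post(1, "a1", "hello", PADS[0]), Post(2, "b1", "hi", PADS[1])]
IMGS = [Img(1, "a.png", POSTS[0]), Img(2, "b.png", POSTS[1]), Img(3, "b2.png", POSTS[1])]
DB = {Pad: PADS, Post: POSTS, Img: IMGS}


class BaseView:
    """Stand-in for a Django generic view: a model, a request, get_queryset()."""
    model = None
    def __init__(self, request: Request):
        self.request = request
    def get_queryset(self) -> QuerySet:
        return QuerySet(DB[self.model])


class OwnerQuerysetMixin:
    """Narrow every queryset to rows whose owner, reached via owner_lookup, is
    request.user. A view that forgets owner_lookup fails loudly instead of
    silently serving other users' rows (the 'forgot until the tester kicked
    me' failure from the question)."""
    owner_lookup: str = ""

    def get_queryset(self) -> QuerySet:
        if not self.owner_lookup:
            raise ImproperlyConfigured(f"{type(self).__name__}: owner_lookup not set")
        return super().get_queryset().filter(**{self.owner_lookup: self.request.user})

    def get_object(self, pk: int):
        # Detail/update/delete path: look the row up only inside the filtered
        # queryset. Real Django would answer 404 for a foreign row as well;
        # PermissionDenied is used here so callers can tell the two cases apart.
        for obj in self.get_queryset():
            if obj.pk == pk:
                return obj
        if any(o.pk == pk for o in super().get_queryset()):
            raise PermissionDenied(f"{self.model.__name__} {pk} belongs to someone else")
        raise LookupError(f"{self.model.__name__} {pk} does not exist")


# One lookup string per model describes the whole chain back to the owner.
class PadListView(OwnerQuerysetMixin, BaseView):
    model, owner_lookup = Pad, "owner"

class PostListView(OwnerQuerysetMixin, BaseView):
    model, owner_lookup = Post, "pad__owner"

class ImgListView(OwnerQuerysetMixin, BaseView):
    model, owner_lookup = Img, "post__pad__owner"

class ForgetfulImgView(OwnerQuerysetMixin, BaseView):
    model = Img                      # owner_lookup missing: refuses to serve


def visible_pks(view_cls, user: User) -> list:
    """Primary keys the given user would see in the given list view."""
    return sorted(o.pk for o in view_cls(Request(user)).get_queryset())
```

The point of the lookup string is that the chain Img -> Post -> Pad -> owner is written once per view and the ORM does the join; on a real Django queryset the same `filter(post__pad__owner=request.user)` becomes a single query with joins rather than one query per hop. Raising ImproperlyConfigured when owner_lookup is missing makes the default fail closed, which is what the question is really asking for.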

Ivan Soshnikov, 2014-08-17
@soshnikov

Google "django row level security"; there are examples and ready-made solutions.
But, in any case, you can't do without checking for the owner.
