Subclass Manager and make this the default manager for all owner
restricted models. Override filter() and get() to check for the
"owner" arg. Raise an error if it is not specified. Also set
use_for_related_fields = True for the manager to cover the reverse
relations.
Regards,
Michael
On Oct 25, 7:28 am, Gerard <lijss...@gp-net.nl> wrote:
> Hiya Tim,
>
> Thanx for the response. Thing is I already have queries running like this:
>
> Customer.objects.filter(user=request.user).order_by('company_name')
>
> The problem however is that I dont trust myself enough to never make a
> msitake to show the wrong data to the wrong user. All my models have a
> "owner" field, but if the queries are not using that there's unwanted data
> disclosure.
>
> I'm trying to figure out if it's possible to write a tiny piece of
> middleware that alarms me when a query is invoked without filtering on the
> owner field.
>
> And at least have it running during development. Would that be afeasible
> option?
>
> Thanx,
>
> Regards,
>
> Gerard.
>
>
>
> Tim Chase wrote:
> > Gerard wrote:
> >> Hi all,
>
> >> I'm working on a safe way to get users to only see there own records. I've
> >> been working on subclassing model.Manager and requiring a 'owner' parm for
> >> filter() or otherwise returning an emtpy query set .. just to failsafe my
> >> own view coding.
>
> >> Then I figured I could get records in my view via the user.whatever_objects
> >> like this:
>
> >> user = User.objects.get(username=request.user)
> >> customer_list = user.customers.all().order_by('company_name')
>
> >> But that would make two db connects. When growing in scale, could this
> >> eventually be a performance bottleneck?
>
> > This might be rewritable as
>
> > Customer.objects.filter(user=request.user).order_by('company_name')
>
> > or
>
> > request.user.customers.all().order_by('company_name')
>
> > Test each to see how many queries (not connections) are sent in
> > each case.
>
> > -tim
>
> --
> self.url =www.gerardjp.com
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
