Hi Manfre,

Tried subclassing the Manager but didn't know if overwriting get() and filter() would be enough. Thanx to your email I now realize it is :) .. while in the process I ended up making an extra failsafe net, with a tiny middleware tool I wrote:

http://www.gerardjp.com/2009/10/26/django-queryscreener-a-record-level-ownership-development-auditor/ :)

Thanx again.

Gerard.

Manfre wrote:
> Subclass Manager and make this the default manager for all owner
> restricted models. Override filter() and get() to check for the
> "owner" arg. Raise an error if it is not specified. Also set
> use_for_related_fields = True for the manager to cover the reverse
> relations.
>
> Regards,
> Michael
>
> On Oct 25, 7:28 am, Gerard <[email protected]> wrote:
>> Hiya Tim,
>>
>> Thanx for the response. Thing is I already have queries running like this:
>>
>> Customer.objects.filter(user=request.user).order_by('company_name')
>>
>> The problem however is that I don't trust myself enough to never make a
>> mistake to show the wrong data to the wrong user. All my models have an
>> "owner" field, but if the queries are not using that there's unwanted data
>> disclosure.
>>
>> I'm trying to figure out if it's possible to write a tiny piece of
>> middleware that alarms me when a query is invoked without filtering on the
>> owner field.
>>
>> And at least have it running during development. Would that be a feasible
>> option?
>>
>> Thanx,
>>
>> Regards,
>>
>> Gerard.
>>
>> Tim Chase wrote:
>>> Gerard wrote:
>>>> Hi all,
>>>> I'm working on a safe way to get users to only see their own records. I've
>>>> been working on subclassing model.Manager and requiring an 'owner' parm for
>>>> filter() or otherwise returning an empty query set .. just to failsafe my
>>>> own view coding.
>>>> Then I figured I could get records in my view via the user.whatever_objects
>>>> like this:
>>>> user = User.objects.get(username=request.user)
>>>> customer_list = user.customers.all().order_by('company_name')
>>>> But that would make two db connects. When growing in scale, could this
>>>> eventually be a performance bottleneck?
>>> This might be rewritable as
>>> Customer.objects.filter(user=request.user).order_by('company_name')
>>> or
>>> request.user.customers.all().order_by('company_name')
>>> Test each to see how many queries (not connections) are sent in
>>> each case.
>>> -tim
>> --
>> self.url = www.gerardjp.com
>
>

--
self.url = www.gerardjp.com
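The owner-required manager Manfre describes, with the development-time alarm Gerard asked for folded in as a non-strict mode, as an added example that is not code from the thread or from Gerard's django-queryscreener. It runs without Django: rows are plain dicts standing in for Customer records, and `OwnerRequiredManager`, `is_owner_scoped` and `UnscopedQueryError` are names assumed here.

```python
import logging
log = logging.getLogger("queryscreener")
OWNER_FIELD = "owner"  # every model in the thread carries an owner field

class UnscopedQueryError(Exception):
    """Raised when a query does not pin rows to one owner."""

def is_owner_scoped(lookups, owner_field=OWNER_FIELD):
    """True if the lookup kwargs restrict by owner, accepting the
    owner=, owner_id= and owner__<path>= spellings Django allows."""
    return any(k == owner_field or k == owner_field + "_id"
               or k.startswith(owner_field + "__") for k in lookups)

class OwnerRequiredManager:
    """Manager in the shape the thread recommends: filter()/get() refuse
    to run without an owner lookup. strict=False is the development-time
    auditor Gerard describes: the unscoped call is logged, not blocked.
    Rows are dicts and only field=value lookups match (no Django needed)."""

    def __init__(self, rows, strict=True):
        self.rows = list(rows)
        self.strict = strict

    def _screen(self, method, lookups):
        if is_owner_scoped(lookups):
            return
        msg = f"{method}() called without '{OWNER_FIELD}': {sorted(lookups)}"
        if self.strict:
            raise UnscopedQueryError(msg)
        log.warning("unscoped query: %s", msg)

    def _match(self, lookups):
        return [r for r in self.rows
                if all(r.get(k) == v for k, v in lookups.items())]

    def filter(self, **lookups):
        self._screen("filter", lookups)
        return self._match(lookups)

    def get(self, **lookups):
        self._screen("get", lookups)
        (hit,) = self._match(lookups)  # ValueError unless exactly one row
        return hit

# Constructed sample rows standing in for Customer records (not real data).
CUSTOMERS = [
    {"id": 1, "owner": "alice", "company_name": "Acme"},
    {"id": 2, "owner": "alice", "company_name": "Zed Ltd"},
    {"id": 3, "owner": "bob", "company_name": "Bobcorp"},
]
```

In a real project the same `_screen` check would sit in a `models.Manager` subclass with `use_for_related_fields = True`, so `request.user.customers` goes through it as well.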

