Re: Can I just put user id in session for authorization purpose?

2009-04-06 Thread Zeal

Hi Malcolm,

Thanks for your clear explanation. I've already done the authorization
function by myself; if you are interested in it, you could refer to the
following code. After analysing Django's auth module, I gave it up for
some integration reasons. However, I copied some useful functions from it
into my auth application. As of the current testing, it works well.

+++
>>MODEL: (I have left out some of the model's attributes to save reading
>>time)

# Imports the posted snippet relies on (Django 1.0 era):
import datetime
from django.db import models
from django.utils.translation import ugettext_lazy as _

# AUTH_TYPE, STATUS_CHOICES, the Code model, make_random_password() and the
# User methods check_password() / password_expired() are defined elsewhere in
# the application and were left out of this post.

def random_password():
    # Passed to the field as a callable so a fresh value is generated per row.
    # Calling make_random_password(length=60) directly in the field definition
    # runs once at import time and gives every new user the same default.
    return make_random_password(length=60)

class Group(models.Model):
    group_id = models.CharField(_('Group ID'), max_length=8, unique=True)
    group_desc = models.CharField(_('Group Description'), max_length=30, unique=True)

class View(models.Model):
    """Define which model can be accessed for updating or just viewing"""
    group = models.ForeignKey(Group, verbose_name=_('Group'), related_name='view')
    view_label = models.CharField(_('Group Views'), max_length=20)
    auth_type = models.CharField(_('Access Type'), max_length=1, choices=AUTH_TYPE)

class Scope(models.Model):
    """Define which scope (based on code) a certain user may visit"""
    group = models.ForeignKey(Group, verbose_name=_('Group'), related_name='scope')
    code = models.ForeignKey(Code, verbose_name=_('Code'), related_name='scope')

class User(models.Model):
    user_id = models.CharField(_('User ID'), max_length=8, unique=True)
    user_name = models.CharField(_('User Name'), max_length=30)
    group = models.ForeignKey(Group, verbose_name=_('Group'), related_name='user')
    birthday = models.DateField(_('Birthday'))
    email = models.EmailField(_('email'))
    # No unique=True on the password column: two users may legitimately have
    # the same password, and a uniqueness error would tell the second one so.
    password = models.CharField(_('Password'), max_length=80, editable=False,
                                default=random_password)
    effective_date = models.DateField(_('Effective Date'), auto_now_add=True)
    last_login = models.DateTimeField(_('Last Login Date'), editable=False,
                                      default=datetime.datetime(1900, 1, 1))
    error_login = models.PositiveSmallIntegerField(_('Error Login'), editable=False,
                                                   default=0)
    status = models.CharField(_('Status'), max_length=1, choices=STATUS_CHOICES)
    fav = models.CharField(_('My Favorite'), max_length=200, blank=True)

>>LOG IN VIEW:

import datetime
from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response

# LoginForm, if_setlang, setlang, scopeset, write_log, the msg_* strings and
# TIMES_ERROR_LOGIN are defined elsewhere in the application.

def login(request, template='auths/login.html', url_after_login='/welcome/'):
    if if_setlang(request): return setlang(request)  # for language selection

    empty_form = LoginForm()
    if request.method == 'POST':
        form = LoginForm(request.POST)
        if form.is_valid():
            # use the validated values rather than the raw POST data
            userid, password = form.cleaned_data['username'], form.cleaned_data['password']
            userdata = User.objects.filter(user_id__exact=userid)
            if userdata:  # 1.1 user exists
                _now = datetime.datetime.now()
                for i in userdata:  # user_id is unique, so at most one row
                    if i.check_password(password):  # 1.1 password is correct
                        i.last_login = _now
                        i.save()
                        if i.status == 'S':  # 1.1.1 checking status first
                            return render_to_response(template,
                                {'form': empty_form, 'error_msg': msg_suspend})
                        elif i.password_expired():  # 1.1.2 checking password expiration
                            return render_to_response(template,
                                {'form': empty_form, 'error_msg': msg_expire})
                        else:
                            i.error_login = 0  # a successful login resets the failure counter
                            i.save()
                            request.session['user_id'] = userid
                            request.session['scope'] = scopeset(userid)
                            write_log(request, '', 'Log In', log_level=1)  # >>writing Log
                            return HttpResponseRedirect(url_after_login)
                    else:  # 1.2 password is incorrect
                        i.error_login += 1
                        psw_times = TIMES_ERROR_LOGIN - i.error_login
                        if i.error_login >= TIMES_ERROR_LOGIN:  # too many failures: suspend
                            psw_times, i.status = 0, 'S'
                        i.save()
                        error_msg = msg_incorrect if psw_times != 0 else msg_suspend  # msg_incorrect%(psw_times)
                        return render_to_response(template,
                            {'form': empty_form, 'error_msg': error_msg})
            else:  # 2 user doesn't exist in database
                # note: msg_na differs from msg_incorrect, so the response
                # tells a caller whether the user id exists
                return render_to_response(template,
                    {'form': empty_form, 'error_msg': msg_na})
        return render_to_response(template,
            {'form': empty_form, 'error_msg': msg_invalid})
    else:
        return render_to_response(template, {'form': empty_form})



Regards,

Zeal Hua

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~
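A stand-alone version of the checks in the login view above, written as an added example and not the poster's code: the poster's check_password(), password_expired() and msg_* helpers are not on the page, so the hashing (PBKDF2-SHA256 with a random salt), the expiry rule and the outcome values are assumed here, as is the in-memory USERS table that stands in for User.objects. It keeps the same lockout rule (suspend after TIMES_ERROR_LOGIN failures, reject a suspended or expired account even when the password is right, reset the counter only on a fully successful login) and differs from the view in one deliberate way: an unknown user id and a wrong password both return INCORRECT, and a dummy hash is still checked for an unknown id, so the response does not reveal which user ids exist.

```python
import datetime
import hashlib
import hmac
import os

TIMES_ERROR_LOGIN = 3                          # failures allowed before suspension
PASSWORD_MAX_AGE = datetime.timedelta(days=90)  # assumed expiry rule
PBKDF2_ROUNDS = 50_000

# Outcomes returned to the caller; a view would map them to messages.
OK, INCORRECT, SUSPENDED, EXPIRED = "ok", "incorrect", "suspended", "expired"


def make_password(raw, salt=None):
    """PBKDF2-SHA256 with a random salt, stored as 'salt$hexdigest'."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), PBKDF2_ROUNDS)
    return "%s$%s" % (salt, digest.hex())


def check_password(raw, stored):
    salt, _ = stored.split("$", 1)
    # compare_digest avoids leaking the position of the first mismatch
    return hmac.compare_digest(make_password(raw, salt), stored)


class User:
    """Minimal stand-in for the poster's User model (constructed here)."""

    def __init__(self, user_id, raw_password, password_age_days=0):
        self.user_id = user_id
        self.password = make_password(raw_password)
        self.password_set = datetime.datetime.now() - datetime.timedelta(days=password_age_days)
        self.status = "A"          # 'A' active, 'S' suspended
        self.error_login = 0
        self.last_login = None

    def password_expired(self, now):
        return now - self.password_set > PASSWORD_MAX_AGE


USERS = {}   # in-memory table standing in for User.objects


def add_user(user):
    USERS[user.user_id] = user


# Hash checked when the user id is unknown, so that path costs about the same
# as the wrong-password path and the timing does not single out valid ids.
_DUMMY = make_password("not-a-real-password")


def authenticate(user_id, raw_password, now=None):
    now = now or datetime.datetime.now()
    user = USERS.get(user_id)
    if user is None:
        check_password(raw_password, _DUMMY)
        return INCORRECT            # same answer as a wrong password
    if not check_password(raw_password, user.password):
        user.error_login += 1
        if user.error_login >= TIMES_ERROR_LOGIN:
            user.status = "S"       # lock the account; only an admin reopens it
            return SUSPENDED
        return INCORRECT
    # Correct password: status and expiry are checked before granting access,
    # and the failure counter is reset only on a fully successful login.
    if user.status == "S":
        return SUSPENDED
    if user.password_expired(now):
        return EXPIRED
    user.error_login = 0
    user.last_login = now
    return OK
```

Because the counter is only reset on success, the lockout cannot be cleared by alternating wrong and right guesses, and because the suspended check runs after the password check, a locked account gives the same answer for the right password as for a wrong one.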

Re: Can I just put user id in session for authorization purpose?

2009-04-05 Thread Malcolm Tredinnick

On Sun, 2009-04-05 at 06:27 -0700, Zeal wrote:
> Django's auth is pretty good; however, I need some row-level
> authorization mechanism, like which department and function a
> certain user could access, so my needs on authorization are pretty
> different from the default auth model. Thanks!

I think you're misunderstanding something here, due to some lazy naming
practices in Django's past. The "auth" in django.contrib.auth is for
authentication, not authorization.

It has all the utility pieces needed to authenticate a user and store
any related user information in the session (the user object). It
doesn't handle anything to do with authorisation based on that user
object. So I was suggesting using the auth module to avoid needing to
manually store the user_id value in any session objects and to handle
the authentication portion in the natural flow of things.

Authorisation is a separate issue.

Regards,
Malcolm





Re: Can I just put user id in session for authorization purpose?

2009-04-05 Thread Zeal

Django's auth is pretty good; however, I need some row-level
authorization mechanism, like which department and function a
certain user could access, so my needs on authorization are pretty
different from the default auth model. Thanks!



Re: Can I just put user id in session for authorization purpose?

2009-04-03 Thread Malcolm Tredinnick

On Fri, 2009-04-03 at 01:41 -0700, Zeal wrote:
> I'm a newbie; I've been using Django to develop an application. The
> entire application needs to be based on an authorization mechanism. In
> my current program, I just put the user's id in the session when they log
> in, and there is an authorization decorator to judge whether a request
> object includes a user id. Is this safe enough?

Is there some reason you can't use Django's django.contrib.auth
application -- perhaps by writing your own authentication backend --
which will handle this sort of thing automatically for you? That will
remove the need for you to worry about storing anything manually in the
session and will make the user object available as an attribute on the
request each time.

> By the way, due to a special requirement, the authorization of the end-
> user should be based on several fields, like which department or
> unit the end-user could visit. Hence, when the user logs in, his/her
> authorized object ids (pk in model) will be saved in the session, and then
> on every request that needs to retrieve data, those authorized object ids
> will be used as a filter condition, like filter(id__in=[]). Is this safe
> and effective?

It will work. The session value that the client side (browser) sees is
only a key into the sessions table. It's randomly generated, so the
chances of somebody guessing another user's active session are small (as
in, it would take them a few centuries of guessing 1000 times per
second). There's no actual session data sent to the client side -- all
that is stored server-side in the django.contrib.session application
(there are other ways to manage sessions, but that's how Django's
out-of-the-box sessions work).

Regards,
Malcolm



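To make Malcolm's point concrete, here is an added example (not code from the thread or from Django) of the arrangement being discussed: the browser holds only a random session key, the user id and the authorized pks live in a server-side store, a decorator checks that a user id is in the session, and the data view applies the stored pks as its filter, the plain-Python equivalent of filter(id__in=request.session['scope']). SessionStore, Request, require_login, the DEPARTMENTS and USER_SCOPE tables and the NotAuthorized exception are all constructed here. It also shows one step the question does not mention: the key is cycled at login, so a session key a client was given (or was handed by an attacker) before authenticating is not the key that carries the logged-in state.

```python
import secrets
from functools import wraps

# Constructed sample tables (not the poster's models): departments keyed by
# primary key, and the department pks each user is authorized to see.
DEPARTMENTS = {1: "Sales", 2: "Finance", 3: "Engineering", 4: "Legal"}
USER_SCOPE = {"alice": {1, 3}, "bob": {2}}


class SessionStore:
    """Server-side session table. The client only ever sees the key."""

    def __init__(self):
        self._data = {}

    def new(self):
        key = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._data[key] = {}
        return key

    def get(self, key):
        # An unknown or forged key yields an empty, unauthenticated session.
        return self._data.get(key, {})

    def cycle_key(self, old_key):
        """Move the session data under a fresh key; called at login so a key
        issued before authentication never becomes a logged-in key."""
        data = self._data.pop(old_key, {})
        new_key = secrets.token_urlsafe(32)
        self._data[new_key] = data
        return new_key


SESSIONS = SessionStore()


class Request:
    """Minimal stand-in for a request carrying the session cookie value."""

    def __init__(self, session_key):
        self.session_key = session_key

    @property
    def session(self):
        return SESSIONS.get(self.session_key)


class NotAuthorized(Exception):
    pass


def login(request, user_id):
    """Record the user and the pks they may see. Password checking is assumed
    to have succeeded before this is called."""
    request.session_key = SESSIONS.cycle_key(request.session_key)
    session = request.session
    session["user_id"] = user_id
    session["scope"] = sorted(USER_SCOPE.get(user_id, set()))
    return request.session_key


def require_login(view):
    """The 'authorization decorator' from the question: it only checks that
    a user id is present in the server-side session."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if "user_id" not in request.session:
            raise NotAuthorized("no user in session")
        return view(request, *args, **kwargs)
    return wrapper


@require_login
def list_departments(request):
    """Row-level filter: the equivalent of filter(id__in=session['scope'])."""
    allowed = set(request.session["scope"])
    return {pk: name for pk, name in DEPARTMENTS.items() if pk in allowed}


@require_login
def get_department(request, pk):
    """Object-level check: a get-by-pk view must apply the scope too, since
    an id__in filter on the list view does not protect a direct lookup."""
    if pk not in request.session["scope"]:
        raise NotAuthorized("pk %r outside scope" % pk)
    return DEPARTMENTS[pk]


def demo():
    anon = Request(SESSIONS.new())
    pre_login_key = anon.session_key
    logged_in_key = login(anon, "alice")
    return {
        "key_rotated": pre_login_key != logged_in_key,
        "old_key_empty": "user_id" not in SESSIONS.get(pre_login_key),
        "visible": list_departments(anon),
    }
```

One caveat that follows from caching the pks in the session at login: if a user's department list is changed in the database, the session keeps the old scope until the user logs in again, so a change that revokes access needs to either delete that user's sessions or be checked against the database on each request.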



Can I just put user id in session for authorization purpose?

2009-04-03 Thread Zeal

I'm a newbie; I've been using Django to develop an application. The
entire application needs to be based on an authorization mechanism. In
my current program, I just put the user's id in the session when they log
in, and there is an authorization decorator to judge whether a request
object includes a user id. Is this safe enough?

By the way, due to a special requirement, the authorization of the end-
user should be based on several fields, like which department or
unit the end-user could visit. Hence, when the user logs in, his/her
authorized object ids (pk in model) will be saved in the session, and then
on every request that needs to retrieve data, those authorized object ids
will be used as a filter condition, like filter(id__in=[]). Is this safe
and effective?