Re: Can I just put user id in session for authorization purpose?
Hi Malcolm,

Thanks for your clear explanation. I've already written the authorization function myself; if you are interested in it, you can refer to the following code. After analysing Django's auth module, I gave it up for integration reasons. However, I copied some useful functions from it into my auth application. As of the current testing, it works well.

+++

>>MODEL: (I have left out some model attributes to save reading time)

    # models.py -- imports added for readability. AUTH_TYPE, STATUS_CHOICES,
    # the Code model and make_random_password() are defined elsewhere in the
    # poster's application and are not shown in this message.
    import datetime

    from django.db import models
    from django.utils.translation import ugettext_lazy as _


    def _new_password_default():
        # Callable default. The original passed make_random_password(length=60)
        # directly, which is evaluated once at import time, so every new row
        # would get the same value and unique=True would reject the second user.
        return make_random_password(length=60)


    class Group(models.Model):
        group_id = models.CharField(_('Group ID'), max_length=8, unique=True)
        group_desc = models.CharField(_('Group Description'), max_length=30, unique=True)


    class View(models.Model):
        """Define which model can be accessed for updating or just viewing."""
        group = models.ForeignKey(Group, verbose_name=_('Group'), related_name='view')
        view_label = models.CharField(_('Group Views'), max_length=20)
        auth_type = models.CharField(_('Access Type'), max_length=1, choices=AUTH_TYPE)


    class Scope(models.Model):
        """Define which scope (based on Code) a certain user may visit."""
        group = models.ForeignKey(Group, verbose_name=_('Group'), related_name='scope')
        code = models.ForeignKey(Code, verbose_name=_('Code'), related_name='scope')


    class User(models.Model):
        # check_password() and password_expired(), used by the login view below,
        # are methods of this model copied from django.contrib.auth (not shown).
        user_id = models.CharField(_('User ID'), max_length=8, unique=True)
        user_name = models.CharField(_('User Name'), max_length=30)
        group = models.ForeignKey(Group, verbose_name=_('Group'), related_name='user')
        birthday = models.DateField(_('Birthday'))
        email = models.EmailField(_('email'))
        password = models.CharField(_('Password'), max_length=80, editable=False,
                                    unique=True, default=_new_password_default)
        effective_date = models.DateField(_('Effective Date'), auto_now_add=True)
        # DateTimeField, so the default is a datetime rather than a date string.
        last_login = models.DateTimeField(_('Last Login Date'), editable=False,
                                          default=datetime.datetime(1900, 1, 1))
        # Integer default (the original used the string '0').
        error_login = models.PositiveSmallIntegerField(_('Error Login'), editable=False, default=0)
        status = models.CharField(_('Status'), max_length=1, choices=STATUS_CHOICES)
        fav = models.CharField(_('My Favorite'), max_length=200, blank=True)

>>LOG IN VIEW:

    # views.py -- imports added. LoginForm, if_setlang(), setlang(), scopeset(),
    # write_log(), TIMES_ERROR_LOGIN and the msg_* strings are defined elsewhere
    # in the poster's application.
    import datetime

    from django.http import HttpResponseRedirect
    from django.shortcuts import render_to_response


    def login(request, template='auths/login.html', url_after_login='/welcome/'):
        if if_setlang(request):
            return setlang(request)  # for language selection
        empty_form = LoginForm()
        if request.method == 'POST':
            form = LoginForm(request.POST)
            if form.is_valid():
                # Use the validated data rather than raw request.POST.
                userid = form.cleaned_data['username']
                password = form.cleaned_data['password']
                userdata = User.objects.filter(user_id__exact=userid)
                if userdata:  # 1.1 user exists
                    # user_id is unique, so this loop runs at most once.
                    _now = datetime.datetime.now()  # last_login is a DateTimeField
                    for i in userdata:
                        if i.check_password(password):  # 1.1 password is correct
                            i.last_login = _now
                            i.save()
                            if i.status == 'S':  # 1.1.1 check status first
                                return render_to_response(template,
                                    {'form': empty_form, 'error_msg': msg_suspend})
                            elif i.password_expired():  # 1.1.2 check password expiration
                                return render_to_response(template,
                                    {'form': empty_form, 'error_msg': msg_expire})
                            else:
                                i.error_login = 0
                                i.save()
                                request.session['user_id'] = userid
                                request.session['scope'] = scopeset(userid)
                                write_log(request, '', 'Log In', log_level=1)  # write log
                                return HttpResponseRedirect(url_after_login)
                        else:  # 1.2 password is incorrect
                            i.error_login += 1
                            psw_times = TIMES_ERROR_LOGIN - i.error_login
                            if i.error_login >= TIMES_ERROR_LOGIN:
                                psw_times, i.status = 0, 'S'
                            i.save()
                            # msg_incorrect % (psw_times) could report remaining attempts
                            error_msg = msg_incorrect if psw_times != 0 else msg_suspend
                            return render_to_response(template,
                                {'form': empty_form, 'error_msg': error_msg})
                else:  # 2 user doesn't exist in database
                    return render_to_response(template,
                        {'form': empty_form, 'error_msg': msg_na})
            return render_to_response(template,
                {'form': empty_form, 'error_msg': msg_invalid})
        else:
            return render_to_response(template, {'form': empty_form})

Regards,
Zeal Hua

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
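The posted view returns one message when the user ID is not in the database (msg_na) and another when the password is wrong (msg_incorrect), so the responses tell a client which IDs exist, and an account that is already suspended still has its error counter incremented on every wrong password. The following is an added example, not the poster's code and not Django's: the same flow (failure counter, lockout after TIMES_ERROR_LOGIN failures, status and password-expiry checks, session set on success) written as a framework-free Python function so it runs stand-alone, but with one message for every credential failure, the suspended check done before the password is verified or the counter touched, a dummy hash evaluation for unknown IDs so timing does not differ, and PBKDF2 password hashing with a constant-time compare. The User dataclass, the values of TIMES_ERROR_LOGIN and PASSWORD_MAX_AGE, and the sample accounts are assumptions of the example.

```python
import datetime
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values for the example; the thread references TIMES_ERROR_LOGIN
# but does not show its value.
TIMES_ERROR_LOGIN = 3
PASSWORD_MAX_AGE = datetime.timedelta(days=90)
PBKDF2_ROUNDS = 100_000

# One message for every credential failure: unknown user, wrong password and
# suspended account are indistinguishable to the client.
MSG_INVALID = 'invalid credentials'


@dataclass
class User:
    """Minimal stand-in for the poster's User model (assumed shape)."""
    user_id: str
    salt: bytes
    pw_hash: bytes
    status: str = 'A'             # 'A' active, 'S' suspended (the post uses 'S')
    error_login: int = 0
    password_set: datetime.date = field(default_factory=datetime.date.today)
    last_login: Optional[datetime.datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ROUNDS)


def make_user(user_id: str, password: str, status: str = 'A') -> User:
    salt = os.urandom(16)
    return User(user_id, salt, hash_password(password, salt), status)


def check_password(user: User, password: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def password_expired(user: User, today: datetime.date) -> bool:
    return today - user.password_set > PASSWORD_MAX_AGE


# A dummy account so that an unknown user ID costs one PBKDF2 evaluation, the
# same as a known one; otherwise response time reveals which IDs exist.
_DUMMY = make_user('__dummy__', os.urandom(8).hex())


def login(users: dict, session: dict, user_id: str, password: str,
          now: Optional[datetime.datetime] = None):
    """Return (ok, message). `users` maps user_id -> User; `session` is the
    server-side session dict for this request."""
    now = now or datetime.datetime.now()
    user = users.get(user_id)
    if user is None:
        check_password(_DUMMY, password)        # burn the same time, then fail
        return False, MSG_INVALID
    if user.status == 'S':
        # Suspended: do not verify the password and do not touch the counter,
        # so repeated attempts cannot keep driving it up.
        return False, MSG_INVALID
    if not check_password(user, password):
        user.error_login += 1
        if user.error_login >= TIMES_ERROR_LOGIN:
            user.status = 'S'                   # locked out; notify out of band
        return False, MSG_INVALID
    if password_expired(user, now.date()):
        # Authenticated, but must rotate the password before getting a session.
        return False, 'password expired'
    user.error_login = 0
    user.last_login = now
    session.clear()                             # fresh session state at login
    session['user_id'] = user.user_id
    return True, 'ok'
```

In a Django view the `session.clear()` step corresponds to giving the session a new key at login (the session API's `cycle_key()`), so a key a client held before authenticating is not the key that becomes authenticated.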
Re: Can I just put user id in session for authorization purpose?
On Sun, 2009-04-05 at 06:27 -0700, Zeal wrote:
> Django's auth is pretty good, however, I need some row-level
> authorization mechanism, like in which department and function a
> certain user could access, so my needs on authorization are pretty
> different from the default auth model. Thanks!

I think you're misunderstanding something here, due to some lazy naming practices in Django's past. The "auth" in django.contrib.auth is for authentication, not authorization. It has all the utility pieces needed to authenticate a user and store any related user information in the session (the user object). It doesn't handle anything to do with authorisation based on that user object.

So I was suggesting using the auth module to avoid needing to manually store the user_id value in any session objects and to handle the authentication portion in the natural flow of things. Authorisation is a separate issue.

Regards,
Malcolm
Re: Can I just put user id in session for authorization purpose?
Django's auth is pretty good, however, I need some row-level authorization mechanism, like in which department and function a certain user could access, so my needs on authorization are pretty different from the default auth model. Thanks!
Re: Can I just put user id in session for authorization purpose?
On Fri, 2009-04-03 at 01:41 -0700, Zeal wrote:
> I'm a newbie, I've been using Django to develop an application. The
> entire application needs to be based on an authorization mechanism. As
> of my current program, I just put the user's id in the session when they log
> in, and there is an authorization decorator to judge whether a request
> object includes a user id; is this safe enough?

Is there some reason you can't use Django's django.contrib.auth application -- perhaps by writing your own authentication backend -- which will handle this sort of thing automatically for you? That will remove the need for you to worry about storing anything manually in the session and will make the user object available as an attribute on the request each time.

> By the way, due to a special requirement, the authorization of the end-
> user should be based on several fields, like which department or
> unit the end-user could visit. Hence, when the user logs in, his/her
> authorized object ids (pk in model) will be saved in the session, and then
> on every request that needs to retrieve data, those authorized object ids
> will be used as a filter condition, like filter(id__in=[]); is this safe
> and effective?

It will work. The session value that the client side (browser) sees is only a key into the sessions table. It's randomly generated, so the chances of somebody guessing another user's active session are small (as in, it would take them a few centuries of guessing 1000 times per second). There's no actual session data sent to the client side -- all that is stored server-side in the django.contrib.session application (there are other ways to manage sessions, but that's how Django's out-of-the-box sessions work).

Regards,
Malcolm
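An added example, not from the thread and not Django's code, of the arrangement Malcolm describes, written in plain Python so it runs without Django: the browser holds only a random session key, the user id and the authorized object ids live in a server-side store, and every data access is filtered by that stored scope, the equivalent of filter(id__in=request.session['scope']). The SessionStore class, the Request stand-in, the login_required decorator, the constructed ROWS table and the group-to-department mapping standing in for the Group/Scope models are all assumptions of the example.

```python
import functools
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed policy


class SessionStore:
    """Server-side session store. The key handed to the browser is 256 bits
    from `secrets`, so guessing another user's key is infeasible; the user id
    and scope never leave the server."""

    def __init__(self):
        self._data = {}

    def create(self, user_id, scope):
        key = secrets.token_urlsafe(32)
        self._data[key] = {'user_id': user_id,
                           'scope': frozenset(scope),
                           'expires': time.time() + SESSION_TTL}
        return key

    def get(self, key):
        rec = self._data.get(key)
        if rec is None or rec['expires'] < time.time():
            self._data.pop(key, None)
            return None
        return rec

    def destroy(self, key):
        self._data.pop(key, None)


# Constructed data standing in for a model table: (pk, department code, payload).
ROWS = [
    (1, 'D01', 'q1 budget'),
    (2, 'D01', 'headcount'),
    (3, 'D02', 'r&d plan'),
    (4, 'D03', 'payroll'),
]
# Constructed equivalent of the poster's Group and Scope tables.
GROUP_SCOPE = {'finance': {'D01', 'D03'}, 'eng': {'D02'}}
USER_GROUP = {'alice': 'finance', 'bob': 'eng'}


def scopeset(user_id):
    """Authorized pks for a user, computed at login like the poster's scopeset()."""
    codes = GROUP_SCOPE[USER_GROUP[user_id]]
    return {pk for pk, code, _ in ROWS if code in codes}


class Request:
    """Stand-in for a web request: carries only the cookie value."""

    def __init__(self, session_key=None):
        self.session_key = session_key
        self.user_id = None
        self.scope = frozenset()


class Unauthorized(Exception):
    pass


def login_required(store):
    """Decorator: resolve the cookie to a server-side record or refuse."""
    def decorate(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            rec = store.get(request.session_key) if request.session_key else None
            if rec is None:
                raise Unauthorized('no valid session')
            request.user_id, request.scope = rec['user_id'], rec['scope']
            return view(request, *args, **kwargs)
        return wrapper
    return decorate


STORE = SessionStore()


def login(user_id):
    """Return the opaque key to set as the session cookie."""
    return STORE.create(user_id, scopeset(user_id))


@login_required(STORE)
def list_rows(request):
    # Equivalent of Model.objects.filter(id__in=request.session['scope']).
    return [row for row in ROWS if row[0] in request.scope]


@login_required(STORE)
def get_row(request, pk):
    # Object-level check: a pk outside the scope yields nothing, so a guessed
    # or tampered id in the URL cannot reach another department's row.
    if pk not in request.scope:
        return None
    return next((row for row in ROWS if row[0] == pk), None)
```

Two things to keep in mind with this pattern: the scope is snapshotted at login, so a change to a user's group or department only takes effect at the next login unless the store is refreshed; and the single-object lookup has to apply the same scope check as the list view, since an id typed into a URL is the usual way a user reaches rows the list never showed them.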
Can I just put user id in session for authorization purpose?
I'm a newbie, I've been using Django to develop an application. The entire application needs to be based on an authorization mechanism. As of my current program, I just put the user's id in the session when they log in, and there is an authorization decorator to judge whether a request object includes a user id; is this safe enough?

By the way, due to a special requirement, the authorization of the end-user should be based on several fields, like which department or unit the end-user could visit. Hence, when the user logs in, his/her authorized object ids (pk in model) will be saved in the session, and then on every request that needs to retrieve data, those authorized object ids will be used as a filter condition, like filter(id__in=[]); is this safe and effective?