Re: Advanced Permissions and States

2008-12-22 Thread Paul van der Linden

makka...@gmail.com wrote:
>> I'm working on a big project at my work myself.
>> We came to this problem last week (we did something to check it, but it
>> was unmanageable).
>> We wanted to move the check to the models. This is a little bit
>> difficult because you basically don't have the user object in the
>> __init__ function of your model. So I've written a small middleware
>> which makes the request object available and handles permission denied.
>> It's rather simple at the moment. The __init__ function of our model calls
>> a function which knows where to get the user object, and raises a
>> permission denied exception when this function doesn't return True.
>>
> Can you explain that a little bit? The __init__ trick...
>
The __init__ function of the model does something like this:
    if not permission.hasPermission():
        raise permission.PermissionsError()

The hasPermission function can be any function which accepts any
arguments, just what you define, of course. The hasPermission function
gets the user object and does the check which is needed; it returns False
when the user doesn't have permission and True when the user does.
When you store the request object in your middleware, please make it
thread-safe (look at the transaction middleware and module of Django for an
example).
>> The
>> middleware picks up the exception and creates a permission denied page.
>>
> That one is a good idea
>

Thanks, the middleware has the function process_exception which checks
for the PermissionsError exception and returns an HttpResponse with the
error page if it encounters that exception; otherwise it returns None.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
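The design Paul describes in the reply above (a middleware that binds the request's user to the thread, a model whose __init__ raises when the check fails, and process_exception turning that exception into a permission-denied response), carried through as an added example. This is not code from the thread or from any project: Request, Response, Product, edit_widget and the handle() driver are constructed stand-ins so the script runs without Django, and the hook names only mirror the old-style Django middleware methods. The second scenario shows why the thread-safety point matters: two requests in flight on two threads each see only their own user, and the slot is cleared when the request ends.

```python
import threading

_state = threading.local()   # per-thread slot: the user bound for the current request


class PermissionsError(Exception):
    """Raised by model code when the current user fails a permission check."""


class Request:                       # stand-in for django.http.HttpRequest
    def __init__(self, user):
        self.user = user


class Response:                      # stand-in for django.http.HttpResponse
    def __init__(self, body, status=200):
        self.body, self.status = body, status


def get_current_user():
    """What the model's check calls to find the user; None outside a request."""
    return getattr(_state, "user", None)


class CurrentUserMiddleware:
    """Binds request.user to the thread for one request (Django hook names).

    Clearing the slot in process_response is the step that is easy to forget:
    server threads are reused, so a user left here would be visible to the
    next request or management code that runs on the same thread.
    """
    def process_request(self, request):
        _state.user = request.user

    def process_exception(self, request, exc):
        # Only our own exception becomes a page; returning None leaves anything
        # else to Django's normal error handling.
        if isinstance(exc, PermissionsError):
            return Response("Permission denied", status=403)
        return None

    def process_response(self, request, response):
        _state.user = None
        return response


class Product:
    """Model-like object whose __init__ enforces ownership, as in the reply."""
    def __init__(self, owner, name):
        user = get_current_user()
        if user is None or user != owner:   # fail closed when no user is bound
            raise PermissionsError("%r may not open a product owned by %r" % (user, owner))
        self.owner, self.name = owner, name


def handle(middleware, request, view):
    """Drive one request through the hooks in the order Django calls them."""
    middleware.process_request(request)
    try:
        response = view(request)
    except Exception as exc:
        response = middleware.process_exception(request, exc)
        if response is None:
            raise
    return middleware.process_response(request, response)


def edit_widget(request):
    """A view that opens the product owned by alice in order to edit it."""
    return Response("edited %s" % Product("alice", "widget").name)


def run_scenarios():
    """Owner gets 200, a stranger gets 403, and the thread is clean afterwards."""
    mw = CurrentUserMiddleware()
    return {
        "owner": handle(mw, Request("alice"), edit_widget).status,
        "stranger": handle(mw, Request("bob"), edit_widget).status,
        "cleared": get_current_user() is None,
    }


def run_parallel():
    """Two requests in flight at once on two threads each see only their own user."""
    mw = CurrentUserMiddleware()
    barrier = threading.Barrier(2)   # hold both threads inside their view at once
    seen = {}

    def worker(user):
        def view(request):
            barrier.wait()
            return Response(get_current_user())
        seen[user] = handle(mw, Request(user), view).body

    threads = [threading.Thread(target=worker, args=(u,)) for u in ("alice", "bob")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen
```

Two caveats a practitioner would add to this pattern. First, process_exception must return None for every exception it does not own, or it will mask real errors as 403 pages. Second, a check placed in Model.__init__ runs on every instantiation, including rows the ORM loads for a queryset, so a listing that touches objects the current user does not own will raise as well; for that reason most projects keep the object-level check at the point where the object is fetched for editing rather than in the constructor.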



Re: Advanced Permissions and States

2008-12-22 Thread makkalot

On Monday 22 December 2008 12:18:13 pm Paul van der Linden wrote:
> Hi,
Hi, thanks for the reply.
> I'm working on a big project at my work myself.
> We came to this problem last week (we did something to check it, but it
> was unmanageable).
> We wanted to move the check to the models. This is a little bit
> difficult because you basically don't have the user object in the
> __init__ function of your model. So I've written a small middleware
> which makes the request object available and handles permission denied.
> It's rather simple at the moment. The __init__ function of our model calls
> a function which knows where to get the user object, and raises a
> permission denied exception when this function doesn't return True.
Can you explain that a little bit? The __init__ trick...

> The 
> middleware picks up the exception and creates a permission denied page.
>
That one is a good idea

> makka...@gmail.com wrote:
> > Hi, I'm developing an e-commerce site with Django, and have situations
> > like this:
> >
> > - A user can execute different operations in different time intervals if
> > he has the right privileges.
> >   Ex: A user can edit only his products.
> >   Ex: A user can edit only his orders when he has bought the product.
> >
> > The solution may seem straightforward: you have a view and do this:
> >
> > def some_view(request):
> >     if not first_requirement_ok:
> >         raise Error
> >     if not second_requirement_ok:
> >         raise Error
> >
> >     #all other requirements
> >     .
> >     .
> >     .
> >     .
> >
> > In the past I developed a forum app and did the same thing as above.
> > However, when I put the app in production I saw that there were some
> > security issues. Some users were able to edit others' posts, etc.
> >
> > I think this time I need something better and more dynamic. Does someone
> > know some way to do things cooler? Some pattern or way that will let me
> > manage that user privilege interaction more easily.
> >
> > What I think for now is to write lots of security decorators and use
> > them. Something like this:
> >
> > @is_user_owner
> > @did_he_buy_product
> > def some_view(request):
> >     pass  # do the operation
> >
> >
> > Another way I'm thinking about is to use the State Pattern (using state
> > diagrams) and move that code somewhere else for more flexibility. For
> > example:
> >
> > class SomeState:
> >
> >     @is_user_owner
> >     @did_he_buy_product
> >     def change_state(self, *args):
> >         pass  # do stuff
> >
> >
> > Do some of you manage that kind of big project, and how do you manage
> > it? Any advice or recommendations will be appreciated.
>





Re: Advanced Permissions and States

2008-12-22 Thread Paul van der Linden

Hi,
I'm working on a big project at my work myself.
We came to this problem last week (we did something to check it, but it
was unmanageable).
We wanted to move the check to the models. This is a little bit
difficult because you basically don't have the user object in the
__init__ function of your model. So I've written a small middleware
which makes the request object available and handles permission denied.
It's rather simple at the moment. The __init__ function of our model calls
a function which knows where to get the user object, and raises a
permission denied exception when this function doesn't return True. The
middleware picks up the exception and creates a permission denied page.

makka...@gmail.com wrote:
> Hi, I'm developing an e-commerce site with Django, and have situations like
> this:
>
> - A user can execute different operations in different time intervals if he
> has the right privileges.
>   Ex: A user can edit only his products.
>   Ex: A user can edit only his orders when he has bought the product.
>
> The solution may seem straightforward: you have a view and do this:
>
> def some_view(request):
>     if not first_requirement_ok:
>         raise Error
>     if not second_requirement_ok:
>         raise Error
>
>     #all other requirements
>     .
>     .
>     .
>     .
>
> In the past I developed a forum app and did the same thing as above. However,
> when I put the app in production I saw that there were some security issues.
> Some users were able to edit others' posts, etc.
>
> I think this time I need something better and more dynamic. Does someone know
> some way to do things cooler? Some pattern or way that will let me manage that
> user privilege interaction more easily.
>
> What I think for now is to write lots of security decorators and use them.
> Something like this:
>
> @is_user_owner
> @did_he_buy_product
> def some_view(request):
>     pass  # do the operation
>
>
> Another way I'm thinking about is to use the State Pattern (using state
> diagrams) and move that code somewhere else for more flexibility. For
> example:
>
> class SomeState:
>
>     @is_user_owner
>     @did_he_buy_product
>     def change_state(self, *args):
>         pass  # do stuff
>
>
> Do some of you manage that kind of big project, and how do you manage it?
> Any advice or recommendations will be appreciated.
>





Advanced Permissions and States

2008-12-20 Thread makkalot

Hi, I'm developing an e-commerce site with Django, and have situations like
this:

- A user can execute different operations in different time intervals if he
has the right privileges.
  Ex: A user can edit only his products.
  Ex: A user can edit only his orders when he has bought the product.

The solution may seem straightforward: you have a view and do this:

def some_view(request):
    if not first_requirement_ok:
        raise Error
    if not second_requirement_ok:
        raise Error

    #all other requirements
    .
    .
    .
    .

In the past I developed a forum app and did the same thing as above. However,
when I put the app in production I saw that there were some security issues.
Some users were able to edit others' posts, etc.

I think this time I need something better and more dynamic. Does someone know
some way to do things cooler? Some pattern or way that will let me manage that
user privilege interaction more easily.

What I think for now is to write lots of security decorators and use them.
Something like this:

@is_user_owner
@did_he_buy_product
def some_view(request):
    pass  # do the operation


Another way I'm thinking about is to use the State Pattern (using state
diagrams) and move that code somewhere else for more flexibility. For
example:

class SomeState:

    @is_user_owner
    @did_he_buy_product
    def change_state(self, *args):
        pass  # do stuff


Do some of you manage that kind of big project, and how do you manage it?
Any advice or recommendations will be appreciated.

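The decorator approach sketched in the original post, carried through as an added example that is not code from the post or from any project. The point it makes is the one behind "some users were able to edit others' posts": each decorator resolves the object named in the URL kwargs and checks the relationship between that object and request.user, rather than only checking that a user is logged in, and it fails closed when the object does not exist. PermissionDenied, Request, the PRODUCTS and ORDERS rows, EDIT_WINDOW, DEFAULT_NOW and the two views are constructed here so it runs without Django; is_user_owner and did_he_buy_product follow the post's names, and within_edit_window is an assumed name for the post's time-interval rule.

```python
import functools
from datetime import datetime, timedelta


class PermissionDenied(Exception):
    """Raised by a decorator when the rule it guards is not met."""


class Request:
    """Stand-in for HttpRequest (constructed for this example): carries the user."""
    def __init__(self, user):
        self.user = user


# Constructed sample rows standing in for the Product and Order models.
PRODUCTS = {
    1: {"owner": "alice", "name": "widget"},
    2: {"owner": "bob", "name": "gadget"},
}
ORDERS = {
    10: {"buyer": "alice", "product_id": 2, "paid_at": datetime(2008, 12, 1)},
    11: {"buyer": "alice", "product_id": 2, "paid_at": None},   # not paid yet
}
EDIT_WINDOW = timedelta(days=30)          # assumed length of the edit interval
DEFAULT_NOW = datetime(2008, 12, 20)      # clock used unless the caller passes now=


def is_user_owner(view):
    """Rule 1: only the owner of the product named by product_id may proceed."""
    @functools.wraps(view)
    def wrapper(request, **kwargs):
        product = PRODUCTS.get(kwargs.get("product_id"))
        # Fail closed: an unknown id is a denial, never an ownerless object.
        if product is None or product["owner"] != request.user:
            raise PermissionDenied("not the owner")
        return view(request, **kwargs)
    return wrapper


def did_he_buy_product(view):
    """Rule 2: only the buyer of a paid order named by order_id may proceed."""
    @functools.wraps(view)
    def wrapper(request, **kwargs):
        order = ORDERS.get(kwargs.get("order_id"))
        if order is None or order["buyer"] != request.user or order["paid_at"] is None:
            raise PermissionDenied("no paid order")
        return view(request, **kwargs)
    return wrapper


def within_edit_window(view):
    """Time-interval rule: the order may be edited only EDIT_WINDOW after payment."""
    @functools.wraps(view)
    def wrapper(request, **kwargs):
        now = kwargs.pop("now", DEFAULT_NOW)      # injected clock, not passed to the view
        order = ORDERS.get(kwargs.get("order_id"))
        if order is None or order["paid_at"] is None or now - order["paid_at"] > EDIT_WINDOW:
            raise PermissionDenied("edit window closed")
        return view(request, **kwargs)
    return wrapper


@is_user_owner
def edit_product(request, product_id):
    return "edited product %d" % product_id


@did_he_buy_product
@within_edit_window
def edit_order(request, order_id):
    return "edited order %d" % order_id


def attempt(view, user, **kwargs):
    """Call a view as the URL dispatcher would and report the outcome."""
    try:
        return view(Request(user), **kwargs)
    except PermissionDenied as exc:
        return "denied: %s" % exc


def run_matrix():
    """Outcome for each situation the post lists, plus the fail-closed cases."""
    return {
        "owner edits own product": attempt(edit_product, "alice", product_id=1),
        "stranger edits product": attempt(edit_product, "bob", product_id=1),
        "unknown product id": attempt(edit_product, "alice", product_id=99),
        "buyer edits paid order": attempt(edit_order, "alice", order_id=10),
        "buyer edits unpaid order": attempt(edit_order, "alice", order_id=11),
        "stranger edits order": attempt(edit_order, "bob", order_id=10),
        "buyer edits after window": attempt(edit_order, "alice", order_id=10,
                                            now=datetime(2009, 3, 1)),
    }
```

Each decorator guards exactly one rule and reads the object from the URL kwargs itself, so the rules compose in any order and the view body never runs unless every rule passed; the same decorators applied to a method of a State class work identically, since they only need request and the id kwargs. In a real Django project the row lookups would be model queries (get_object_or_404 against request.user), and the exception would map to a 403 as in Paul's middleware.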