Hi, I'm developing an e-commerce site with Django, and have situations like 
this:

- A user can execute different operations in different time-intervals if he 
has the right privileges.
        Ex: A user can edit only his products.
        Ex: A user can edit only his orders when he has bought the product.

The solution may seem straightforward: you have a view and do this:

from django.core.exceptions import PermissionDenied

def some_view(request):
    # each check fails closed: deny before any work is done
    if not first_requirement_ok:
        raise PermissionDenied
    if not second_requirement_ok:
        raise PermissionDenied

    # ... all other requirements, checked the same way
    ...

In the past I developed a forum app and did the same thing as above. However, 
when I put the app in production I saw that there were some security issues. 
Some users were able to edit others' posts, etc.

I think that this time I need something better and more dynamic. Does someone 
know some way to do things cooler? Some pattern or way that will let me manage 
that user privilege interaction more easily.

What I think for now is to write lots of security decorators and use them. 
Something like this:

@is_user_owner
@did_he_buy_product
def some_view(request):
    # do the operation
    ...


Another way I'm thinking about is to use the State Pattern (using the state 
diagrams) and move that code somewhere else for more flexibility. For 
example:

class SomeState:

    @is_user_owner
    @did_he_buy_product
    def change_state(self, *args):
        # do stuff
        ...

Do some of you manage that kind of big project, and how do you manage it? 
Any advice or recommendations will be appreciated.
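Below is an added example (not code from the post above) that works out the decorator idea and the State-Pattern variant in one place: small named predicates such as "is the owner" or "has paid", composed by a `requires()` decorator that loads the object and fails closed before the view body runs. Django itself is not imported so the block runs stand-alone; `PermissionDenied`, `Request`, `User`, `Product`, `Order` and the dict-based lookups are assumed stand-ins for `django.core.exceptions.PermissionDenied`, `HttpRequest`, the ORM models and `get_object_or_404`.

```python
"""Composable object-level permission checks for views (added example).

Stand-ins for Django pieces are marked as assumptions; in a real project
swap in django.core.exceptions.PermissionDenied, request.user and ORM lookups.
"""
from dataclasses import dataclass
from functools import wraps


class PermissionDenied(Exception):
    """Assumption: stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class User:
    username: str


@dataclass
class Product:
    pk: int
    owner: User


@dataclass
class Order:
    pk: int
    buyer: User
    product: Product
    paid: bool = False


@dataclass
class Request:
    """Assumption: stand-in for HttpRequest, only `user` is needed here."""
    user: User


# Constructed in-memory "database" (assumption: replaces ORM queries).
alice = User("alice")
bob = User("bob")
PRODUCTS = {1: Product(1, owner=alice)}
ORDERS = {
    10: Order(10, buyer=bob, product=PRODUCTS[1], paid=True),
    11: Order(11, buyer=bob, product=PRODUCTS[1], paid=False),
}


# Predicates: each answers exactly one question about (user, obj).
def is_owner(user, product):
    return product.owner == user


def is_buyer(user, order):
    return order.buyer == user


def has_paid(user, order):
    return order.paid


def requires(loader, *checks):
    """Decorator factory: `loader(**url_kwargs)` fetches the target object,
    then every predicate must hold for request.user, otherwise
    PermissionDenied is raised before the view body executes.
    The loaded object is handed to the view so it is fetched only once."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, **kwargs):
            obj = loader(**kwargs)
            for check in checks:
                if not check(request.user, obj):
                    raise PermissionDenied(
                        f"{check.__name__} failed for {request.user.username}")
            return view(request, obj)
        return wrapper
    return decorator


def load_product(product_id):
    return PRODUCTS[product_id]   # Django: get_object_or_404(Product, pk=...)


def load_order(order_id):
    return ORDERS[order_id]


@requires(load_product, is_owner)
def edit_product(request, product):
    return f"{request.user.username} edited product {product.pk}"


@requires(load_order, is_buyer, has_paid)
def edit_order(request, order):
    return f"{request.user.username} edited order {order.pk}"


def demo():
    """Run the views as several users; denied calls are recorded, not raised."""
    cases = [
        ("owner_edits_product", edit_product, Request(alice), {"product_id": 1}),
        ("stranger_edits_product", edit_product, Request(bob), {"product_id": 1}),
        ("buyer_edits_paid_order", edit_order, Request(bob), {"order_id": 10}),
        ("buyer_edits_unpaid_order", edit_order, Request(bob), {"order_id": 11}),
        ("owner_edits_buyers_order", edit_order, Request(alice), {"order_id": 10}),
    ]
    results = {}
    for name, view, request, kwargs in cases:
        try:
            results[name] = view(request, **kwargs)
        except PermissionDenied as exc:
            results[name] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same `requires()` works unchanged on a method of a State-Pattern class, because the decorator only needs the request and the URL kwargs. Keeping each rule as a tiny predicate over `(user, obj)` is what makes the forum-style bug ("some users could edit others' posts") hard to reintroduce: the ownership check is written once, named, and applied per object rather than re-derived inside every view.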

You received this message because you are subscribed to the Google Groups 
"Django users" group.