Hi, I'm working on a big project at my work myself. We came to this problem last week (we did something to check it, but it was unmanageable). We wanted to move the check to the models. This is a little bit difficult because you basically don't have the user object in the __init__ function of your model. So I've written a small middleware which makes the request model available and handles permission denied. It's rather simple at the moment. The __init__ function of our model calls a function which knows where to get the user object, and raises a permission denied exception when this function isn't returning True. The middleware picks up the exception and creates a permission denied page.
makka...@gmail.com wrote:
> Hi, I'm developing an e-commerce site with Django, and have situations like
> this:
>
> - A user can execute different operations in different time-intervals if he
>   has the right privileges.
>   Ex: A user can edit only his products
>   Ex: A user can edit only his orders when he has bought the product.
>
> The solution may seem straightforward: you have a view and do this:
>
>     def some_view(request):
>         if not first_requirement_ok:
>             raise Error
>         if not second_requirement_ok:
>             raise Error
>
>         # all other requirements
>         ...
>
> In the past I developed a forum app and did the same thing as above. However
> when I put the app in production I saw that there were some security issues.
> Some users were able to edit others' posts, etc.
>
> I think this time I need something better and more dynamic. Does someone know some
> way to do things cooler? Some pattern or way that will let me manage that
> user privilege interaction more easily.
>
> What I think for now is to write lots of security decorators and use them.
> Something like that:
>
>     @is_user_owner
>     @did_he_buy_product
>     def some_view(request):
>         # do the operation
>         ...
>
> Another way I think about is to use the State Pattern (using the state
> diagrams) and move that code somewhere else for more flexibility. For
> example:
>
>     class SomeState:
>
>         @is_user_owner
>         @did_he_buy_product
>         def change_state(*args):
>             # do stuff
>             ...
>
> Do some of you manage that kind of big project, and how do you manage it?
> Any advice or recommendations will be appreciated.
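The middleware-plus-model pattern the reply describes, as an added example that is not code from the thread: the middleware parks the request's user in a thread-local slot, the model's __init__ reads it through a lookup function and raises PermissionDenied when the ownership rule fails, and the middleware turns that exception into a 403 page. Request, Product and the (status, body) response tuple are constructed stand-ins for Django's own objects so the example runs without Django.

```python
import threading

class PermissionDenied(Exception):
    """Raised by a model when the current user may not act on the object."""

# Thread-local slot filled by the middleware; models read the user from it.
_state = threading.local()

def current_user():
    """The function the model calls: it knows where the user object lives."""
    return getattr(_state, "user", None)

class PermissionMiddleware:
    """Makes request.user available for the request's lifetime and converts
    PermissionDenied into a 403 response instead of a traceback."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        _state.user = request.user
        try:
            return self.get_response(request)
        except PermissionDenied as exc:
            return (403, f"Permission denied: {exc}")
        finally:
            _state.user = None          # never leak a user into the next request

class Product:
    """Constructed stand-in for a Django model whose __init__ enforces
    the thread's rule: a user may edit only his own products."""
    def __init__(self, product_id, owner):
        self.product_id = product_id
        self.owner = owner
        user = current_user()
        if not self.user_may_access(user):
            raise PermissionDenied(f"{user!r} is not the owner of product {product_id}")

    def user_may_access(self, user):
        return user is not None and user == self.owner

class Request:
    """Constructed stand-in for HttpRequest; only .user is needed here."""
    def __init__(self, user):
        self.user = user

def edit_product_view(request):
    # The view repeats no ownership check; instantiating the model enforces it.
    product = Product(product_id=42, owner="alice")
    return (200, f"editing product {product.product_id}")

app = PermissionMiddleware(edit_product_view)

def handle(user):
    """Run one request through the middleware as the given user."""
    return app(Request(user))
```

Note that the check fires on every instantiation, so it also covers code paths that never go through the decorated view.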