On Monday 22 December 2008 12:18:13 pm Paul van der Linden wrote:
> Hi,
Hi, thanks for the reply.
> I'm working on a big project at my work myself.
> We came to this problem last week (we did something to check it, but it
> was unmanageable).
> We wanted to move the check to the models. This is a little bit
> difficult because you basically don't have the user object in the
> __init__ function of your model. So I've written a small middleware
> which makes the request model available and handles permission denied.
> It's rather simple at the moment. The __init__ function of our model calls
> a function which knows where to get the user object, and raises a
> permission denied exception when this function isn't returning True.
Can you explain that a little bit? The __init__ trick...

> The 
> middleware picks up the exception and creates a permission denied page.
>
That one is a good idea.

> makka...@gmail.com wrote:
> > Hi, I'm developing an e-commerce site with Django, and have situations
> > like this:
> >
> > - A user can execute different operations in different time-intervals if
> > he has the right privileges.
> >     Ex : A user can edit only his products
> >     Ex : A user can edit only his orders when he has bought the product.
> >
> > The solution may seem straightforward: you have a view and do this:
> >
> > def some_view(request):
> >     if not first_requirement_ok:
> >             raise Error
> >     if not second_requirement_ok:
> >             raise Error
> >
> >     #all other requirements
> >     .
> >     .
> >     .
> >     .
> >
> > In the past I developed a forum app and did the same thing as above.
> > However, when I put the app in production I saw that there were some
> > security issues. Some users were able to edit others' posts, etc.
> >
> > I think this time I need something better and more dynamic. Does someone
> > know some way to do things cooler? Some pattern or way that will let me
> > manage that user privilege interaction easier.
> >
> > What I think for now is to write lots of security decorators and use
> > them. Something like this:
> >
> > @is_user_owner
> > @did_he_buy_product
> >
> > def some_view(request):
> >     #do the operation
> >
> >
> > Another way i think about is to use the State Pattern (using the state
> > diagrams) and move that code somewhere else for more flexibility. For
> > example:
> >
> > class SomeState:
> >
> >     @is_user_owner
> >     @did_he_buy_product
> >
> >     def change_state(*args):
> >             #do stuff
> >
> >
> > Do some of you manage that kind of big project, and how do you manage
> > it? Any advice or recommendations will be appreciated.
>
> 


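A minimal sketch of the two ideas discussed in this thread (view decorators built from an object-level check that raises a permission denied exception, and a middleware-style handler that turns that exception into a 403 page), added here as an example that is not part of the original thread. It uses plain-Python stand-ins for Django's request, user and model objects, and the product data is constructed.

```python
from dataclasses import dataclass, field
from functools import wraps

class PermissionDenied(Exception):
    """Raised by a failed check; dispatch() turns it into a 403 response."""
@dataclass
class User:                 # stand-in for request.user
    name: str
    purchased: set = field(default_factory=set)   # ids of products bought
@dataclass
class Product:              # stand-in for a model instance
    id: int
    owner: str
@dataclass
class Request:              # stand-in for Django's HttpRequest
    user: User

PRODUCTS = {1: Product(1, "alice"), 2: Product(2, "bob")}   # constructed data

def require(check):
    """View decorator built from an object-level predicate check(request, obj).
    Anything other than True, or a missing object, denies: it fails closed."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, product_id):
            obj = PRODUCTS.get(product_id)
            if obj is None or check(request, obj) is not True:
                raise PermissionDenied(f"{request.user.name} on product {product_id}")
            return view(request, product_id)
        return wrapper
    return decorator

is_user_owner = require(lambda req, p: p.owner == req.user.name)
did_he_buy_product = require(lambda req, p: p.id in req.user.purchased)

@is_user_owner
def edit_product(request, product_id):
    return (200, f"editing product {product_id}")

@did_he_buy_product
def review_product(request, product_id):
    return (200, f"reviewing product {product_id}")

def dispatch(view, user, product_id):
    """Per-request entry point. The try/except plays the thread's middleware:
    a PermissionDenied raised anywhere below becomes a 403 page."""
    try:
        return view(Request(user), product_id)
    except PermissionDenied as exc:
        return (403, f"Permission denied: {exc}")
```

Because every rule goes through `require`, a view that forgets a decorator is the only way to get an unchecked edit, which is far easier to audit than per-view `if` chains.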