On Mon, May 25, 2009 at 8:25 PM, Sam Kuper <sampabloku...@googlemail.com> wrote:
> 2009/5/26 Alex Gaynor <alex.gay...@gmail.com>
>
>> On Mon, May 25, 2009 at 7:51 PM, Sam Kuper
>> <sampabloku...@googlemail.com> wrote:
>>
>>> Suppose you were re-writing Facebook in Django.
>>>
>>> Would you handle the complex profile and privacy settings pages by:
>>>
>>> A) exposing the relevant admin pages to users, with careful auth to stop
>>> users from being able to access admin pages they shouldn't be able to.
>>> Obviously this would require much custom templating in order to achieve the
>>> desired visual appearance (instead of the default Django admin appearance),
>>> but it would have the advantage of not requiring new views and forms to be
>>> written.
>>>
>>> B) creating forms and views as needed for the profile and privacy
>>> settings, keeping the users out of the admin app entirely, and reserving the
>>> latter only for Facebook staff.
>>> [...]
>>>
>>
>> B). The admin is designed really for use with fully trusted
>> administrators only, the extra hooks that have been placed in for more fine
>> grained control notwithstanding.
>>
>
> Thanks Alex. It sounds like your reason for choosing B is based on security
> concerns - specifically that authorisation within the admin may not be as
> strong as authorisation that prevents users from accessing the admin. Is
> that correct? If so, is this the case because the former involves only one
> layer of security (user must be authorised in order to access specific admin
> functionality) whereas the latter involves two layers (same as above AND
> user must be authorised to use the admin at all)?
>
> Thanks for your help,
>
> Sam
>
> PS. If anyone else also has opinions about this, I'd be glad to hear them!
>

It's not even an authorisation issue, it's that I'd be overriding nearly every method to make sure the behavior was what I wanted, and then I'd replace all the templates since I want everything the user sees to be similarly themed, and at this point I've already rewritten a ton of code.
Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." --Voltaire
"The people's good is the highest law." --Cicero

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
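The authorization difference behind Sam's "one layer versus two layers" question, as an added illustration that is not code from either poster or from Django itself. It is written in plain Python so it runs without a Django install, and mirrors Django's concepts rather than calling them: `User.is_staff` and `has_perm` stand in for `django.contrib.auth`, the `profiles.change_profile` permission string, the `Profile` model, the visibility choices and the sample rows are all assumptions. Option A is gated the way the stock admin is (staff flag plus a model-level change permission, then an object chosen by a client-supplied primary key), while option B resolves the object from the authenticated user and never accepts an id from the client at all.

```python
# Added illustration for the thread above; not code from the posters or
# from Django. Everything below (User, Profile, the permission string,
# the visibility choices, the sample rows) is an assumption for the demo.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised where a Django view would return 403."""


class NotFound(Exception):
    """Raised where a Django view would return 404."""


VISIBILITY_CHOICES = {"public", "friends", "only_me"}   # assumed form choices


@dataclass
class User:
    username: str
    is_staff: bool = False
    is_authenticated: bool = True
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        # Model-level permission, in the spirit of django.contrib.auth.
        return perm in self.perms


@dataclass
class Profile:
    pk: int
    owner: str                      # username of the owning user
    visibility: str = "friends"


def make_profiles() -> dict:
    """Constructed sample table: two users, one profile each."""
    return {1: Profile(pk=1, owner="alice"), 2: Profile(pk=2, owner="bob")}


def validate_visibility(value: str) -> str:
    # Stands in for a form's ChoiceField validation.
    if value not in VISIBILITY_CHOICES:
        raise ValueError(f"invalid visibility: {value!r}")
    return value


def admin_change_view(profiles: dict, user: User, pk: int, visibility: str) -> Profile:
    """Option A, admin-style gate: staff flag plus a model-level 'change'
    permission, after which the object is chosen by a client-supplied pk.
    The permission cannot express "only your own profile", so a user who
    is granted it to reach their own admin page can edit everyone's.
    """
    if not (user.is_staff and user.has_perm("profiles.change_profile")):
        raise PermissionDenied(user.username)
    profile = profiles.get(pk)
    if profile is None:
        raise NotFound(pk)
    profile.visibility = validate_visibility(visibility)
    return profile


def privacy_settings_view(profiles: dict, user: User, visibility: str) -> Profile:
    """Option B, dedicated view: no pk is taken from the request. The
    profile is resolved from the authenticated user, the way a Django
    view would do get_object_or_404(Profile, user=request.user), so
    there is no request parameter that can name somebody else's row.
    """
    if not user.is_authenticated:
        raise PermissionDenied("anonymous")   # login_required equivalent
    profile = next((p for p in profiles.values() if p.owner == user.username), None)
    if profile is None:
        raise NotFound(user.username)
    profile.visibility = validate_visibility(visibility)
    return profile


def demo() -> dict:
    """Run both options on fresh sample data; report whose row each changed."""
    profiles = make_profiles()
    # Bob was given staff + change permission so he could reach "his" admin page.
    bob = User("bob", is_staff=True, perms={"profiles.change_profile"})
    admin_change_view(profiles, bob, 1, "public")      # pk=1 is Alice's row
    touched_by_admin = profiles[1].owner

    profiles = make_profiles()
    plain_bob = User("bob")                            # no admin rights at all
    changed = privacy_settings_view(profiles, plain_bob, "only_me")
    return {"admin_edited_owner": touched_by_admin,
            "view_edited_owner": changed.owner,
            "alice_still": profiles[1].visibility}


if __name__ == "__main__":
    print(demo())
```

The point of the second view is structural rather than a stronger check: because the row is looked up by `request.user`, there is nothing for a client to tamper with, which is why a dedicated view needs no per-object permission hooks at all, whereas reusing the admin would mean overriding its permission methods object by object, as Alex describes.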