2009/8/21 Gerard <lijss...@gp-net.nl>: > > Hi All, > > I'm working on an invoice system, currently deployed the single user version > in house. Next one is gonna be a full blown multi user setup. Having > fairly good knowledge of security, I was wondering what would be best > practice in Django for data separation. So user A only sees his customer > data and not the data from user B. > > Some side notes: > - Since there's a good auth system in Django I would like to take full > advantage of that. > - User session info will be used so al app users see the same url. Thus not > http://example.com/userid/customers but http://example.com/customers > - Fixating security on record level, seems error prone, coding wise > - Fixating on database seems badly manageble in the long run, since there > will be a lot of users, but not an incredible amount of data per user. >
Interesting stuff; I'm interested in knowing what the best practices are too. One thing I'm considering doing is overriding the default manager in each model so that the current user is considered when making queries. This makes it harder for you to accidentally return all user's data in the view. Of course, you can still have the default manager in the model; just name it something else so you have to consciously use it. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---
