I did find a nice sitewide middleware login system which takes care of one 
aspect of my 'problem'. http://www.djangosnippets.org/snippets/1158/

Not completely to my taste, because it (me?) requires some CSS file in 
PUBLIC_URLS. Figured I'd start on the manual @login_required for now to get 
some hands-on experience first.

I might *bump* this message again later.

Regards,

Gerard.

Sam Lai wrote:
> 2009/8/21 Gerard <lijss...@gp-net.nl>:
>> Hi All,
>>
>> I'm working on an invoice system; currently I have deployed the single-user version
>>  in-house. The next one is gonna be a full-blown multi-user setup. Having
>> fairly good knowledge of security, I was wondering what would be best
>> practice in Django for data separation. So user A only sees his customer
>> data and not the data from user B.
>>
>> Some side notes:
>> - Since there's a good auth system in Django I would like to take full
>> advantage of that.
>> - User session info will be used so all app users see the same URL. Thus not
>> http://example.com/userid/customers but http://example.com/customers
>> - Fixating security on record level, seems error prone, coding wise
>> - Fixating on the database seems badly manageable in the long run, since there
>> will be a lot of users, but not an incredible amount of data per user.
>>
> 
> Interesting stuff; I'm interested in knowing what the best practices are too.
> 
> One thing I'm considering doing is overriding the default manager in
> each model so that the current user is considered when making queries.
> This makes it harder for you to accidentally return all user's data in
> the view.
> 
> Of course, you can still have the default manager in the model; just
> name it something else so you have to consciously use it.
> 


-- 
self.url = www.gerardjp.com

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
