Hiya Tim,

Thanx for the response. Thing is I already have queries running like this:

Customer.objects.filter(user=request.user).order_by('company_name')

The problem however is that I don't trust myself enough to never make a mistake and show the wrong data to the wrong user. All my models have an "owner" field, but if the queries are not using that there's unwanted data disclosure.

I'm trying to figure out if it's possible to write a tiny piece of middleware that alarms me when a query is invoked without filtering on the owner field, and at least have it running during development. Would that be a feasible option?

Thanx, Regards,
Gerard.

Tim Chase wrote:
> Gerard wrote:
>> Hi all,
>>
>> I'm working on a safe way to get users to only see their own records. I've
>> been working on subclassing model.Manager and requiring an 'owner' param for
>> filter() or otherwise returning an empty query set .. just to failsafe my
>> own view coding.
>>
>> Then I figured I could get records in my view via the user.whatever_objects
>> like this:
>>
>> user = User.objects.get(username=request.user)
>> customer_list = user.customers.all().order_by('company_name')
>>
>> But that would make two db connects. When growing in scale, could this
>> eventually be a performance bottleneck?
>
> This might be rewritable as
>
> Customer.objects.filter(user=request.user).order_by('company_name')
>
> or
>
> request.user.customers.all().order_by('company_name')
>
> Test each to see how many queries (not connections) are sent in
> each case.
>
> -tim

-- 
self.url = www.gerardjp.com
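One way to build the development-time alarm Gerard asks about, as an added example that is not code from this thread: a pure-Python checker that inspects the SQL Django is about to run and raises when a SELECT touches an owner-scoped table without an owner filter. It assumes Django 2.0 or later (for `connection.execute_wrapper`), constructed table names `app_customer` and `app_invoice`, and an "owner" field that is a ForeignKey (column `owner_id`) or a plain column (`owner`).

```python
import re

# Constructed sample: tables whose rows carry an owner column. In a real
# project this set would be derived from the models that define "owner".
OWNED_TABLES = {"app_customer", "app_invoice"}


class UnscopedQuery(Exception):
    """A SELECT touched an owned table without filtering on its owner."""


def is_owner_scoped(sql, owned_tables=OWNED_TABLES):
    """True if `sql` reads no owned table, or filters every owned table it
    reads by owner. Conservative: an owned table reached only through a JOIN
    is flagged too, so the check errs toward noise rather than silence."""
    text = sql.lower().replace('"', "").replace("`", "")  # drop identifier quotes
    if not text.lstrip().startswith("select"):
        return True  # only reads are checked; writes are left to the view
    touched = [t for t in owned_tables if re.search(rf"\b{re.escape(t)}\b", text)]
    for table in touched:
        # Django renders a ForeignKey named "owner" as <table>.owner_id; a plain
        # field would be <table>.owner. Accept "= %s" and "IN (...)" filters.
        if not re.search(rf"\b{re.escape(table)}\.owner(_id)?\s*(=|in\b)", text):
            return False
    return True


def owner_filter_guard(execute, sql, params, many, context):
    """Callback with the signature expected by django.db.connection.execute_wrapper
    (Django 2.0+): raise on an unscoped read, otherwise run the query unchanged."""
    if not is_owner_scoped(sql):
        raise UnscopedQuery(f"query without owner filter: {sql}")
    return execute(sql, params, many, context)


def install_guard():
    """Return the context manager that wraps every query on this thread; use it
    in a middleware that is enabled only when DEBUG is on."""
    from django.db import connection  # imported lazily so the checker stays Django-free
    return connection.execute_wrapper(owner_filter_guard)
```

In a DEBUG-only middleware, `with install_guard(): return get_response(request)` makes every unscoped SELECT raise instead of silently returning another user's rows.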