REQ: Help with row-level perms and model (item, user) method problems.

2008-10-26 Thread jfine

Hi

I'm now doing serious (for me) work with Django (which I like a lot)
and have come up against a problem.

My application requires row-level permissions.  I think I've got most
of it sorted out, but I'm having problems with templates and views.

My basic idea is this.  Add a field
    edit_groups = models.ManyToManyField(Group)
which tells us which group members can edit the object.

Then define a method
    def is_editable_by(self, user):
        # The owner can always edit.
        if self.owner.pk == user.pk:
            return True
        # So can any member of one of the edit groups.
        if self.edit_groups.filter(user=user):
            return True
        return False

This allows me to determine if a user can edit the object.

Now for the problem.  In the detail template for the object I'd like
to know if I can edit the object (so I can offer a link for doing
that).  I don't see an easier and straightforward way of doing this,
particularly as I want to continue to use generic views.

The problem is that the request (with .user as an attribute) and the
item (with .is_editable_by as a method) meet only in the template, and
not before.  This is, it seems to me, part of the architecture of
Django.  For example, MIDDLEWARE_CLASSES and
TEMPLATE_CONTEXT_PROCESSORS are passed only the request object.

By the way, in the list view we'd like to tell the user which are the
items she can edit, so a single global won't do.

What would work is an 'attribute' of item, so we could write
{% if item.is_editable %}
but we have to know the user to make the calculation.  The best I can
think of is something like
   {% get_is_editable as myvar %}
   {% if myvar %}
but that's not at all nice.

Here's a couple of related URLs.  First, a discussion in this group
Status of pre-object-level permissions
http://groups.google.com/group/django-users/browse_thread/thread/ad870c79b5d36f9a

Next, a clever hack
Django Admin Hack - Fields varying with user permissions
http://lukeplant.me.uk/blog.php?id=1107301634
referred to by this FAQ entry
http://docs.djangoproject.com/en/dev/faq/admin/#how-do-i-automatically-set-a-field-s-value-to-the-user-who-last-edited-the-object-in-the-admin

Does anyone have any ideas or suggestions?  I'd like to do something
that was aligned with future Django developments.


Jonathan
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



Done? Database -> Python objects -> JSON -> JavaScript 'class instances'

2009-07-15 Thread jfine

Hi

Django can, of course, serialize database objects into JSON:
http://docs.djangoproject.com/en/dev/topics/serialization/

I'd like to turn that JSON into JavaScript objects.  I'd like, of
course, a Formula object to be turned into an 'instance of the Formula
class'. (The quotes are because JavaScript doesn't really have classes
and instances.)

Django can also, of course, serialize a whole database into JSON.  A
more ambitious task is to turn that JSON into a linked collection of
database objects.

Does this sound interesting? Has something like this been done
already?

--
Jonathan



Re: Done? Database -> Python objects -> JSON -> JavaScript 'class instances'

2009-07-15 Thread jfine

Oops.  Pressed the button too soon.

> Django can also, of course, serialize a whole database into JSON.  A
> more ambitious task is to turn that JSON into a linked collection of
> database objects.

Should be JavaScript objects (of course).

--
Jonathan



Re: Done? Database -> Python objects -> JSON -> JavaScript 'class instances'

2009-07-15 Thread jfine

Hello Russell

On Jul 16, 12:49 am, Russell Keith-Magee wrote:

> Sure, this _could_ be done. You can write and install custom
> serializer - you just need to work out exactly how a random database
> object is realized as a JavaScript object. The existing serializers
> should give you a reasonable idea of how to do this.

Sorry, I wasn't clear enough.  I'm thinking of using a standard
serializer.  So what's being sent is standard JSON.

> Has it been done already? Not to my knowledge, but I won't claim to
> have omniscient knowledge of the Django community. Google is your
> friend.

Yes, and I did search before asking (apologies for not saying
that).  Didn't find anything.

> Should it be done? I have a minor hesitation based around attack
> vectors - when sending JSON, you're sending raw data, so the potential
> for attacks is limited. However, if you're serializing objects with
> the expectation that they will be executable as received, you've
> opened up a door through which exploits could enter. Of course,
> whether this is actually a problem depends very much on how you handle
> the received objects. Caveat Emptor.

Yes, that's a good point.

> Also - keep in mind that from a Django perspective, a serializer is
> only half the job. There is also the deserializer, for converting a
> JavaScript object back into a database object. Of course, you may not
> need this for your own bespoke purposes.

Also a good point.  The application I have in mind is a database that
contains help information, and I want to deliver it in large pieces (or
even as one large piece) to a help widget that appears on a web page.

If you're interested, here's an example of what I want to deliver
http://www.mathtran.org/editor/
except that I want the help data to come from something like
http://www.mathtran.org/formulas/

best regards

Jonathan



Moodle and Django - access to Moodle databases

2010-08-11 Thread jfine
Hi

Anyone here interested in Moodle (the leading open source virtual
learning environment, with a vibrant community and written in PHP)?

I've just started a project, whose goal is to give Django access to
Moodle databases.  You can see it at
http://bitbucket.org/jfine/django-moodle/

A similar message has been sent to the Moodle developers forum.

--
Jonathan




IP address and NetScaler application delivery device

2010-02-22 Thread jfine
I'm running a Django/Pinax website (www.mathtran.org) whose host
wishes to move it to the NetScaler application delivery device.

This will change the IP address from which the applications appear to
come (to the NetScaler device).  The (real) client IP address is
available in an HTTP header called X-Forwarded-For.

I don't expect this to make any difference, but does anyone know for
sure?

Here's a URL for NetScaler: 
http://www.citrix.com/English/ps2/products/feature.asp?contentID=1683490

--
Jonathan
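
Added example (not part of the original message or of any reply): behind a device such as the NetScaler, REMOTE_ADDR becomes the device's address, so code that logs or restricts by IP has to read X-Forwarded-For, and only when the connection really came from the proxy. The proxy address 192.0.2.10, the assumption that the proxy appends the address it saw as the last entry, and the names TRUSTED_PROXIES and client_ip are illustrative.

```python
import ipaddress

# Assumption: address of the NetScaler as seen by the web server.
# 192.0.2.10 is a documentation-range placeholder, not a real value.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Return the client address for a WSGI environ (request.META in Django)."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer):
        # Direct connection: any X-Forwarded-For here is client-supplied, ignore it.
        return str(peer)
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    # Walk right to left: the right-most entries were appended by our own
    # proxies; entries further left may have been sent by the client itself.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed or empty entry: stop rather than guess
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # Normal request through the proxy.
    {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_FORWARDED_FOR": "203.0.113.7"},
    # Client forged a header; the proxy appended the address it really saw.
    {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_FORWARDED_FOR": "10.0.0.1, 203.0.113.7"},
    # Request that bypassed the proxy and carries a forged header.
    {"REMOTE_ADDR": "198.51.100.5", "HTTP_X_FORWARDED_FOR": "127.0.0.1"},
    # Proxy request with no header at all: fall back to the peer address.
    {"REMOTE_ADDR": "192.0.2.10"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", client_ip(req))
```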




Re: how to cache django javascript message file ('/jsi18n/') with apache (production setup)

2008-03-05 Thread jfine

On Mar 5, 5:58 pm, "alain D." <[EMAIL PROTECTED]> wrote:
> Hi,
>
>Is there a simple apache configuration that is known to make the browser
> cache the javascript message file ('jsi18n') in a standard apache
> django production setup ?

[snip]

>   To my django virtual host and then I get these headers in the reply :
>   HTTP/1.1 200 OK
>   Date: Wed, 05 Mar 2008 17:54:25 GMT
>   Server: Apache
>   Vary: Accept-Language,Cookie,Accept-Encoding

Thank you for sending clear and precise information.  I think the
problem lies with the Vary: header.  Are you sure you want to tell the
cache that the javascript depends on the cookie?

Hope this helps.
--
Jonathan



Re: Missing Documentation cross-reference to shortcuts ?

2007-11-13 Thread jfine


glopglop wrote:
> A lookup on google shows that the page 
> http://www.djangoproject.com/documentation/shortcuts/
> isn't linked from anywhere on the documentation (and the site), and I
> had to search it to find it.
>
> (see
> http://www.google.com/search?hl=fr&c2coff=1&q=link%3Ahttp%3A%2F%2Fwww.djangoproject.com%2Fdocumentation%2Fshortcuts%2F&btnG=Rechercher&lr=)
> )
>
>
> I don't know where it belongs to, but at least we could make it
> available from the tutorial (where it's used first ?)
>
> I don't know how to check for orphans, but this may not be the only
> page : maybe it could be automated as a test ?

I had a similar problem with static_files - see 
http://code.djangoproject.com/ticket/5916

I've added this problem to that ticket.

--
Jonathan

