Re: auto admin for production
On Tue, Jun 3, 2008 at 11:54 AM, pihentagy <[EMAIL PROTECTED]> wrote: >> Currently the admin interface doesn't handle row-level permissions. A >> user can be granted to edit articles, but not restricted to only their >> own. I *believe* this is a feature that will be added in newforms-admin. > > Can anyone confirm that? If so, where can I find the docs? There isn't going to be any magical switch or option that you just turn on and suddenly these restrictions go into place. Instead, you'll have much more access to customize the lists of objects which are shown to individual users, by overriding methods which return the QuerySets used in the admin interface. There is no documentation at the moment because the code is still evolving. And to cut off the next few questions since I'm certain someone will ask them yet again: no, I don't know when it will merge into trunk; no, there is not an estimated date for it; no, there is not a timeline for it; yes, it will be sometime before Django 1.0. -- "Bureaucrat Conrad, you are technically correct -- the best kind of correct." --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: auto admin for production
On May 10, 1:25 am, Jeff Anderson <[EMAIL PROTECTED]> wrote: > pihentagy wrote: > Currently the admin interface doesn't handle row-level permissions. A > user can be granted to edit articles, but not restricted to only their > own. I *believe* this is a feature that will be added in newforms-admin. Can anyone confirm that? If so, where can I find the docs? --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: auto admin for production
rcs_comp wrote: Jeff, Any chance you would be willing to post the code for your in-house ticketing system? I have need for a similar application. I'd have to ask my boss, but he'd probably allow it. I'll let you know off list. We wrote our own because we had some strange requirements for a ticket system. I did write a maintenance tracking system for my apartment complex. I'd be happy to post the code for that, but its very very simple, and a bit messy in some places. Thanks and not hard feelings if you can't. I'll let you know! Jeff Anderson signature.asc Description: OpenPGP digital signature
Re: auto admin for production
Jeff, Any chance you would be willing to post the code for your in-house ticketing system? I have need for a similar application. Thanks and not hard feelings if you can't. On May 9, 7:25 pm, Jeff Anderson <[EMAIL PROTECTED]> wrote: > pihentagy wrote: > > Hi all! > > > I come to here from a little symfony background (a framework, which > > try to borrow good things from django), and would like to have an > > overview how django stacks up. > > > I would like to ask, if the admin module can be used on a production > > server by registered users. > > The admin module can be used by registered users, yes.> What problems can > occur? > > (I assume every object references a user) > > The admin interface was designed for admins. As long as you keep the > access limited to trusted users, very few problems (security wise)> - > editing/deleting objects not belonging to user > > Currently the admin interface doesn't handle row-level permissions. A > user can be granted to edit articles, but not restricted to only their > own. I *believe* this is a feature that will be added in newforms-admin. > > > How these problems are solved in django? > > These problems are solved by writing your own views for your models. Its > really quite easy to do. We have an in-house ticket system done in > django, and I've tinkered with "person x in group y can edit these > tickets", "group z can edit tickets that are assigned to a certain > category", etc... We simply disabled access to the admin interface for > the less-privileged users, yet they can still edit certain objects at > the row-level with our custom views. > > It almost sounds like you are asking if the admin interface can just be > your whole site. That's a bad idea. > > Good Luck! > > Jeff Anderson > > signature.asc > 1KDownload --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: auto admin for production
I've been down this road and I will say that although you can modify the Admin to do everything you need - it actually turns out to be more complex that just writing your own CRUD (which newforms makes a delight). It's a shame in some ways - Admin is so nearly ready for this kind of thing that it's very tempting to try and use it but in any real world app your requirements will differ from Admin's in so many small ways that you will be fighting it all the way. I've got a site where registered users are using Admin in the way you describe but their requirements were simple. I'm working on a simple CMS and I'm going to use Admin initially but the minute I have to start doing anything complex I'm going to write my own 'admin'... On May 10, 8:52 pm, Doug B <[EMAIL PROTECTED]> wrote: > > Why is that a bad idea? > > If I mainly need CRUD operations it is natural to solve it with admin > > interface. > > Cannot these "security issues" if any eliminated, and use the admin > > interface for a whole site? (if it needs just CRUD). > > ->ADMIN<- Interface. It wasn't designed to be an entire site. If you > only need CRUD, it's relatively easy to do writing your own views. > Even if you could use the admin, I'm not sure it would be much > easier. Writing your own views is very easy in Django, especially if > you only need basic crud and can use the model form helpers. A simple > CRUD view could be 8-10 lines of code, plus a basic html template. > Permission checking can be done with reusable decorators. Personally > I fnd writing a view much simpler than trying to make the admin do > exactly what I want. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: auto admin for production
> Why is that a bad idea? > If I mainly need CRUD operations it is natural to solve it with admin > interface. > Cannot these "security issues" if any eliminated, and use the admin > interface for a whole site? (if it needs just CRUD). ->ADMIN<- Interface. It wasn't designed to be an entire site. If you only need CRUD, it's relatively easy to do writing your own views. Even if you could use the admin, I'm not sure it would be much easier. Writing your own views is very easy in Django, especially if you only need basic crud and can use the model form helpers. A simple CRUD view could be 8-10 lines of code, plus a basic html template. Permission checking can be done with reusable decorators. Personally I fnd writing a view much simpler than trying to make the admin do exactly what I want. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: auto admin for production
Jeff Anderson wrote: > pihentagy wrote: > > Hi all! > > > > I come to here from a little symfony background (a framework, which > > try to borrow good things from django), and would like to have an > > overview how django stacks up. > > > > I would like to ask, if the admin module can be used on a production > > server by registered users. > > > The admin module can be used by registered users, yes. > > What problems can occur? > > (I assume every object references a user) > > > The admin interface was designed for admins. As long as you keep the > access limited to trusted users, very few problems (security wise) A "registered user" is not neccesarily trusted... > > - editing/deleting objects not belonging to user > > > Currently the admin interface doesn't handle row-level permissions. A > user can be granted to edit articles, but not restricted to only their > own. I *believe* this is a feature that will be added in newforms-admin. > > > How these problems are solved in django? > > > These problems are solved by writing your own views for your models. Its > really quite easy to do. We have an in-house ticket system done in > django, and I've tinkered with "person x in group y can edit these > tickets", "group z can edit tickets that are assigned to a certain > category", etc... We simply disabled access to the admin interface for > the less-privileged users, yet they can still edit certain objects at > the row-level with our custom views. > > It almost sounds like you are asking if the admin interface can just be > your whole site. That's a bad idea. Why is that a bad idea? If I mainly need CRUD operations it is natural to solve it with admin interface. Cannot these "security issues" if any eliminated, and use the admin interface for a whole site? (if it needs just CRUD). thanks --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: auto admin for production
pihentagy wrote: Hi all! I come to here from a little symfony background (a framework, which try to borrow good things from django), and would like to have an overview how django stacks up. I would like to ask, if the admin module can be used on a production server by registered users. The admin module can be used by registered users, yes. What problems can occur? (I assume every object references a user) The admin interface was designed for admins. As long as you keep the access limited to trusted users, very few problems (security wise) - editing/deleting objects not belonging to user Currently the admin interface doesn't handle row-level permissions. A user can be granted to edit articles, but not restricted to only their own. I *believe* this is a feature that will be added in newforms-admin. How these problems are solved in django? These problems are solved by writing your own views for your models. Its really quite easy to do. We have an in-house ticket system done in django, and I've tinkered with "person x in group y can edit these tickets", "group z can edit tickets that are assigned to a certain category", etc... We simply disabled access to the admin interface for the less-privileged users, yet they can still edit certain objects at the row-level with our custom views. It almost sounds like you are asking if the admin interface can just be your whole site. That's a bad idea. Good Luck! Jeff Anderson signature.asc Description: OpenPGP digital signature
