Creating a REST API in Django [closed] - python

The first thing that I would like to say is that I have no previous experience with Python or any Python-related framework. However, I have programming experience.
So, I want to create a REST API using Python with the frameworks Django and djangorestframework. I have managed to create the database (using PostgreSQL) and also managed to create the initial migration. However, I believe that was the easiest part, and I have some questions about the things that I'm about to implement:
First, I want to create an authentication system. I saw that djangorestframework is able to manage authentication by itself, but I was not able to make it run. Can you please guide me to some good tutorials/provide code samples and briefly explain?
After the initial migration, I saw that Django created some tables for authentication and session management by itself (auth_user, auth_user_groups, etc.). Is there any way to use my own model for the user? Also, I do believe that I won't need all the features that Django offers (e.g. auth_user_groups). Is there any way to remove those unwanted functionalities?
I was able to create an API endpoint (by following a tutorial) that returns some data (based on a model, a serializer and a view created by me). However, as I want to create more API endpoints, I also have to create a serializer and view for each model of mine (which might take a while). Is there any way to create a generic serializer and a generic view method so I don't need to write a specific serializer and a view method (e.g. I would like to GET models by /api/books/book/:id, where book is just a placeholder for any model)?
P.S. If this post lacks any information, please let me know in a comment and I will edit this post.

Okay, let's see:
Documentation is your best friend. This is especially true in case of Django which has great documentation. Generally, there are three ways to use authentication in Django:
Default User class (django.contrib.auth.user.models) just works out of the box.
You can extend it by creating another model (like Profile) and linking it via OneToOneField.
Alternatively, you can provide your own User class via subclassing (usually AbstractBaseUser) and registering it in Django's settings.
Finally, you can write a completely custom backend.
For customization guide consult this article.
For the first part of the question see the paragraph above. Regarding removing user groups: it's probably possible (though I've never tried it), but I don't see much point. It has practically no overhead whatsoever while providing some useful stuff like staff/admin groups for Django's admin panel.
Absolutely there is a generic solution. Just use generic API views. Again, I'm linking documentation. In short, you want to use subclasses of GenericAPIView class.
For instance, let's say you want to list User objects under /users/ path:
url(r'^users/$', ListCreateAPIView.as_view(queryset=User.objects.all(), serializer_class=UserSerializer), name='user-list')
For your particular example you would use RetrieveAPIView. If you want to look it up with pk you don't even have to configure it.

Related

Using Django admin as a base for backend

First sorry for my poor English.
I came from ASP.NET MVC. Now I use Django with nanoboxio.
In ASP, I can create sections like below:
Create model and add it to dbcontext
Right click controller folder and create new controller with views.
Modify as you wish
For now, I know Django can create an admin interface for your model. I tried it and I'm happy with it, but I want to develop it.
For example, I want to:
Create a post model.
Create an admin interface for it.
Copy the generated admin interface controller and views to another app.
Modify it
How can I do that?
Django's MVC is quite different to ASP.
Django's MVC pattern is less strict, so you sort of combine the view and the controller in views.py. However, if you want to change the Admin, the Django docs are quite nice here: docs.djangoproject.com
If you want to create custom admin functionality, the docs should give you a first idea, and if you're planning to create a blog, I would advise you to use an existing plugin such as Zinnia. There, you can find the desired functionalities and modify them instead of building them from scratch.
Also, there are a couple of tutorials on how to build reusable apps, and they usually include a detailed guideline on how to implement admin functionalities there. Just look it up on Google.
I hope that helps you!

Want to learn django with REST without rest frameworks

I am a PHP programmer, and I have built some REST-based solutions in PHP. Now I am learning Python/Django. I want to make a REST-based solution in Django (only for knowledge purposes). I do not want to use any REST frameworks/toolkits, as this project is more about exploring Django/Python, i.e. how they work with the raw REST concept.
I searched the net, but the examples/tutorials are full of already-built solutions. I also checked for request-method-based filtering. I am thinking of two approaches:
Either urls.py has a way to check the request method and transfer to the respective method in views.py.
Or I can add a pre-load hook/class which determines the request method on application initialization, and calls the respective method, overriding the urls.py behaviour (my preferred method).
Can anybody suggest a Django way to do this?
Update: I found some interesting comments on SO, like https://stackoverflow.com/a/20898410/1230744 AND https://stackoverflow.com/a/1732520/1230744. I need to check if they have the solution I am searching for.
Well, I finally got the answer to my question from the following link. It is possible through using class-based views + serialization.
Restful routes and Django
The snippet links inside the above link give enough examples to give quite a picture of how one can create a REST API using only Django core. Also, I used serialization https://docs.djangoproject.com/en/dev/topics/serialization/ for JSON encoding.
(Now if anybody prefers, he can flag the question as a duplicate. ;))
You can start by learning the code of these projects:
http://tastypieapi.org/ Tastypie
http://www.django-rest-framework.org/ Django REST framework
They are the de facto standard for REST APIs for Django, and their code could be a good starting point.
Also, please review these questions:
Creating a REST API for a Django application
Adding REST to Django
Django and Restful APIs
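As an added illustration of the class-based-view answer above (example code, not from the question, the linked article, or Django itself): a framework-free sketch of how Django's View.dispatch routes one URL to a handler per request method, so urls.py never needs to inspect the method. Request, Response and the in-memory book table are constructed stand-ins so it runs without Django installed; BookView is a hypothetical view.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Request:            # stand-in for django.http.HttpRequest (constructed)
    method: str
    body: str = ""

@dataclass
class Response:           # stand-in for django.http.HttpResponse (constructed)
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

class RestView:
    """Routes one URL to a handler per HTTP method, like django.views.View.dispatch."""

    http_method_names = ["get", "post", "put", "delete"]

    def dispatch(self, request, *args, **kwargs):
        name = request.method.lower()
        handler = getattr(self, name, None) if name in self.http_method_names else None
        if handler is None:
            # Same shape as Django's HttpResponseNotAllowed: 405 plus an Allow header.
            allowed = [m.upper() for m in self.http_method_names if hasattr(self, m)]
            return Response(405, headers={"Allow": ", ".join(allowed)})
        return handler(request, *args, **kwargs)

class BookView(RestView):
    books = {1: {"id": 1, "title": "Dune"}}   # constructed in-memory stand-in for a model

    def get(self, request, pk):
        book = self.books.get(pk)
        if book is None:
            return Response(404, json.dumps({"error": "not found"}))
        return Response(200, json.dumps(book))

    def put(self, request, pk):
        if pk not in self.books:
            return Response(404, json.dumps({"error": "not found"}))
        try:
            data = json.loads(request.body)
        except ValueError:
            data = None
        # Validate the shape of the body before touching stored data.
        if not isinstance(data, dict) or not isinstance(data.get("title"), str):
            return Response(400, json.dumps({"error": "expected a JSON object with a title"}))
        self.books[pk] = {"id": pk, "title": data["title"]}
        return Response(200, json.dumps(self.books[pk]))
```

In a real project the class would subclass django.views.View and be wired in urls.py with BookView.as_view(); the 405/400/404 handling is the part the tutorials built on DRF usually hide.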

Django - social like permissions for objects

I'm learning the Django framework and I'm trying to implement some social features / permissions for objects. What is the best solution for such a thing, e.g.:
We have some model (eg.: photo):
name_field
picture_field
owner_field
allowed_group_users_field <----- field where we will put the groups / users who are able to see the photo.
Now the view which will handle showing pictures should use the "@user_passes_test" decorator, which will check whether the requesting user is included in allowed_group_users_field.
And my question is:
Is this the correct way to solve such a thing, or are there better solutions for it - maybe another decorator is more suitable, or another way of implementing it?
Hello and welcome onboard!
I have a relatively new account also in stackoverflow but I have quite some experience with django.
The way I see it, you want to create groups, like one-to-many foreign keys, to the users who are allowed to see this.
Your solution with a decorator is pretty common and there is nice documentation here, https://docs.djangoproject.com/en/1.4/topics/auth/#limiting-access-to-logged-in-users-that-pass-a-test and an example for the kind of group you need, here https://djangosnippets.org/snippets/1703/.
So, all you have to do is to extend the current decorator with your own logic (if the user belongs to a specific group) and it will work.
I hope I answered your question!

Is Django's update_object generic view secure? Should I extend it or make my own for security?

I'm new to Django. Last night I worked hard on a view that would allow me to edit any of the entities in my current project; Chapters, Stories, and Worlds. In order to ensure that I know precisely which database object is being modified, I added a database entry to the tables 'edits' that stores the hash, the type of object being edited (eg. 'Chapter'), and the id of that object as found in the database. The hash is added to the form as a hidden input.
On the back-end, after the form has been submitted, I grab the hash and use it to find the related Edit item in the database. I then use this to find which object was initially being edited. This was done for two reasons:
I can know what object is truly being edited. If all form items have changed, there would be nothing to compare to (except URLs) to actually know which object is being edited.
Users should be unable to hack the front-end to do weird things like modify the wrong stories.
Today I discovered that Django has a generic view called update_object. This seems to handle a lot of things for me. But given that it doesn't automatically use the database to ensure that the correct object is being edited, or even determine which object is being edited, is this secure? Surely there must be a simple way to hack it on the front end by modifying HTML elements.
Secondly, if this should be a concern, would you recommend that I keep my own edit view, or that I extend the update_object view, or some other solution?
Lastly, am I going about this the right way at all? Please correct me if I'm not thinking about solutions to this problem in the right way.
I don't feel that this is a question that requires code. It's more of a general question about the security of forms as they pertain to Django.
Thanks,
ParagonRG
Your problem of knowing which object they're editing is typically solved either by inspecting the URL or by a hidden form element that just has the database ID.
Before accepting any changes from a user form, you should be verifying that the user has permission to do whatever it is they're asking to be doing, and that the edits make sense. You'd normally do this with form validators and/or explicit checks in the view. This is a somewhat safer way of dealing with this problem, because it guarantees people aren't making DB changes they're not allowed to be making, whereas in your Edit object approach it's conceivable they could get around that.
If you take this approach, I don't see any reason why it's a problem that the user could be editing hidden ID fields to pretend to be editing a different object. They're just using a silly roundabout way to edit things when they could have just gone to a different edit link.
(Also: if you're using Django 1.3+, it's better to use the new class-based UpdateView rather than the function-based update_object.)

Fully customized login system in Django?

I am currently writing an application which I plan to sell as SaaS. Without giving away "secrets," I can say that it is basically a "document editing system" in which many users will be submitting documents.
The basic hierarchy is this:
Institution
Individual
Document
Sub-document
So each Individual should be able to BROWSE all documents that were submitted by anybody in their institution, but should only be able to EDIT documents that they created.
No individual should even be aware of the existence of another Institution--that should all be completely hidden.
I have written a Django/Python class that would facilitate this, but every document regarding authentication that I have read requires that I use the User object. Is this just a limitation of Django, or is there a way to do this?
If there is a way, how can I get my own "Individual" class details attached to the "request" objects so I can validate the things I should be showing the users?
What you're looking for is authorization, not authentication. Django's built-in authorization system is fairly crude, as you've discovered. You'll need something like django-authority if you want a more complete solution.
The auth module is typically used to cover authentication cases.
It gives you groups (Institutions), Users (Individuals) and permissions.
Using these features you can check whether a user is a member of a group or owns a doc before allowing them to see or edit the doc.
http://docs.djangoproject.com/en/dev/topics/auth/
If you need to go beyond the typical use case, supporting LDAP for example, then you can look at writing your own authentication backend.
http://docs.djangoproject.com/en/dev/topics/auth/#other-authentication-sources
In general, if you need to attach more information to the built-in User model, you would create a new model which subclasses models.Model (not User), and identify it in settings as AUTH_PROFILE_MODULE. You can get the appropriate instance of your model from a user by calling user.get_profile(). (See http://docs.djangoproject.com/en/dev/topics/auth/#storing-additional-information-about-users.)
This is generally useful for adding extra fields to User such as address, contact information, etc. While it would be possible to use this for your authentication needs, you'd most likely be better off using the built in groups, or a more comprehensive solution like django-authority as others have mentioned. I've included this answer only because it seems to be what you were asking for (a way to attach a class to User), but not really what you need (authorization).
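Added example (not code from any of the answers above): the BROWSE/EDIT rules for the Institution > Individual > Document hierarchy written as explicit authorization checks, applied only after the object has been looked up by the id from the URL. That is the same point the update_object answer earlier on this page makes: verify permission in the view rather than trust a hidden form field. The dataclasses are constructed stand-ins for the Django models and update_document is a hypothetical edit-view body.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Individual:                 # stand-in for the Individual model (constructed)
    id: int
    institution_id: int


@dataclass
class Document:                   # stand-in for the Document model (constructed)
    id: int
    institution_id: int
    owner_id: int
    title: str


class PermissionDenied(Exception):
    """Raised when the user may see the document but not change it."""


def can_view(user, doc):
    # BROWSE: any document submitted within the user's own institution.
    return doc.institution_id == user.institution_id


def can_edit(user, doc):
    # EDIT: only documents the user created (which implies the same institution).
    return can_view(user, doc) and doc.owner_id == user.id


def visible_documents(user, documents):
    # Filter at query time, so other institutions' documents are never listed at all.
    return [d for d in documents if can_view(user, d)]


def update_document(user, documents, doc_id, new_title):
    """Hypothetical edit view body: the target comes from the URL id, never from a form field."""
    doc = next((d for d in documents if d.id == doc_id), None)
    # Treat another institution's document exactly like a missing one, so its
    # existence is not leaked through a different error.
    if doc is None or not can_view(user, doc):
        raise LookupError("document not found")
    if not can_edit(user, doc):
        raise PermissionDenied("only the owner may edit this document")
    doc.title = new_title
    return doc
```

In Django the same checks live in get_queryset() (filter by request.user's institution) and in the form/view before save(); the hidden id the update_object answer mentions then only selects which row to load, never whether the edit is allowed.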
