I am trying to restrict the groups populated for staff users, such that a user X (staff) is able to view and edit only those groups of which X is a member.
I am able to filter groups populated on admin/auth/group/ by registering the new class.
from django.contrib.auth.admin import GroupAdmin

class RestrictGroupAdmin(GroupAdmin):
    def get_queryset(self, request):
        # Superusers see every group; other staff see only their own groups.
        if request.user.is_superuser:
            return super(RestrictGroupAdmin, self).get_queryset(request)
        return request.user.groups.all()
With this approach I am able to filter out groups on admin/auth/group/, but unable to filter out the list of available groups in the user edit admin page.
Is there a way to filter the available groups in the user edit page?
Also, is the above approach to restricting groups correct?
Can we extend the same approach to users and permissions as well?
PS: Django version 1.11.1
I want to create a system that has two types of users.
Normal users and coaches.
How can I separate users when they log in to the system?
I want to separate their dashboards after they have logged in.
Should I create two models? One model for users and one model for coaches?
You can either use Django's built-in Groups feature, create a Coach group and check in your views if a user is part of that group. Or you extend AbstractUser by adding a boolean field is_coach (and set AUTH_USER_MODEL settings to your new User model).
Then you can check this flag in your views.
The more interesting question is whether you want to store extra information (add extra functionality on the user level) for coach type users. If this is the case, you can make a so-called Profile model Coach, which you set in a one-to-one relation with the User model (which should only serve authentication purposes). Then you can add extra fields in your profile model to store information relevant to coaches. The next question would be: what about students? Should students be able to enroll in courses?
I want to try to set up a private website, where users can purchase bookings but only their own bookings can be viewed within the entire shop when logged in. Saleor seems to be the most complete ecommerce package for Python/Django.
Is there a way I can block access to using categories? As in, I can create a category 'Johnson Family' and only select certain users to have access to 'Johnson Family' categories, if I approve their email to have access. Then those users would then see 'products' or 'bookings' specifically for them within the shop.
Edit: Apologies, I should have asked 'how' and not 'if'. Of course it can be done in Django, but I wasn't sure 'how?'
As you have asked a generalized question, here is the generalized solution:
Is there a way I can block access to using categories?
Yes, you can. Django auth module has a concept of group where you can create a group and add users to this group. Then in your view you can check whether user belongs to the particular group or not. You can do something like:
from django.contrib.auth.models import User, Group

# Create the group
group = Group(name='Johnson Family')
group.save()

# Add user to the group
user = User.objects.get(email='some@email.id')
user.groups.add(group)

# Call this method from your view to check if user belongs to a group
def is_member(user, group_name):
    return user.groups.filter(name=group_name).exists()
Then those users would then see 'products' or 'bookings' specifically for them within the shop.
For this you can always filter the queryset to return the objects that belong to a specific user, e.g. (assuming the Product and Booking models have a foreign key to user):
Product.objects.filter(user=some_user)
Booking.objects.filter(user=some_user)
Greetings, community.
My question is related to how users are managed and to the user schema in Django. To begin, I apologize in case my questions are too "newbie" or don't make sense; I am just starting to get familiar with the Django user schemas and the different ways of working with them in projects.
I have the following situation.
I am building an application in which I will have three different user types:
Medical
Patient
Physiotherapist
I am using the default Django authentication scheme (django.contrib.auth).
Initially, I thought of this scheme of entities, in which the User table is the auth_user table where Django saves the users that are created:
I have the is_patient, is_medical and is_physiotherapist fields as boolean attributes in the User table.
As a particular detail, I understand that in Django's default User model it is not possible to modify or add attributes or fields.
This is an important and powerful reason why I cannot add the is_patient, is_medical and is_physiotherapist boolean fields to the User table.
A classic recommendation is to extend the User model with a UserProfile table, in which I add fields or attributes to the User model through a OneToOne relationship. A basic sample is as follows:
It is in this way that my users in Django can have a photo field and upload one at a given moment ...
Taking advantage of the previous,
Can the following schema be suitable, or be an alternative, for managing user roles (patient, medical and physiotherapist user types)?
I will have relationships between:
User medical and user patients
user physiotherapist and user patients
and so on between them and other tables ...
With this approach, won't these relationships be affected?
The different users will be saved between the Users and UserProfile tables.
Is this a good practice in the scalability sense? Could my tables or my database crash?
In addition, I also have seen other alternatives such as:
Role Table/Model
I will have an independent or separate role table/model, which can be related to the Django User model (one User can have many roles, for example).
Can this approach be useful when I want to store exclusive information about a role in particular?
Django Permissions and Authorization
I don't know the degree of granularity it will let me work with. At first glance I have seen that the permissions and authorization system lets me work with create, edit and remove operations ....
Here, can I see the groups creation?
For example, a medical group to which I allocate permissions, linking these permissions to the users that compose the group? Is this another good alternative?
This option seems simpler, although I don't know if a user could perform some operations according to the privileges of the group they have ... I don't know if this thinking is correct/right.
AUTH_USER_MODEL Creating a Custom User model
Do my requirements for patient, medical and physiotherapist users require building a custom user model?
In this situation, especially if you want to store different information for Patients, Medics and Physiotherapists, you can create a Model for each and have a OneToOne field for each to the User model.
from django.contrib.auth.models import User
from django.db import models

class Medic(models.Model):
    user = models.OneToOneField(User, primary_key=True, on_delete=models.CASCADE)
    # other fields

class Physio(models.Model):
    user = models.OneToOneField(User, primary_key=True, on_delete=models.CASCADE)
    # other fields

class Patient(models.Model):
    user = models.OneToOneField(User, primary_key=True, on_delete=models.CASCADE)
    # other fields
This way you can give different permissions/roles implicitly in your application logic for each type of user (and still use the groups and permissions that Django offers if you need them for special cases, eg ChiefMedical...).
You will have to define some methods for your application logic like
def user_is_patient(user):
    ...
If you follow this path it is a good idea to have good tests to make sure that you don't get unexpected things like a user who is a Medic and a Physio...
Django lets you subclass the user model as well. Under the covers it would do the same thing as the code above, so it is probably better to do it explicitly as shown above (this way it is less probable that you access attributes that don't exist in that object!)
Taking advantage of the previous, can the following schema be suitable, or be an alternative, for managing user roles (patient, medical and physiotherapist user types)?
The schema you show isn't great because it makes you store the information for all user types in the same table (and with the same fields). For example, Medics and Physios will have a blood type field type like Patients which will probably not be defined.
The different users will be saved between the Users and UserProfile tables. Is this a good practice in the scalability sense? Could my tables or my database crash?
There should be no scalability problems with this solution (as long as you don't have millions of new entries written every day) and you can always optimise the database at a further point. However, you will have to make sure that your app doesn't accept 'forbidden' entries (e.g. users with no Medic, Physio or Patient profile).
Here, can I see the groups creation? For example, a medical group to which I allocate permissions, linking these permissions to the users that compose the group? Is this another good alternative? This option seems simpler, although I don't know if a user could perform some operations according to the privileges of the group they have ... I don't know if this thinking is correct/right.
You can (should) use Django's permission system to give permissions to your users. You can use them to give different rights to users of the same type (for example Medics that have more permissions than others... or have groups for chief physios...)
Django lets you assign permissions to a group.
But I don't think groups can replace the custom models for each user, since you want to store information for them. Having custom models and groups would be redundant and make your app harder to maintain.
Do my requirements for patient, medical and physiotherapist users require building a custom user model?
This option wouldn't be great (unless it is your only option) because your app won't be reusable and you might have problems with some packages as well.
You can create a custom User model or not, in any case, you could have three separate models for storing pertinent data, depending on whether the user is patient, medical, physiotherapist, or any combination of these.
If your permissions scheme is determined solely by the role (patient, medical, physiotherapist) then you don't need to use Django's permissions system, because you know the role(s) of any user and you can, in the worst scenario, hardcode authorization rules.
I glanced at the question's comments and I see some issues:
I realized that your user model does not match the original data model: by having get_medical_profile, get_patient_profile and get_physiotherapist_profile functions inside the user model, you are assuming that any user could have multiple profiles at the same time, which is reflected neither in your profile models (Medical, Patient and Physiotherapist) using OneToOneField nor in the original data model of the question. It's an important point about abstraction and class responsibility. The requirement (according to the model below) seems to say "one user can have only one profile".
So, I think this can be solved in a straightforward and clean way; you don't need to involve the overall authentication scheme, like groups and permissions, or add additional attributes to the user model:
from django.contrib.auth.models import User
from django.db import models

class UserProfile(models.Model):
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    # common fields shared by medical, patient and physiotherapist profiles

class MedicalUser(models.Model):
    profile = models.OneToOneField(UserProfile, on_delete=models.CASCADE)
    # medical fields here

class PatientUser(models.Model):
    profile = models.OneToOneField(UserProfile, on_delete=models.CASCADE)
    # patient fields here

class PhysiotherapistUser(models.Model):
    profile = models.OneToOneField(UserProfile, on_delete=models.CASCADE)
    # physiotherapist fields here
As you see, you can have a profile which contains common fields shared by all profiles, and each profile has a specific model.
In addition, you can check whether a user is medical with the small function below; if there is no medical profile associated with the profile, it will raise an exception, which means the profile is unspecified:
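from django.core.exceptions import ObjectDoesNotExist

def is_medical_profile(profile):
    try:
        # Default reverse accessor of the MedicalUser.profile OneToOneField
        profile.medicaluser
        return True
    except ObjectDoesNotExist:
        return False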
You can also use it in your templates (as a custom template tag) in this way:
{% if profile|is_medical_profile %}
With this approach you don't need to set up AUTH_USER_MODEL.
I hope this improves your solution.
Additional notes:
Just in case you decide to have a custom user model, set up settings.AUTH_USER_MODEL and use it for foreign keys to User.
A passage in the awesome book Two Scoops of Django says:
From Django 1.5 onwards, the official preferred way to attach
ForeignKey, OneToOneField, or ManyToManyField to User
Therefore, your user profile model would change as follows:
from django.conf import settings
from django.db import models

class UserProfile(models.Model):
    user = models.OneToOneField(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)
Yes, it looks a bit strange, but that's what the official Django docs advise.
@geoom @Ire @lorenzo-peña I've created a user through the Django admin site and I checked its attributes (is_medical, is_patient, is_physiotherapist) via the Python shell
In [6]: User.objects.filter(username='agarcial').values('is_medical','is_patient','is_physiotherapist')
Out[6]: [{'is_physiotherapist': True, 'is_patient': True, 'is_medical': True}]
For the moment, in my views.py I let a user sign in only when they are one of the three user types (medical, patient or physiotherapist)
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic import TemplateView

# Create your views here.
class ProfileView(LoginRequiredMixin, TemplateView):
    template_name = 'profile.html'

    def get_context_data(self, **kwargs):
        self.request.session['Hi'] = True
        context = super(ProfileView, self).get_context_data(**kwargs)
        is_auth = False
        name = None
        # Get the user from the request
        user = self.request.user
        # Check the possible cases (for now there is one profile)
        if user.is_medical:
            #if self.request.user.is_authenticated():
            print(user.is_medical)
            is_auth = True
            profile = user.get_medical_profile()
            #name = self.request.user.username
            data = {
                'is_auth': is_auth,
                'profile': profile,
            }
            context.update({'userprofile': profile, 'data': data})
        elif user.is_patient:
            print(user.is_patient)
            is_auth = True
            profile = user.get_patient_profile()
            data = {
                'is_auth': is_auth,
                'profile': profile,
            }
            context.update({'userprofile': profile, 'data': data})
        elif user.is_physiotherapist:
            print(user.is_physiotherapist)
            is_auth = True
            profile = user.get_physiotherapist_profile()
            data = {
                'is_auth': is_auth,
                'profile': profile,
            }
            context.update({'userprofile': profile, 'data': data})
        return context

    def get_userprofile(self):
        return self.request.user.userprofile
If I check the other possible combinations (user patient, medical and physiotherapist), could this work?
I am thinking of creating groups for (Medicals, Patients, Physiotherapists) and binding users to them for the authorization topic, although should I review other things for the authorization process, such as django guardian for example?
How about this?
Hi, I'm really a noob at Django.
Can I ask if there is any way to filter a list by user group?
When creating a user in the admin, there is also a choice for creating groups. After assigning these users to certain groups, I have another model, e.g. Staff, where Staff information is provided and is linked to the user. So every Staff must be a user and must also be a member of the group staff. I have already created a drop-down menu on the Staff page for the list of users when creating a new Staff.
The problem is that I can't seem to figure out how the list of users shown on the Staff page can be filtered according to the user group and also assignment, since it should be a OneToOne relation with the user. So users who have been used, or are already linked to a certain staff, will not show in that list again when creating a new Staff.
I'm thinking of using Staff.model.count()? to do that and == the user to Staff User Group. But where should I put it in order to customize it? Please help.
You should write your own ModelAdmin, then unregister User and register User with UserAdmin with your custom behaviour. This way you can overwrite the queryset, forms etc. Look at the ModelAdmin source code.
from django.contrib import admin
from django.contrib.auth.models import User
class UserAdmin(admin.ModelAdmin):
    # do stuff
    pass

admin.site.unregister(User)
admin.site.register(User, UserAdmin)