I'm creating a multiple-tenant application that won't use any of the standard Django Admin (except for internal use, which will have access to all tenants... that's simple enough). I'm trying to create an authorization system of my own, and I'm not interested in using the standard User model (or any built-in application's model). My application will have accounts, and each account will have administrators (had to use Administrator vs User for name-clash purposes). Those users will authenticate using my own completely custom system. Is this all wrong? Should/can I still use Django's auth system in a multi-tenant situation which uses my own custom interface (like mentioned before, I won't be allowing account holders to use the default Admin interface)? Are there security implications in using my own system, or do Django's standard security elements like session hijacking prevention protect me?

It seems to me that a lot of Django is built around the idea of using the Admin interface and not building multi-tenant SAAS software with your own Admin. Am I thinking of this all wrong?

+1  A: 

You definitely should use the Django auth system; it still does 90% of what you need.

I've built what looks exactly like your scenario in one project: corporate accounts, each with an admin user and multiple regular users.

Here's the model structure I used:

from django.contrib.auth.models import User
from django.db import models

class Account(models.Model): # represents a corporate customer
    admin = models.ForeignKey(User) # the one user who administers this account
    # other fields ...

class UserProfile(models.Model): # links an auth User to exactly one Account
    user = models.ForeignKey(User)
    account = models.ForeignKey(Account)

And some examples of enforcing authorization requirements at the view level with custom decorators:

@account_access_required # request.user.get_profile().account == account
def account_page(request, account_id):
    ...

@account_admin_required # request.user == account.admin
def account_users(request, account_id):
    ...

We actually used subdomains for accounts, so there was no need for explicit account_id parameter.

It is very reasonable to use a custom interface for account admins. The Django admin interface is only intended for 100%-trusted users like system administrators and internal support staff.

Alex Lebedev
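The two decorators the answer names, as an added example that is not the answer's own code: it is written without Django so it runs stand-alone, and the dataclasses, the ACCOUNTS dict and the PROFILE_ACCOUNT dict are constructed stand-ins for the User, Account and UserProfile models and their rows. In a real project the checks would follow the models' foreign keys and raise django.core.exceptions.PermissionDenied.

```python
from dataclasses import dataclass
from functools import wraps
class PermissionDenied(Exception): pass  # Django would turn this into an HTTP 403

@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True

@dataclass
class Account:
    id: int
    admin: User  # the one user allowed to manage the account's members

@dataclass
class Request:
    user: User

# Constructed sample rows: two tenants, one admin each, plus a plain member.
ALICE, BOB, MALLORY, ANON = User("alice"), User("bob"), User("mallory"), User("", False)
ACCOUNTS = {1: Account(1, admin=ALICE), 2: Account(2, admin=MALLORY)}
# Stands in for UserProfile.account: the tenant each username belongs to.
PROFILE_ACCOUNT = {"alice": ACCOUNTS[1], "bob": ACCOUNTS[1], "mallory": ACCOUNTS[2]}

def _tenant_check(admin_only):
    """Build a view decorator that enforces the tenant boundary before the view runs."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, account_id):
            user, account = request.user, ACCOUNTS.get(account_id)
            if account is None or not user.is_authenticated:
                raise PermissionDenied  # unknown account is indistinguishable from a forbidden one
            allowed = (user == account.admin if admin_only
                       else PROFILE_ACCOUNT.get(user.username) is account)
            if not allowed:
                raise PermissionDenied
            return view(request, account_id)
        return wrapper
    return decorator

account_access_required = _tenant_check(admin_only=False)  # profile.account == account
account_admin_required = _tenant_check(admin_only=True)    # user == account.admin

@account_access_required
def account_page(request, account_id):
    return f"account {account_id} page for {request.user.username}"

@account_admin_required
def account_users(request, account_id):
    return f"member list of account {account_id}"
```

A member of one tenant is refused both a page and the member list of another tenant, and an unknown account id fails the same way as a forbidden one.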
@Alex Lebedev How and where do you create the User object that the UserProfile is related to? Also, what attributes do you use of the User object (i.e., it has lots of attributes available, such as first_name, etc.)?
orokusaki
`User` is taken from django auth system. Your questions are answered in its documentation: http://docs.djangoproject.com/en/1.1/topics/auth/#topics-auth
Alex Lebedev