> 1. Do I have to create many-to-many relationships and before serving a page
> make sure the user making the request is "permitted" to see it?
That's how I've done this in the past. It's not too much burden.
In my case, I had several image 'banks', and a user could have access
to one or more, so there was a many-to-many between the user and bank
models. In addition, the user could be on a single bank at a time
(but could easily hop from one to the other), so I chose to store the
bank ID in the session. To make it easier, I wrote a similar decorator
that added a 'bank' field to the request, something like this
(from failing memory):
request.bank = get_object_or_404(Bank, user=request.user,
                                 pk=request.session['bank_id'])
That way, if a user somehow modified his session to point to a bank he
doesn't have access to, he would get a 404.
Then, in any view that included a picture id, instead of doing the usual:
@login_required
def showpicture(request, pict_id):
    picture = get_object_or_404(Picture, pk=pict_id)
    ......
I did it like:
@login_required
@bank_required
def showpicture(request, pict_id):
    picture = get_object_or_404(Picture, bank=request.bank, pk=pict_id)
    ....
with the same "404 if not allowed" result.
--
Javier
--
You received this message because you are subscribed to the Google Groups "Django users" group.
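The pattern Javier describes, rebuilt as an added example (not his code, and not Django itself) so it runs offline: membership is checked inside the bank lookup, and every picture lookup is scoped to the session's bank, so a tampered session id or a picture id from another bank both end in a 404. The names BANKS, PICTURES, NotFound and bank_required are assumptions standing in for the Django models and Http404.

```python
# Added example, not Javier's code: the post's "scope every lookup by the
# session's bank" pattern, rebuilt without Django so it runs offline.
# Names (BANKS, PICTURES, NotFound, bank_required) are assumptions.
from functools import wraps
from types import SimpleNamespace

class NotFound(Exception):
    """Stand-in for Django's Http404: a denied request looks like a missing one."""

# Constructed sample data: many-to-many user<->bank membership and pictures per bank.
BANKS = {10: {"users": {1}}, 20: {"users": {2}}}      # bank id -> member user ids
PICTURES = {5: {"bank": 10}, 7: {"bank": 20}}         # picture id -> owning bank

def get_bank_or_404(user, bank_id):
    """Like get_object_or_404(Bank, user=request.user, pk=bank_id): the
    membership filter is part of the lookup, so a session pointing at a bank
    the user is not a member of raises 404 instead of returning the bank."""
    bank = BANKS.get(bank_id)
    if bank is None or user not in bank["users"]:
        raise NotFound(f"bank {bank_id}")
    return bank_id

def bank_required(view):
    """Decorator: resolve request.bank from the session before the view runs."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        request.bank = get_bank_or_404(request.user, request.session.get("bank_id"))
        return view(request, *args, **kwargs)
    return wrapper

def show_picture_unscoped(request, pict_id):
    """The 'usual' view from the post: any logged-in user can fetch any picture id."""
    if pict_id not in PICTURES:
        raise NotFound(f"picture {pict_id}")
    return pict_id

@bank_required
def show_picture(request, pict_id):
    """Scoped lookup, like get_object_or_404(Picture, bank=request.bank, pk=pict_id)."""
    picture = PICTURES.get(pict_id)
    if picture is None or picture["bank"] != request.bank:
        raise NotFound(f"picture {pict_id}")
    return pict_id

def make_request(user, bank_id):
    """Constructed stand-in for a logged-in Django request with a session."""
    return SimpleNamespace(user=user, session={"bank_id": bank_id}, bank=None)
```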