Wednesday, September 23, 2015

Re: Django admin suitable for external users?

How technical are your users?
Not very technical, necessarily. They're normal end-users.

What are your security constraints?
We're in the medical industry, so security is a key consideration for us in general. I think the main concerns about Django admin specifically were that it encompasses so much functionality, we might wind up shooting ourselves in the foot by failing to lock something down properly. Also, there might be discoverable exploits since it's an open source product.

How much work can you do to make it "pretty"?  (Believe me, someone will ask.)
I believe the hope is that we wouldn't spend any more time making it pretty than we would spend if we wrote our own custom HTML. We don't have strict style guidelines we would need to adhere to, except maybe for the header / footer.

Are there fields that you want to administer internally but don't want to expose to the users?
Yes, but I think(?) this can be tailored to the logged-in user.

Will your users object if you decide to move to a newer Django version and the interface changes?
I think it's possible they would, but perhaps not too much.

Thank you for the insights!


On Wednesday, September 23, 2015 at 4:50:28 PM UTC-4, ke1g wrote:
How technical are your users?
What are your security constraints?
How much work can you do to make it "pretty"?  (Believe me, someone will ask.)
Are there fields that you want to administer internally but don't want to expose to the users?
Will your users object if you decide to move to a newer Django version and the interface changes?

You can make it work, but in many instances it will save you less effort than you thought (might even be harder).

A few custom views are pretty easy to roll out.

On Wed, Sep 23, 2015 at 4:00 PM, Joshua Pokotilow <jpoko...@gmail.com> wrote:
Hello! I just had a fairly lengthy conversation with my colleagues about whether or not Django admin is well-suited to external users outside our company. I took the position that for certain use-cases, exposing Django admin to third parties makes a lot of sense, given that the admin application has all kinds of features baked in that are well-suited to certain admin tasks (ACL, customizable templates, dynamically built CRUD forms, etc.). Unfortunately, I met with a lot of resistance on account of fears over ease of customizability, security, and technology lock-in. Furthermore, there was some concern that exposing Django admin to third parties might send us off the beaten path, and that doing so could be an antipattern.

I would appreciate knowing how other developers feel on this subject, and would love to hear about how some larger companies that use Django (Instagram, Disqus) think things through.

Thanks.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/59231ea7-4bd1-41c2-97ef-f294a380bcb4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
