Monday, May 28, 2018

Re: Authenticated users should only be able to see their own data

On 29/05/2018 11:44 AM, Mike Dewhirst wrote:
> On 29/05/2018 11:04 AM, Dylan Moreland wrote:
>> Hello,
>>
>> I'm building an employee performance tracker for my company, and I'd
>> like each employee to be able to view their own infractions (late to
>> a shift, missed punch, etc.) and no one else's, obviously. I plan to
>> use the built-in Django admin interface to allow HR to modify the
>> database as necessary, and I also want to build a frontend for
>> employees to access.

I also meant to say you don't need a separate Employee model. The
existing Django auth.user has what you need. You probably want a
user_profile model to carry 1:1 information not available in auth.user.

The docs recommend that you create your own user by inheriting from
django.contrib.auth.models.AbstractUser and maybe that's what you are
doing with your Employee model. I think it is a good idea unless you
are sure you won't need to.

https://docs.djangoproject.com/en/1.11/topics/auth/customizing/#extending-the-existing-user-model


>
> You write views to extract data from the database and render the
> result in a frontend template. Provided you force the users to
> authenticate, generally by decorating the views with @login_required,
> then the http request object Django gives you has the authenticated
> user as an attribute. ie., request.user is the employee object.
>
> If you then retrieve infraction data from the database keyed on
> request.user, that employee will only see his or her own infractions
> and no-one else's.
>
> There are other things you need to watch. For example, don't let
> employees access the admin (user.is_staff = False) unless you have
> taken care to prevent them seeing other data. It is more complex than
> doing it in your own views but it can be done.
>
> You might also think about warning users to logout after visiting
> their page because by default a Django session lasts two weeks. It is
> a bit problematic trying to force logout from the server.
>
> Good luck. I think you will enjoy the flexibility and power of Django.
>
>
>>
>> My models are currently set up as follows:
>>
>>     *_'Employee' model:_*
>>     - first_name (CharField)
>>     - last_name (CharField)
>>
>>     *_'InfractionType' model:_*
>>     - description (CharField)
>>
>>     *_'Infraction' model:_*
>>     - timestamp (DateTimeField)
>>     - employee (ForeignKey, Employee)
>>     - type (ForeignKey, InfractionType)
>>     - has_comment (Boolean) # true if employee has added an explanatory
>>       comment to our timecard system, false if they haven't
>>     - description (CharField)
>>
>>
>> I am also using the django.contrib.auth and django.contrib.admin
>> libraries and their corresponding database tables.
>>
>> How should I set up my templates such that each logged-in user has
>> access to only their own employee information? I get the sense that I
>> will need to add a one-to-one relationship between the User table and
>> Employee table, but I'm not sure if I'm on the right track.
>>
>> Also, I've been developing in Django for about three days now, so I'm
>> very new to all of this. I appreciate your patience and support.
>>
>>
>> Thanks so much for your help,
>> Dylan

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/e92b1814-e6f0-706b-fa4a-ca9dba475923%40dewhirst.com.au.
For more options, visit https://groups.google.com/d/optout.
