Saturday, March 28, 2020

RE: Question about Guest users and AnonymousUser best practices

First an apology for top-posting. Blame my stupid phone.

I like django-auth and group permissions to segregate functionality and hide/reveal stuff.

I also like your notion of auto-creation of a fresh user.

I think it might be worthwhile doing a Django 3rd party app which plugs into the existing auth system and which offers ...

1. Register as guest user or

2. Let us create a temporary username and password for you

In either case the same group membership would be assigned as appropriate.

You could inform the user that the created account and all records involved will be deleted after x days/weeks if they fail to enter a valid email or if they fail to respond to a "Confirm" email.

This approach pre-supposes you already use group membership to control things. My projects all rely on group permissions with absolutely no individual permissions.

YMMV

Cheers

Mike




-------- Original message --------
From: Charles Thayer <thayer@b2si.com>
Date: 29/3/20 10:08 (GMT+10:00)
To: Django users <django-users@googlegroups.com>
Subject: Question about Guest users and AnonymousUser best practices

I'm trying to convert an existing project to have a "guest user" experience that is very much like a logged in user with some minor differences. Does anyone have opinions, or a pointer to some guides about the best practices around this?

We already have foreign keys in a few places that point to settings.AUTH_USER_MODEL, and AnonymousUser doesn't work there.

TBH all my Django projects have required a login or a completely different experience for anonymous users, but it seems like there are lots of potential and subtle pitfalls.

Some ideas we're considering:

* class: make a new user class, GuestUser, based on AbstractBaseUser and somehow have each session create a new one of these (then expire these aggressively)
* user: have a single global guestuser that's a real user. I imagine we need middleware to make anonymous users become this automatically and without a password.
* DB: update models to have a separate foreign key or is_guest_flag to indicate a guest user (or the global guest user) and code around this.
* groups: create a batch of users in a special group and "login" anonymous sessions to one of these automatically. Works with the usual permissions nicely. Has the benefit of letting us have a limit on these, but seems like class with a lot of extra work to manage and expire these.

Leading questions:

* How to keep it simple?
* Is there a pre-made solution?
* How do we promote guest users to real users?
* Which approach breaks the least 3rd party packages?

Our current favorite is the class approach. In djangoSHOP they set is_active=False and have clearly thought through this in the context of a shopping site with extremely important guest shopping-carts (link below).

Related links:

* https://django-shop.readthedocs.io/en/latest/reference/customer-model.html
* https://simpleisbetterthancomplex.com/tutorial/2016/07/22/how-to-extend-django-user-model.html
* https://simpleisbetterthancomplex.com/tutorial/2018/01/18/how-to-implement-multiple-user-types-with-django.html

Thanks,
/charles
