Tag: permission

  • Django Model-Owner

    The option to make a model owned by a user is actually documented for the Django Admin app. However, for reference, here are the steps:

    First, the model you want to have an owner needs to reference “User” as a foreign key: (in models.py)

    from django.contrib.auth.models import User
    from django.db import models

    class Website(models.Model):
        # the owner: one User per Website; deleting the user deletes their websites
        submitted_by = models.ForeignKey(User, on_delete=models.CASCADE)
        url = models.URLField()

    If you want to use this model in the Django admin, the app provides an explicit hook for this when defining admin models: (in admin.py)

    from django.contrib import admin
    from django.contrib.admin import ModelAdmin

    @admin.register(Website)
    class WebsiteAdmin(ModelAdmin):
        model = Website
        list_display = ('url', )
        # keep the owner out of the form so it cannot be chosen by hand
        exclude = ('submitted_by', )

        def save_model(self, request, obj, form, change):
            if not change:
                # only set the owner when the object is created, never on an edit
                obj.submitted_by = request.user
            super().save_model(request, obj, form, change)

    A heads-up: the Django documentation is explicit that both save_model and delete_model have to call the corresponding super() method in order to actually save or delete the model. The reasoning is that these methods are meant to hook into the process and add extra steps; they are not meant to veto it.

    Additional thoughts: having an owner on a model is really convenient in plenty of situations, in particular when managing permissions. The field can, for example, be checked when viewing the details of an object.

    There are other, potentially more flexible approaches to the problem. In particular, when solving this in custom views, the field has to be set manually. The same is true when using more complete solutions like “django-guardian”.

  • MongoDB with no protection

    Students at the “Universität des Saarlandes” found almost 40k MongoDB instances, apparently with no access protection at all. Access to these databases includes write access.

    Source: Universität des Saarlandes, Aktuelles aus Studium und Forschung (news from study and research).