All geek questions in one place

Restrict Django-Oscar Dashboard Users (Sandbox Gateway Application)

How can I restrict Dashboard users? I installed the gateway application that comes with the sandbox site, but as far as I can tell, users are simply automatically approved to access the dashboard. Obviously, this is a security issue. I have already blocked unauthenticated users from viewing parts of the site, but I need to restrict / approve access to the control panel.

The way I see this, I would need to write a custom view / form in order to be able to do this from the control panel, and have a registration registration feed for it.

Any pointers would be appreciated.

Relevant Code:

import logging

from django.views import generic
from django.contrib.auth.models import User
from django.contrib import messages
from django.core.mail import send_mail
from django import http
from django.core.urlresolvers import reverse
from django.template.loader import get_template
from django.template import Context

from apps.gateway import forms
from oscar.apps.customer.forms import generate_username

logger = logging.getLogger('gateway')


class GatewayView(generic.FormView):
    template_name = 'gateway/form.html'
    form_class = forms.GatewayForm

    def form_valid(self, form):
        real_email = form.cleaned_data['email']
        username = generate_username()
        password = generate_username()
        email = 'dashboard-user-%s@oscarcommerce.com' % username

        user = self.create_dashboard_user(username, email, password)
        self.send_confirmation_email(real_email, user, password)
        logger.info("Created dashboard user #%d for %s",
                    user.id, real_email)

        messages.success(
            self.request,
            "The credentials for a dashboard user have been sent to %s" % real_email)
        return http.HttpResponseRedirect(reverse('gateway'))

    def create_dashboard_user(self, username, email, password):
        user = User.objects.create_user(username, email, password)
        user.is_staff = True
        user.save()
        return user

    def send_confirmation_email(self, real_email, user, password):
        msg = get_template('gateway/email.txt').render(Context({
            'email': user.email,
            'password': password
        }))
        send_mail('Dashboard access to Oscar sandbox',
                  msg, 'blackhole@latest.oscarcommerce.com',
                  [real_email])

https://github.com/django-oscar/django-oscar/blob/master/sites/sandbox/apps/gateway/views.py is_staff, .

+4
1

, , , .

django.contrib.auth.middleware.AuthenticationMiddleware

. if form.html:

{% if user.is_authenticated %}
    {% if user.is_superuser %}
    <email form>
    {% else %}
    <insufficient user privileges partial template>
    {% endif %}
    <not logged in partial template> 
{% endif %}


{% if user.is_authenticated %}
    {% if user.is_staff%}
    <email form>
    {% else %}
    <insufficient user privileges partial template>
    {% endif %}
    <not logged in partial template> 
{% endif %}

, , , .

0

Source: https://habr.com/ru/post/1616636/

More articles:


All Articles