How to ensure account-based separation in Django

I have a Django application that has a single account model. We are converting this to multi-account, so almost every model will have a ForeignKey(Account).

What is the easiest way to make sure that every Account (each account is on its own subdomain) can only access its own data? We have middleware that populates the subdomain and current account for each request.

We can do this the hard way by adding filter(...., account=request.account) to all our views. This is undesirable since:

  • filter(...., account=request.account) will be added to all requests, which will make this dry, repetitive and error-prone.
  • The greater risk is a missing filter; in any case it is a security risk.
5 answers

I don’t think there is any clear winner, especially if you think that not all requests should be filtered by account. Also, the old threadlocals trick is considered unreliable, which means that the only way to automatically insert filter parameters would be with middleware, I think ... but that also seems unreliable and complicated to me.

I also did not have a good way to make a query manager that could help here, but it is possible.
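As an added illustration of the "query manager" idea from this answer (example code, not from the thread and not Django's own API), the following pure-Python stand-in shows the invariant such a manager would enforce: a query can only be evaluated after it has been scoped to the request's account, so a view that forgets the account filter fails loudly instead of leaking other tenants' rows. The Account, Request, invoice rows and the open_invoice_ids view are all constructed for the example.

```python
from dataclasses import dataclass


class UnscopedQueryError(RuntimeError):
    """Raised when rows would be returned without an account filter."""


@dataclass(frozen=True)
class Account:
    id: int
    subdomain: str


@dataclass(frozen=True)
class Request:
    """Stand-in for request.account as set by the subdomain middleware."""
    account: Account


class AccountScopedQuery:
    """Lazy, chainable query; the account scope is carried, never dropped."""
    def __init__(self, rows, account=None, criteria=None):
        self._rows, self._account, self._criteria = rows, account, criteria or {}

    def for_account(self, account):
        if account is None:  # middleware failed to resolve the subdomain
            raise UnscopedQueryError("request.account is not set")
        return AccountScopedQuery(self._rows, account, self._criteria)

    def filter(self, **criteria):
        return AccountScopedQuery(self._rows, self._account, {**self._criteria, **criteria})

    def all(self):
        # Every evaluation path re-checks the scope before returning rows.
        if self._account is None:
            raise UnscopedQueryError("evaluated without for_account(); refusing cross-account rows")
        return [r for r in self._rows if r["account_id"] == self._account.id
                and all(r.get(k) == v for k, v in self._criteria.items())]


class AccountScopedManager:
    """Default manager: rows are only reachable through a request's account."""
    def __init__(self, rows):
        self._rows = rows

    def for_request(self, request):
        return AccountScopedQuery(self._rows).for_account(request.account)

    def get_queryset(self):
        return AccountScopedQuery(self._rows)  # unscoped: all() will raise


# Constructed sample rows: invoices belonging to two accounts.
INVOICES = [{"id": 1, "account_id": 1, "status": "paid"},
            {"id": 2, "account_id": 1, "status": "open"},
            {"id": 3, "account_id": 2, "status": "open"}]
ACME, GLOBEX = Account(1, "acme"), Account(2, "globex")
invoices = AccountScopedManager(INVOICES)


def open_invoice_ids(request):
    # A view: no explicit account filter, yet the result is still tenant-scoped.
    return [r["id"] for r in invoices.for_request(request).filter(status="open").all()]
```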


django.contrib.auth?

a ForeignKey(User, unique=true) User

ForeignKey(User)

django Auth Docs

edit: ...

    my_model.objects.filter(user=request.user)

:

    request.user.my_model_set.all()

Source: https://habr.com/ru/post/1729943/
