限制仪表板用户 Django-Oscar (Sandbox Gateway App)
Restrict Dashboard Users Django-Oscar (Sandbox Gateway App)
如何限制仪表板用户?我已经安装了沙盒站点附带的网关应用程序,但据我所知,用户只是自动获得仪表板访问权限。显然这是一个安全问题。我已经阻止未经身份验证的用户查看网站的某些部分,但我需要能够 restrict/approve 访问仪表板。
在我看来,我必须编写一个自定义 view/form 才能从仪表板执行此操作,并将待处理的帐户注册提要提供给它。
任何指点将不胜感激。
相关代码:
import logging
from django.views import generic
from django.contrib.auth.models import User
from django.contrib import messages
from django.core.mail import send_mail
from django import http
from django.core.urlresolvers import reverse
from django.template.loader import get_template
from django.template import Context
from apps.gateway import forms
from oscar.apps.customer.forms import generate_username
logger = logging.getLogger('gateway')
class GatewayView(generic.FormView):
template_name = 'gateway/form.html'
form_class = forms.GatewayForm
def form_valid(self, form):
real_email = form.cleaned_data['email']
username = generate_username()
password = generate_username()
email = 'dashboard-user-%s@oscarcommerce.com' % username
user = self.create_dashboard_user(username, email, password)
self.send_confirmation_email(real_email, user, password)
logger.info("Created dashboard user #%d for %s",
user.id, real_email)
messages.success(
self.request,
"The credentials for a dashboard user have been sent to %s" % real_email)
return http.HttpResponseRedirect(reverse('gateway'))
def create_dashboard_user(self, username, email, password):
user = User.objects.create_user(username, email, password)
user.is_staff = True
user.save()
return user
def send_confirmation_email(self, real_email, user, password):
msg = get_template('gateway/email.txt').render(Context({
'email': user.email,
'password': password
}))
send_mail('Dashboard access to Oscar sandbox',
msg, 'blackhole@latest.oscarcommerce.com',
[real_email])
https://github.com/django-oscar/django-oscar/blob/master/sites/sandbox/apps/gateway/views.py
只要电子邮件有效,这就会自动创建一个 is_staff 用户。
所以我最终使用的解决方案是限制超级用户访问网关。由于该应用已经使用
django.contrib.auth.middleware.AuthenticationMiddleware
它可以访问用户模型。
我在网关电子邮件请求模板中放置了一个 if 块 form.html
:
{% if user.is_authenticated %}
{% if user.is_superuser %}
<email form>
{% else %}
<insufficient user privileges partial template>
{% endif %}
<not logged in partial template>
{% endif %}
同样对于零售访问,我使用了
{% if user.is_authenticated %}
{% if user.is_staff%}
<email form>
{% else %}
<insufficient user privileges partial template>
{% endif %}
<not logged in partial template>
{% endif %}
这样,只有超级用户才能创建员工,员工和超级用户都可以创建零售账户。
如何限制仪表板用户?我已经安装了沙盒站点附带的网关应用程序,但据我所知,用户只是自动获得仪表板访问权限。显然这是一个安全问题。我已经阻止未经身份验证的用户查看网站的某些部分,但我需要能够 restrict/approve 访问仪表板。
在我看来,我必须编写一个自定义 view/form 才能从仪表板执行此操作,并将待处理的帐户注册提要提供给它。
任何指点将不胜感激。
相关代码:
import logging
from django.views import generic
from django.contrib.auth.models import User
from django.contrib import messages
from django.core.mail import send_mail
from django import http
from django.core.urlresolvers import reverse
from django.template.loader import get_template
from django.template import Context
from apps.gateway import forms
from oscar.apps.customer.forms import generate_username
logger = logging.getLogger('gateway')
class GatewayView(generic.FormView):
template_name = 'gateway/form.html'
form_class = forms.GatewayForm
def form_valid(self, form):
real_email = form.cleaned_data['email']
username = generate_username()
password = generate_username()
email = 'dashboard-user-%s@oscarcommerce.com' % username
user = self.create_dashboard_user(username, email, password)
self.send_confirmation_email(real_email, user, password)
logger.info("Created dashboard user #%d for %s",
user.id, real_email)
messages.success(
self.request,
"The credentials for a dashboard user have been sent to %s" % real_email)
return http.HttpResponseRedirect(reverse('gateway'))
def create_dashboard_user(self, username, email, password):
user = User.objects.create_user(username, email, password)
user.is_staff = True
user.save()
return user
def send_confirmation_email(self, real_email, user, password):
msg = get_template('gateway/email.txt').render(Context({
'email': user.email,
'password': password
}))
send_mail('Dashboard access to Oscar sandbox',
msg, 'blackhole@latest.oscarcommerce.com',
[real_email])
https://github.com/django-oscar/django-oscar/blob/master/sites/sandbox/apps/gateway/views.py 只要电子邮件有效,这就会自动创建一个 is_staff 用户。
所以我最终使用的解决方案是限制超级用户访问网关。由于该应用已经使用
django.contrib.auth.middleware.AuthenticationMiddleware
它可以访问用户模型。
我在网关电子邮件请求模板中放置了一个 if 块 form.html
:
{% if user.is_authenticated %}
{% if user.is_superuser %}
<email form>
{% else %}
<insufficient user privileges partial template>
{% endif %}
<not logged in partial template>
{% endif %}
同样对于零售访问,我使用了
{% if user.is_authenticated %}
{% if user.is_staff%}
<email form>
{% else %}
<insufficient user privileges partial template>
{% endif %}
<not logged in partial template>
{% endif %}
这样,只有超级用户才能创建员工,员工和超级用户都可以创建零售账户。