2015-11-19 59 views
4

如何限制儀表板用戶?我已經安裝了沙箱網站附帶的網關應用程序,但據我所知,用戶只是自動批准儀表板訪問。顯然這是一個安全問題。我已經阻止未經過身份驗證的用戶查看網站的某些部分,但我需要能夠限制/批准訪問儀表板。限制儀表板用戶Django-Oscar(沙盒網關應用)

我看到它的方式,我將不得不寫一個自定義視圖/表單才能夠從儀表板執行此操作,並且有待處理的帳戶註冊提要。

任何指針,將不勝感激。

相關代碼:

import logging 

from django.views import generic 
from django.contrib.auth.models import User 
from django.contrib import messages 
from django.core.mail import send_mail 
from django import http 
from django.core.urlresolvers import reverse 
from django.template.loader import get_template 
from django.template import Context 

from apps.gateway import forms 
from oscar.apps.customer.forms import generate_username 

logger = logging.getLogger('gateway') 


class GatewayView(generic.FormView): 
    template_name = 'gateway/form.html' 
    form_class = forms.GatewayForm 

    def form_valid(self, form): 
     real_email = form.cleaned_data['email'] 
     username = generate_username() 
     password = generate_username() 
     email = 'dashboard-user-%[email protected]' % username 

     user = self.create_dashboard_user(username, email, password) 
     self.send_confirmation_email(real_email, user, password) 
     logger.info("Created dashboard user #%d for %s", 
        user.id, real_email) 

     messages.success(
      self.request, 
      "The credentials for a dashboard user have been sent to %s" % real_email) 
     return http.HttpResponseRedirect(reverse('gateway')) 

    def create_dashboard_user(self, username, email, password): 
     user = User.objects.create_user(username, email, password) 
     user.is_staff = True 
     user.save() 
     return user 

    def send_confirmation_email(self, real_email, user, password): 
     msg = get_template('gateway/email.txt').render(Context({ 
      'email': user.email, 
      'password': password 
     })) 
     send_mail('Dashboard access to Oscar sandbox', 
        msg, '[email protected]', 
        [real_email]) 

https://github.com/django-oscar/django-oscar/blob/master/sites/sandbox/apps/gateway/views.py 這只是自動創建一個is_staff用戶,只要電子郵件是有效的。

+0

我以爲有一個想法是將儀表板頁面限制爲已經過身份驗證的用戶,標記爲is_staff。看起來很笨拙 –

+0

你看過相關的[儀表板權限文檔](http://django-oscar.readthedocs.org/en/latest/ref/apps/dashboard.html?highlight=dashboard)嗎?捆綁的沙盒應用程序是[探索奧斯卡的示例站點](http://django-oscar.readthedocs.org/en/latest/internals/sandbox.html?highlight=sandbox),但並不適合所有情況。 – tutuDajuju

回答

0

所以我最終使用的解決方案是限制網關訪問超級用戶。由於該應用程序已經使用

django.contrib.auth.middleware.AuthenticationMiddleware 

它可以訪問用戶模型。 我把一個if塊在網關郵件請求模板form.html

{% if user.is_authenticated %} 
    {% if user.is_superuser %} 
    <email form> 
    {% else %} 
    <insufficient user privileges partial template> 
    {% endif %} 
    <not logged in partial template> 
{% endif %} 

同樣,對於零售業訪問,我用

{% if user.is_authenticated %} 
    {% if user.is_staff%} 
    <email form> 
    {% else %} 
    <insufficient user privileges partial template> 
    {% endif %} 
    <not logged in partial template> 
{% endif %} 

這樣一來,只有超級用戶可以創建的工作人員,和兩個工作人員超級用戶可以創建零售帳戶。