How can I restrict Dashboard users? I have installed the gateway app that ships with the sandbox site, but as far as I can tell, users are just approved automatically for dashboard access. Obviously this is a security concern. I have already blocked non-authenticated users from viewing portions of the site, but I need to be able to restrict/approve access to the dashboard.
The way I see it, I would have to write a custom view/form to be able to do it from the dashboard, and have the pending account registration feed to that.
Any pointers would be appreciated.
Relevant code:

    import logging
    from django.views import generic
    from django.contrib.auth.models import User
    from django.contrib import messages
    from django.core.mail import send_mail
    from django import http
    from django.core.urlresolvers import reverse
    from django.template.loader import get_template
    from django.template import Context
    from apps.gateway import forms
    from oscar.apps.customer.forms import generate_username

    logger = logging.getLogger('gateway')


    class GatewayView(generic.FormView):
        template_name = 'gateway/form.html'
        form_class = forms.GatewayForm

        def form_valid(self, form):
            real_email = form.cleaned_data['email']
            username = generate_username()
            password = generate_username()
            # The address domain was obfuscated by the page scraper; example.com is a placeholder.
            email = 'dashboard-user-%s@example.com' % username
            user = self.create_dashboard_user(username, email, password)
            self.send_confirmation_email(real_email, user, password)
            logger.info("Created dashboard user #%d for %s",
                        user.id, real_email)
            messages.success(
                self.request,
                "The credentials for a dashboard user have been sent to %s" % real_email)
            return http.HttpResponseRedirect(reverse('gateway'))

        def create_dashboard_user(self, username, email, password):
            # Every valid e-mail address yields a staff account; there is no approval step.
            user = User.objects.create_user(username, email, password)
            user.is_staff = True
            user.save()
            return user

        def send_confirmation_email(self, real_email, user, password):
            msg = get_template('gateway/email.txt').render(Context({
                'email': user.email,
                'password': password
            }))
            send_mail('Dashboard access to Oscar sandbox',
                      msg, 'oscar@example.com',  # sender address placeholder (obfuscated on the page)
                      [real_email])

https://github.com/django-oscar/django-oscar/blob/master/sites/sandbox/apps/gateway/views.py

This just automatically creates an is_staff user, as long as the email is valid.
So the solution I eventually used was to restrict gateway access to superusers. As the app already uses django.contrib.auth.middleware.AuthenticationMiddleware, it has access to the user model.
I placed an if block in the gateway email request template form.html:
    {% if user.is_authenticated %}
        {% if user.is_superuser %}
            <email form>
        {% else %}
            <insufficient user privileges partial template>
        {% endif %}
    {% else %}
        <not logged in partial template>
    {% endif %}
Similarly, for the retail access I used

    {% if user.is_authenticated %}
        {% if user.is_staff %}
            <email form>
        {% else %}
            <insufficient user privileges partial template>
        {% endif %}
    {% else %}
        <not logged in partial template>
    {% endif %}
This way, only superusers can create staff members, and both staff members and superusers can create retail accounts.
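Hiding the form in the template only changes what is rendered; the view's form_valid still runs for any POST that reaches the URL. The following is an added example, not code from the question, the answer, or django-oscar, that enforces the same superuser / staff policy in the view's dispatch() so a direct request is refused as well. GatewayAccessMixin, gateway_access_decision, fake_user and the RestrictedGatewayView / RetailGatewayView names are assumptions made here.

```python
from types import SimpleNamespace


def _is_authenticated(user):
    # Django < 1.10 exposes is_authenticated() as a method, later versions as a bool
    flag = getattr(user, "is_authenticated", False)
    return bool(flag() if callable(flag) else flag)


def gateway_access_decision(user, require_superuser=True):
    """Pure policy mirroring the two templates in the answer: 'login' for
    anonymous users, 'forbidden' for authenticated users without the role,
    'allow' otherwise. require_superuser=True is the dashboard gateway
    (superusers only); False is the retail gateway (staff or superusers)."""
    if not _is_authenticated(user):
        return "login"
    if getattr(user, "is_superuser", False):
        return "allow"
    if not require_superuser and getattr(user, "is_staff", False):
        return "allow"
    return "forbidden"


class GatewayAccessMixin(object):
    """Mixin for GatewayView: enforces the policy in dispatch(), so a direct
    POST is refused even though the template hides the form."""
    require_superuser = True

    def dispatch(self, request, *args, **kwargs):
        # Django imports are deferred so the policy can be unit-tested
        # without a configured Django project.
        from django.contrib.auth.views import redirect_to_login
        from django.http import HttpResponseForbidden

        decision = gateway_access_decision(request.user, self.require_superuser)
        if decision == "login":
            return redirect_to_login(request.get_full_path())
        if decision == "forbidden":
            return HttpResponseForbidden("Insufficient privileges for the gateway.")
        return super(GatewayAccessMixin, self).dispatch(request, *args, **kwargs)


# Wiring (hypothetical names; the mixin must come first in the bases):
#   class RestrictedGatewayView(GatewayAccessMixin, GatewayView): pass
#   class RetailGatewayView(GatewayAccessMixin, GatewayView): require_superuser = False

def fake_user(authenticated, staff=False, superuser=False):
    """Constructed stand-in for request.user, for offline checks only."""
    return SimpleNamespace(is_authenticated=authenticated, is_staff=staff, is_superuser=superuser)
```

The template checks can stay as they are; the mixin is the server-side control behind them.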