本文介绍了将django管理员暴露给用户。有害?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在一个Django上进行一些电子商务项目,简而言之,我拥有一个客户和一个商业模式。商家模型与MerchantStore模型相关联,该模型以某种方式复杂,具有多个m2m和各种模型的外键关系。



a href =http://www.b-list.org/weblog/2008/dec/24/admin/ =noreferrer> post ,并没有足够的时间来进行自定义实现我决定让每个商家成为东西的成员,并通过管理界面定制他的商店。资源我创建了一个具有相应权限的新组。



然而,出现了一些问题:



1)这被认为是有害的吗?有没有任何安全威胁相关联?



2)如果还没有足够的时间,这不是最好的方法吗?

解决方案

不,我不会认为这是有害的。



管理员的禅 Apress的djangobook似乎暗示了作为管理员哲学的一部分的信任假设,并与经常重复的管理员不是您的应用程序建议配对,我也是首先害怕,并认为Django文档可以指出目标,可用的用例。



请看我几乎相同的问题



从约旦的答案(我给了赏金):

还要注意Django的相对最近的安全更新
关于对象列表中的querystring参数。



这样的更新(引用:访问管理员的攻击者[...])清楚地表明管理员执行许可制度正在不断审查。


I am working on a Django somewhat e-commerce project, where, briefly, I have both a Customer and a Merchant model. The Merchant model is associated with a MerchantStore model which is somehow "complicated", having a plethora of m2m and foreign key relationships to various models.

Following the solution in this post and having not enough "time" to make a custom implementation, I decided to let each Merchant be a "stuff member" and customize his store through the admin interface. Of cource I created a new group with the appropriate permissions.

However, some questions arise:

1) Is this considered harmful? Are there any security threats associated?

2) Isn't this the best way to do it if you have not enough time anyway?

解决方案

No, I would not consider this harmful.

The "Zen of Admin" as described in Apress's djangobook seemed to imply an assumption of trust as part of the admin's "philosophy", and paired with the often-repeated "admin is not your app" advice, I too was scared at first and think the Django documentation could point out intended, viable use cases.

Please see my almost identical question Django AdminSite/ModelAdmin for end users?

From Jordan's answer (who I gave the bounty):

Also note Django's relatively recent security update http://www.djangoproject.com/weblog/2010/dec/22/security/regarding querystring parameters in object lists.

Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.

这篇关于将django管理员暴露给用户。有害?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-05 17:57