Need help in Django User Model customization and authentication


Ajat Prabha

May 13, 2017, 10:32:27 AM
to Django users

Hello everyone,
I'm creating a payment gateway to make transactions on my college campus go cashless. It can be used to pay library dues, stationery charges, etc. The user will add money to a central account and then he/she can use that money virtually. I chose Django because of its security. But as I need 3 groups of users viz. Faculty, Student and Staff, I'm having trouble implementing this in the best possible way. I fix one thing, the other gets disturbed. I'm new to Django, so I don't have much experience. I'm comfortable with views, basic models, etc. But this User customization, I can't get it right.

I'm attaching a representational User model (any suggestions are welcome), please have a look. All the 3 groups will have certain fields common and certain fields specific to that group only like roll_number/employee_code and permission_sets (in case the system is later used for access to labs, etc.). The fields at the bottom of the image will be common to all groups.


I also tried this customization which worked but then I had issues in Django admin view where the password was stored in plain hashed value. I think it has something to do with reimplementing ReadOnlyPasswordHashWidget method declared in django.contrib.auth.forms but I'm not sure!

I chose Django in the first place for security reasons and I'm not able to get it right.
Can someone please help me out?

Thanks!

Constantine Covtushenko

May 13, 2017, 2:29:14 PM
to django...@googlegroups.com
Hi Ajat,

It was not clear to me why you do not use 'Extending the existing User model' approach, described here.

For me it works very well in almost all cases.
And if you go that way then authentication/authorization based questions should not bring any worries at all.

But maybe I missed something.
If so, please provide us with more concrete questions.

Regards,
Constantine C.

--
Sincerely yours,
Constantine C

Scot Hacker

May 14, 2017, 12:45:25 PM
to Django users
This is a fairly common need in academia, where your users need a different set of profile fields depending on affiliation. And you always end up with edge cases where some people are simultaneously faculty and staff, or even student and faculty, etc. And those "special" people will need to have all of the right fields available to them.  You could take an approach something like this:

- Set up standard Groups for Students, Faculty, Staff (and maybe Alumni)
- Have a management command or import script that ensures everyone is in all the right groups
- Set up a shared UserProfile model that includes all shared fields
- For convenience, set up model methods on UserProfile that determine a person's status based on group membership, e.g. `is_faculty()`, `is_student()` etc. (taking care to not interfere with Django's built-in `is_staff` boolean!). This way you can do quick affiliation checks from anywhere (e.g. in templates)
- Set up additional FacultyProfile, StudentProfile, StaffProfile classes with the unique fields and with ForeignKeys to UserProfile
- Either in your import scripts or in save() method or elsewhere, instantiate the additional profile classes:

if user.is_faculty():
    # get_or_create() returns an (object, created) tuple
    fac_profile, created = FacultyProfile.objects.get_or_create(user=user)

That's very loose and there are many ways to go about it, but that's one possible approach.  Another would be to simply put *all* possible fields on UserProfile and just populate them based on affiliation. That's not very clean though, because if someone stops being faculty for instance, it would be tricky to ensure you remove all of the right field data (it's messy). So  season to taste.

./s

Ajat Prabha

May 18, 2017, 7:34:08 AM
to Django users, constan...@gmail.com
Thanks for your reply, actually I need two passwords, one being normal alphanumeric and other being PIN-based with proper validation and features provided by Django auth core. Is it possible to do that with just extending User model?

Ajat Prabha

May 18, 2017, 7:43:38 AM
to Django users
Thanks for the reply, Scot, I've some questions here:
  1. Is setting up groups necessary if I'm creating shared UserProfile? If not, will groups be anyhow beneficial to this new setup?
  2. Shall I create shared UserProfile from User? If yes, how can I handle the need for two passwords, one being normal alphanumeric for normal dashboard login and one being PIN-based for transactions with validation and security like Django's auth package?
  3. Could you please elaborate/explain the need for this or maybe how is this useful:

  1. Either in your import scripts or in save() method or elsewhere, instantiate the additional profile classes:
    if user.is_faculty():
      # get_or_create() returns an (object, created) tuple
      fac_profile, created = FacultyProfile.objects.get_or_create(user=user)

Thanks! 