Overriding returned contents of user objects

0 views
Skip to first unread message

Tane Piper

unread,
Apr 13, 2008, 6:46:21 AM4/13/08
to Django Users Group
Hi there,

I'm currently building a Django app that uses JavaScript and Ajax.
One of the things I am doing is within each view, as well as
outputting a variable as standard, I also JSON encode any objects on
the page and return them as well, so when the page loads, they are in
the DOM as values I can use to manipulate the page.

One of the issues I am having is with the code below for example:

def get_project_list(request):
member = Member.members.get(user__exact = request.user)
projects = [project for project in Project.projects.all() if
project.get_permissions(request.user).view_project]

if request.is_ajax():
template = 'project/project_list_ajax.html'
else:
template = 'project/project_list.html'

return render_to_response(template,
{
'view_title': "All Projects",
'projects': projects,
'json_output': json_encode({'projects' : projects, 'user'
: member}),
}, context_instance=RequestContext(request)
)

i then output it like this

<script>
var hgfront = {{json_output}}
</script>

When I go into the DOM tab in Firebug, I can see the variables in the
dom. All are attached to a hgfront object, so for example, a page
might look like this in the dom

+ hgfront
+ options
+ projects
+0
+_project_manager_cache
name
id
.....

As you can see, each object is converted into JSON, but the problem
comes when I get a project, as you can see it passes along the
_project_manager_cache - which is the user object. Now the problem I
am having is the users password, although hashed, is showing like so:

_project_manager_cache
Object username=tanep first_name=Tane last_name=Piper
date_joined
"2008-04-10 18:40:55"
email
"digitals...@gmail.com"
first_name
"Tane"
id
2
is_active
true
is_staff
true
is_superuser
true
last_login
"2008-04-10 22:46:12"
last_name
"Piper"
password
"sha1$65c5c$ac5966b3082279392h737373144cf6db200c3"
username
"tanep"

The problem is that this isn't even being done with a select_related()
query, so the object is automatically being output. What I want to
know is there any way I could simplify the method and have it remove
the password field any time a user object is being selected as part of
a related query?? I'm sure there is a need for it when doing
authorisation, but once a session has been confirmed, is it needed
again?

--
Tane Piper
Blog - http://digitalspaghetti.me.uk
Skype: digitalspaghetti

This email is: [ ] blogable [ x ] ask first [ ] private

Malcolm Tredinnick

unread,
Apr 13, 2008, 6:59:46 AM4/13/08
to django...@googlegroups.com

On Sun, 2008-04-13 at 11:46 +0100, Tane Piper wrote:
[...]

> What I want to
> know is there any way I could simplify the method and have it remove
> the password field any time a user object is being selected as part of
> a related query??

Not really, unless you use values(). For any model, if the Python object
is being constructed, it pulls back all the values it needs to populate
the attributes. The password hash is an attribute of the User model.

> I'm sure there is a need for it when doing
> authorisation, but once a session has been confirmed, is it needed
> again?

Login isn't the only time when the password hash might be needed (for
example, it's displayed and editable in the admin screen) and it would
be quite hacky to introduce a special case for saying when that field
shouldn't be displayed. You're using the User object in public-readable
situations, which isn't really part of the design. So change your design
a bit so that you're not throwing around this information if you don't
want it displayed. Yes, anything can be serialised using json, but that
doesn't mean you should indiscriminately do so or that the framework
should accommodate that.

It might make sense in your situation to just pull back the values()
that you need for various objects and serialise that dictionary. Or you
could make another pass through the projects list and blank out the
attribute(s) you aren't interested in, such as _project_manager_cache.

Regards,
Malcolm

--
A clear conscience is usually the sign of a bad memory.
http://www.pointy-stick.com/blog/

Tane Piper

unread,
Apr 13, 2008, 7:56:15 AM4/13/08
to django...@googlegroups.com
Hi Malcolm,

values() seems to be the way to go for now. I've extracted some of
the code back to a context variable, and anything within a view I'll
just have to try and make it as efficient as possible, while still
removing the user object from the context.

--

Tane Piper

unread,
Apr 13, 2008, 8:34:51 AM4/13/08
to django...@googlegroups.com
Hi again,

I seem to have come a cropper with this. Although it returns the
fields I want on other models, on my Project model it seems to affect
it's functions and attribues For example, in this line:

projects = [project for project in Project.projects.all() if
project.get_permissions(request.user).view_project]

if I try do:

projects = [project for project in

Project.projects.all().values('project_id', 'project_name') if
project.get_permissions(request.user).view_project]

I get this error:

'dict' object has no attribute 'get_permissions'

I have tried passing it as a field but it comes back that it doesn't
exist. Any suggestions?

Reply all
Reply to author
Forward
0 new messages