Django-single user with multiple employee account for each organization flow

Time: 07-23

I'm creating an application where a user has multiple employee accounts with each organization. When I log in with the user credentials it has to redirect to a choose-organization page listing the multiple organisations where I hold employee accounts, and after choosing any one organization it has to redirect to a dashboard page where all details related to the selected organization should be displayed. My doubt is: when I'm doing multiple API calls in the dashboard page, do I need to pass the selected organization id in all requests? ex: organization/orgid/team/teamid/members/team-member-id. If it goes like this the URL will grow long. Please help on this. Thanks in advance.

CodePudding user response:

No, you probably don't need long URLs. In many cases you will just refer to the object(s) which a view should display or manipulate. Before allowing the user to do this, you check that the user has permission to access them. There are various ways to do this, but if the user profile has an organisation and the view object also has an organisation, you might define get_object for class-based views something like this:

from django.core.exceptions import PermissionDenied

def get_object(self, queryset=None):
    # Let the generic view look the object up by the pk/slug in the URL.
    obj = super().get_object(queryset)

    # Refuse objects that belong to an organisation other than the user's.
    if self.request.user.profile.organisation_id != obj.organisation_id:
        raise PermissionDenied('...')  # or raise Http404 to answer "not found"
    return obj

You need to do this anyway because a user can feed anything he wants to in through his browser's URL bar, for example to attempt to spy on some other organisation that he knows is sharing the system.

Some might also want to use UUIDs as primary keys for sensitive entities, rather than sequentially increasing integers. (Doing so also makes URLs much longer!) The reason is that successive integers are fairly guessable/hackable, whereas UUIDs are not.
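The flow the answer describes, as an added, framework-free example (it is not code from the original post, and it does not import Django): the organisation chosen on the "choose organisation" page is kept server-side in the session, so dashboard URLs only carry the object id, and every lookup is then either checked against, or filtered by, that organisation. The names User, Session, Team, TEAMS, select_organisation, get_team_checked and get_team_scoped are hypothetical stand-ins for the Django model, session and view machinery, and the sample data is constructed. It also shows the difference between the answer's check-after-fetch (a foreign id yields 403 and so confirms the object exists) and a queryset filtered by organisation before the lookup (a foreign id is indistinguishable from a missing one, 404).

```python
"""Added example (not from the original post): per-organisation object access
without the organisation id in every URL. All names are hypothetical stand-ins
for Django models/views; the sample data is constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (HTTP 403)."""


class NotFound(Exception):
    """Stand-in for django.http.Http404 (HTTP 404)."""


@dataclass
class User:
    username: str
    # Organisation ids in which this user holds an employee account.
    employee_org_ids: Set[int]


@dataclass
class Session:
    # Set by the "choose organisation" view; None until the user has chosen.
    selected_org_id: Optional[int] = None


@dataclass
class Team:
    pk: int
    organisation_id: int
    name: str


# Constructed sample data: two organisations sharing the system, one team each.
TEAMS: Dict[int, Team] = {
    10: Team(pk=10, organisation_id=1, name="Acme / platform"),
    11: Team(pk=11, organisation_id=2, name="Globex / finance"),
}


def select_organisation(user: User, session: Session, org_id: int) -> None:
    """The "choose organisation" step. Only organisations in which the user
    really holds an employee account may be stored in the session; the id
    posted by the browser is never trusted on its own."""
    if org_id not in user.employee_org_ids:
        raise PermissionDenied(f"{user.username} has no employee account in organisation {org_id}")
    session.selected_org_id = org_id


def get_team_checked(session: Session, pk: int) -> Team:
    """The answer's pattern: fetch by pk, then compare organisation ids.
    A foreign id is refused with 403, which reveals that the object exists."""
    if session.selected_org_id is None:
        raise PermissionDenied("no organisation selected")
    obj = TEAMS.get(pk)
    if obj is None:
        raise NotFound(pk)
    if obj.organisation_id != session.selected_org_id:
        raise PermissionDenied(f"team {pk} belongs to another organisation")
    return obj


def get_team_scoped(session: Session, pk: int) -> Team:
    """Alternative: restrict the queryset to the selected organisation before
    looking the pk up (in Django terms, filter(organisation_id=...).get(pk=pk)),
    so a foreign id looks exactly like a non-existent one (404)."""
    if session.selected_org_id is None:
        raise PermissionDenied("no organisation selected")
    scoped = {k: t for k, t in TEAMS.items() if t.organisation_id == session.selected_org_id}
    obj = scoped.get(pk)
    if obj is None:
        raise NotFound(pk)
    return obj


def access_result(lookup: Callable[[Session, int], Team], session: Session, pk: int) -> str:
    """Map a lookup to the HTTP-style outcome a view would return."""
    try:
        lookup(session, pk)
        return "ok"
    except PermissionDenied:
        return "forbidden"
    except NotFound:
        return "not found"


if __name__ == "__main__":
    alice = User("alice", employee_org_ids={1})
    session = Session()
    select_organisation(alice, session, 1)
    for pk in (10, 11, 99):
        print(pk, access_result(get_team_checked, session, pk), access_result(get_team_scoped, session, pk))
```

Run as a script it prints, for team 10, 11 and the non-existent 99, the outcomes of both lookups (ok/ok, forbidden/not found, not found/not found). Whichever variant is used, the organisation comparison happens on every request: storing the choice in the session shortens the URLs but does not replace the per-object check.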
