Category Archives: Application

Programmatically create Django security groups

Django authentication has security roles and CRUD permissions baked in from the get-go, but there’s a glaring omission: those roles, or Groups, are expected to be loaded by some competent administrator post-installation.  Groups are an excellent method of assigning access control to broad roles, but they don’t seem to be a first-class concept in Django.

It seems that you can kind of save these values by doing an export and creating a fixture, which will automatically reload at install time, but that’s not terribly explicit – not compared to code. And I’m not even sure if it will work.  So here’s my solution to programmatically creating Django Groups.

management.py, which is created in the same directory as your models.py and is automatically run during python manage.py syncdb:

from django.db.models import signals
from django.contrib.auth.models import Group, Permission
import models 

myappname_group_permissions = {
  "Cinema Manager": [
    "add_session",
    "delete_session",
    "change_ticket",
    "delete_ticket",         # for sales reversals
    "add_creditcard_charge", # for sales reversals
    ],
  "Ticket Seller": [
    "add_ticket",
    "add_creditcard_charge",
    ],
  "Cleaner": [ # cleaners need to record their work
    "add_cleaning",
    "change_cleaning",
    "delete_cleaning",
    ],
}

def create_user_groups(app, created_models, verbosity, **kwargs):
  # post_syncdb handler: make sure each group exists and holds its permissions
  if verbosity>0:
    print "Initialising data post_syncdb"
  for group in myappname_group_permissions:
    role, created = Group.objects.get_or_create(name=group)
    if verbosity>1 and created:
      print 'Creating group', group
    for perm in myappname_group_permissions[group]:
      # raises Permission.DoesNotExist if the codename has not been created yet
      role.permissions.add(Permission.objects.get(codename=perm))
      if verbosity>1:
        print 'Permitting', group, 'to', perm
    role.save()

signals.post_syncdb.connect(
  create_user_groups,
  sender=models, # only run once the models are created
  dispatch_uid='myappname.models.create_user_groups' # This only needs to be universally unique; you could also mash the keyboard
  )

And that’s it. Naturally, if the appropriate action_model permissions don’t exist there’s going to be trouble.  The code says: After syncdb is run on the models, call create_user_groups.

How to buy a 65” Plasma for $.99

E-commerce sites that carry prices in hidden form fields are susceptible to manipulation, such as selling a 65” Plasma for $.99. The way it works is that the hidden field containing the price gets its value changed from many thousands of dollars to less than one, and the form is submitted to the server. The server blindly trusts the web client, and instead of actually using its own database-stored pricing (which is where the price no doubt came from originally) uses the price supplied by the client.

Hilarity ensues.

The author wants to call this process eShoplifting. I call it redistributing wealth (from the stupid to the clever).
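The server-side fix for the hidden-field problem described above, as an added example that is not from the original post: the flawed handler beside one that takes the price from its own records and logs a mismatch. The catalogue, field names and function names are hypothetical, and the form data is constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue standing in for the shop's database-stored pricing.
CATALOGUE = {"TV-PLASMA-65": Decimal("4999.00"), "HDMI-CABLE": Decimal("19.95")}


def total_trusting_client(form):
    """Flawed handler: charges whatever the hidden 'price' field contains."""
    return Decimal(form["price"]) * int(form["quantity"])


def total_from_catalogue(form, alerts):
    """Price comes from the server; the client only chooses SKU and quantity."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown SKU")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= quantity <= 100:
        raise ValueError("quantity out of range")
    price = CATALOGUE[sku]
    submitted = form.get("price")
    if submitted is not None:
        # A client-side price that disagrees with the catalogue is recorded
        # as a tampering signal but never influences the amount charged.
        try:
            differs = Decimal(submitted) != price
        except InvalidOperation:
            differs = True
        if differs:
            alerts.append((sku, submitted, str(price)))
    return price * quantity


if __name__ == "__main__":
    # Constructed POST body with the hidden field edited in the browser.
    tampered = {"sku": "TV-PLASMA-65", "quantity": "1", "price": "0.99"}
    alerts = []
    print(total_trusting_client(tampered))
    print(total_from_catalogue(tampered, alerts), alerts)
```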

Enormous house valuation leaves owner unimpressed

Even governments have to live within their means. But the nice thing about taxation, where you figure out how much tax (or rates) someone owes you, is that revenues are pretty predictable. You say it, they owe it. Nice. I wish I had that kind of lock on my ‘customers’.

Unless you stuff up.

If you stuff up, suddenly the USD$8m you were counting on isn’t coming in, and you have to start sacking public servants. Read the link, that’s what this rant is about. I’m not going to recount it at length. Let’s just say there was a single character typo and leave it at that.

The nifty thing about this stuff up is that it was via a records enquiry system, by an external operator, who accidentally activated a retired program that shouldn’t have been able to affect property prices anyway (what with being retired and all). Valuation on the property went from USD$150K to… tray lots: USD$400m. Any reasonable system would have said “wow, that’s a fairly hefty increase in valuation, you’re going to have to enter several ‘no, seriously, I’m not kidding‘ codes before I actually believe you.”

Daniel, where’s our “risks” category?

I put it to you that few system developers would have considered this could ever happen, accidentally or otherwise, and that when offered the opportunity to spec a system like this it’d be rare that anyone would suggest a check like “if the rate of increase was more than twice that of any other property in the system, or the increase more than ten times the value of any other property in the system, get it checked by a human other than the one entering the data”. But there was no checking, and with today’s interconnected computer systems, the new valuation cascaded into other systems. Such as the county’s budgeting system, thus the surprise sackings to lower costs.

Please, someone tell me I’m wrong. Tell me that this failure has got to be a one-off, that I’m a cowboy, and the industry I work for is fine.
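The check proposed in the post above, written out as an added example that is not from the original post or from the county's system. It assumes "any other property" means the largest rate and the largest value among the other properties; the ledger layout, parcel ids, user names and figures are constructed.

```python
def is_outlier(old, new, others):
    """others: (previous, current) valuations of every other property."""
    increase = new - old
    if increase <= 0:
        return False
    if old <= 0:
        return True  # no baseline to compare against, so ask a human
    rate = increase / old
    top_rate = max(((n - o) / o for o, n in others if o > 0), default=0.0)
    top_rate = max(top_rate, 0.0)
    top_value = max((n for _, n in others), default=0)
    # Rule from the post: more than twice the rate of increase of any other
    # property, or an increase of more than ten times any other value.
    return rate > 2 * top_rate or increase > 10 * top_value


def submit_valuation(ledger, parcel, new, entered_by, approved_by=None):
    """Apply a revaluation, holding outliers until a second person signs off."""
    old = ledger[parcel][1]
    others = [v for p, v in ledger.items() if p != parcel]
    if is_outlier(old, new, others):
        # The approver must be a human other than the one entering the data.
        if approved_by is None or approved_by == entered_by:
            return "held"  # ledger untouched, so nothing cascades downstream
    ledger[parcel] = (old, new)
    return "applied"


if __name__ == "__main__":
    # Constructed ledger: parcel id -> (previous, current) valuation in USD.
    ledger = {
        "P-001": (145_000, 150_000),
        "P-002": (200_000, 210_000),
        "P-003": (350_000, 385_000),
    }
    print(submit_valuation(ledger, "P-001", 400_000_000, "operator"))
    print(submit_valuation(ledger, "P-001", 160_000, "operator"))
```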

Slow SSL on Fedora

So, I’ve been using Fedora Core 3 (I really must upgrade to 4) and I’ve noticed that SSL – ie HTTPS – is really slow. Logging into eBay took something like a half hour. I consulted someone who uses FC3 as their primary operating system and his suggestion was to disable the firewall. “but…” I protested. The response was simple: “Stop being such a pussy. You’ve got a firewall in your modem.” And I do.

So I did – Applications | System Settings | Security Level got me to firewall configuration, one option of which was “forgetaboudit”. A reboot of the iptables (iptables is the Linux firewall: very sophisticated, very powerful, very fragile, requires a detailed understanding of IP protocols to use correctly) later – either by a command line entry (simple – just enter service iptables restart) or a system reboot (easy to remember, but takes a fair old time – FC boot time is longer than XP’s) and the firewall’s behaviour was changed. Then secure logins went just as fast as straight HTTP, and it was clear that the Red Hat Firewall was the culprit.

Hours of searching the web revealed a suggestion for a change to the configuration file, which I went to implement in a restarted firewall – and it was already there. So, to make Firefox – or any other web browser – do fast SSL when it was going slow – you need to disable, then re-enable the firewall. You can do that by picking Applications | System Settings | Security Level from the menu, disabling the firewall, opening a terminal window and entering service iptables restart, and repeating the process but enabling the firewall this time (ensure you have web turned on).

In FC3 the default firewall install doesn’t like HTTPS. And I thought Windows was freaky. I understand that FC4 doesn’t do this crazy shit.

Windows permissions

In an effort to secure my home computers, I have been setting up accounts for my kids on both of them. Very easy. They get to play around with their favourite screensavers and wallpaper settings and so on. And I’m making them regular “users”, not “power users”, so they can’t “accidentally” install anything they find on the Web into the Windows directory or Program Files. (The school computers are riddled with stuff found from some super-dooper smilies and “mini games” web sites).

It’s times like these that you begin to understand why it’s so handy to have the Documents And Settings directories and the Registry, which have areas writable by all users. And you also begin to wonder why some software writers (including Microsoft) ignore them.

Example 1: Midtown Madness 2 (which my son Jeremy loves) needs write access to its own directory, for storing player data and some other guff. Easily fixed, but WHY?

Example 2: the DVD player software that came with one of the computers obviously wants to do something in one of the verboten directories and gracefully crashes and burns when it’s not run as Administrator. Haven’t had time to sort out why, exactly, yet. Must upgrade to PowerDVD — I wonder if it does that.

This is pretty basic stuff. Software authors really should know better.

Do you really really want to open the file?

I know the spread of macro viruses via consumer products is a dangerous thing, and obviously Microsoft in particular have had to take action to help slow them down. But I’m not convinced the plethora of dialog boxes that now adorns every application is really the way to go.

For instance, if you open an MDB in Access 2003 that was created in Access 2000, you are likely to get no less than three separate security dialogs asking if you’re sure, if you’re really sure you want to open the file.

I’ve been using Access for some years, but I don’t know what an “unsafe expression” is. I created the MDB I’m opening, and it’s just got tables in it. No macros, no VBA modules, not even a report or query. There’s nothing unsafe in it. So I said No, don’t block the unsafe stuff you imagine is in this file. Give it all to me.

Having said no, I don’t want them blocked, it then complains that it can’t block them. Obviously it doesn’t trust me to answer sensibly, it really wants to block those imaginary unsafe items. But it can’t without sending me off to Windows Update to install Jet 4 SP 8 or later.

I had to really concentrate to work out what the Yes/No options at the bottom of the dialog are for. They’re nothing to do with blocking the alleged unsafe expressions, or installing the service pack. Nope. What it’s asking is if I still want to open the file.

Having ascertained that I don’t care about the unsafe expressions that don’t exist, and I still want to open the file… it asks me just one more time, by suggesting the bleeding obvious: “This file may not be safe if it contains code that was intended to harm your computer.” Well duh, no kidding.

The cunningly placed Cancel button on the left could easily lead one to click that by default. But finding and clicking the Open button finally really opens the file.

Now, why did I want to look at this file again?