I am working on a Django somewhat e-commerce project, where, briefly, I have both a Customer and a Merchant model. The Merchant model is associated with a MerchantStore model which is somehow “complicated”, having a plethora of m2m and foreign key relationships to various models.
Following the solution in this post and having not enough “time” to make a custom implementation, I decided to let each Merchant be a “stuff member” and customize his store through the admin interface. Of cource I created a new group with the appropriate permissions.
However, some questions arise:
1) Is this considered harmful? Are there any security threats associated?
2) Isn’t this the best way to do it if you have not enough time anyway?
No, I would not consider this harmful.
The “Zen of Admin” as described in Apress’s djangobook seemed to imply an assumption of trust as part of the admin’s “philosophy”, and paired with the often-repeated “admin is not your app” advice, I too was scared at first and think the Django documentation could point out intended, viable use cases.
Please see my almost identical question Django AdminSite/ModelAdmin for end users?
From Jordan’s answer (who I gave the bounty):
Also note Django’s relatively recent security update http://www.djangoproject.com/weblog/2010/dec/22/security/
regarding querystring parameters in object lists.
Such an update (quote: “an attacker with access to the admin […]”) is a clear indication that the admin’s implementation of the permission system is being constantly scrutinized.