I’m building a Django-based review website where public users create all of the content on the site. Users create reviews for given items and they also create the items themselves that will be reviewed (providing a description and brief summary of the item, along with a few tags).
My question is this: Should I be using Django’s admin features for this website (as in, exposing admin controls to the public users)? Or should I just stick with normal forms? I’m not too familiar with the admin-aspect of Django, and so far I’ve just been using forms for the website, but I’ve seen a lot of people talking about Django’s admin features, and I’m starting to wonder if I should be using them.
Thanks for any feedback!
Maybe. If the admin functionality covers most of what you want to offer, there’s no reason why you shouldn’t use it as a starting point.
django.contrib.admin is an application like any other, and provides basically a CRUD interface to your models. Access can be controlled via groups/permissions, just like you would for an application you write yourself. You can give full access to a model with a one-liner, but obviously will have to configure properly when opening up to others.
See also my question
Django AdminSite/ModelAdmin for end users?
and similar questions Exposing django admin to users. Harmful? and How to make Django admin site accessed by non-staff user?
Regarding arguments about the “intended use” of the admin, please note Django’s security update at the end of last year: http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists. Such an update (quote: “an attacker with access to the admin […]”) is a clear indication that the admin’s implementation of the permission system is being constantly scrutinized.