Django: Using django.contrib.auth for SAAS ( Users, permissions, etc. )

I'm making a SAAS and I've been asking a slew of questions on here related to the Auth system built in. I'm having trouble understanding the "why" and "how". Primarily I don't understand how it fits in with my SAAS.

I (do) know the following:

  1. You can do this: http://docs.djangoproject.com/en/dev/topics/auth/#storing-additional-information-about-users
  2. There are many reasons to use the built in auth system (like security) instead of rolling your own

I (don't) know the following:

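from django.contrib.auth.models import User
from django.db import models
from annoying.fields import AutoOneToOneField  # from django-annoying

# Account is the asker's own model, defined elsewhere in the project.
class MyUserProfile(models.Model):
    """
    Administrator for an Account. Can edit tickets and other stuff.
    """
    user = AutoOneToOneField(User, primary_key=True)
    account = models.ForeignKey(Account)
    dogs_name = models.CharField(max_length=255)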

In the previous example, account is just what you'd expect; an entity that's paying to use my software. user is my main concern. Somebody goes to a page and creates a UserProfile with a username and password, etc. When they do this, where does the related User get created? Do I need to create it in my view manually based on the request.POST['username'], etc, and then do

myuserprof = MyUserProfile.objects.create(user=foo_user_just_created, account=foo_account, dogs_name='Spot')

I don't know why but for some reason I feel like I'm missing something. This idea of asking somebody to sign up for an account, and then create a MyUserProfile with a form that asks for the password, username, email, et al, and then in my view creating 2 different objects (MyUserProfile and User) with different parts of the form data. I mean I shouldn't have a User form right? Like I said, I feel like I'm either skipping a step or I'm in the wrong paradigm. I'm not new to Django, but for some reason I have trouble with things that I didn't build (I think it might be a mental problem for real at this point).

Maybe there is a good example of this sort of thing being done on some open source project.

Update: Oops, forgot to mention that in the code above I tried to use AutoOneToOneField from django-annoying, but I have no idea where all the User's attributes get set or how to decide which User object to attach to it. This stuff is driving me crazy.

Also, do I need to use the sites app to do this stuff, and finally does a "super user" have all permissions to everything (I don't want people from Account "Acme" to access account "Microshaft" objects)? Or do they just have all permissions to all views?


Somebody goes to a page and creates a UserProfile with a username and password, etc.

UserProfile doesn't have a username or password field. So it should be: somebody goes to a page and creates a User. Then, it creates a UserProfile associated with that newly created User.

The question is, how and when do you want this UserProfile instance to be created?

  1. Automatically, whenever a new User is created: use signals, as described in the docs
  2. Automatically, whenever the profile is accessed from a user instance: use AutoOneToOneField, and access the profile using user.userprofile instead of user.get_profile()
  3. Manually. But don't forget a user might have no UserProfile associated yet, so user.get_profile() might raise a DoesNotExist exception.

When they do this, where does the related User get created?

It doesn't. You have to create it explicitly.

This idea of asking somebody to sign up for an account, and then create a MyUserProfile with a form that asks for the password, username, email, et al, and then in my view creating 2 different objects (MyUserProfile and User) with different parts of the form data. I mean I shouldn't have a User form right?

Why not? You want here to create a User and his associated profile in one go, right? You could eventually use the POST data directly, or use a Form to access the fields, or even better, use 2 ModelForms (one for User, one for UserProfile) that you will process in the same view (maybe this question can help?)

Maybe there is a good example of this sort of thing being done on some open source project.

I suggest you check out django-registration and django-profiles.

Note

You have another way of adding information to a User object, by extending the model itself. It will allow you to put your extra fields directly in the user model and might be easier for you to understand and use.

I won't dive into details here, have a look at that tutorial for more information.

Other questions

I tried to use AutoOneToOneField from django-annoying, but I have no idea where all the User's attributes get set or how to decide which User object to attach to it. This stuff is driving me crazy

See above on how to use it. If you feel uncomfortable with it, the best is to follow the documentation, which recommends using a ForeignKey with unique=True in user profiles.

Also, do I need to use the sites app to do this stuff

From the site framework docs: Use it if your single Django installation powers more than one site and you need to differentiate between those sites in some way.

and finally does a "super user" have all permissions to everything (I don't want people from Account "Acme" to access account "Microshaft" objects)?

Again, from the docs, Designates that this user has all permissions without explicitly assigning them. That means that everywhere Django is using the built-in permission system (e.g. default administration pages), a super-user will be authorized.

In views you're writing yourself, or if you tweak some ModelAdmin, it's up to you to decide how you are going to check permissions.
