CODEWITHSUNDEEP
pythondjango
Cyzanfar
Cyzanfar

Reputation: 7136

User defined template Django

Is there a way to enable application users to create their own template within the django app? One example would be how MailChimp enables users to create their own custom email template.

Currently i'm thinking of creating a model that captures information the user wants to display. that model can point to a template and populate it with the information the user wants to display. But is there a better way?

Upvotes: 1

Views: 251

Answers (2)

manassehkatz-Moving 2 Codidact
manassehkatz-Moving 2 Codidact

Reputation: 3034

Another answered noted a warning from the docs that included:

access properties of template variables that may contain sensitive information

This is a big concern. All Django tables are linked together, often in "magical" ways. The template system does not concern itself with permissions granted to authenticated users. If a template can be processed then it will process anything & everything that it can - i.e., if a link between tables exists, it will follow it. This means that something like a Customer record that is linked to a User record that is linked to Vendor records to Item records, etc. could allow any user (or at least, any user with permission to create a template) to view almost any data in the system. They would not, at least with the standard User package, be able to see User passwords. But they could get to almost anything else. For example, they might be able to figure out who else is using the system, how much people are paying, names of administrators (very useful for phishing!), etc.

So while it would be relatively easy to create a user-defined Django template system, it is not a good idea, at least not on any publicly accessible system.

Upvotes: 1

Lord Elrond
Lord Elrond

Reputation: 16032

As stated in the docs:

Warning

The template system isn’t safe against untrusted template authors. For example, a site shouldn’t allow its users to provide their own templates, since template authors can do things like perform XSS attacks and access properties of template variables that may contain sensitive information.

Having a user define templates, even if the templates are stored in a model, can lead to xss vulnerabilities, and will be extremely difficult to implement safely.

Upvotes: 2

Related Questions