2

I am a self-learning programmer (with a fair share of python knowledge), and currently a company asked to develop a simple application so that they can track employee expenses (and I thought of using Django)

However, they require the app database remains installed in one of theirs internal server structure.

Question: How/Is it possible to validate which users can/have access to that application, via another django app running on my own server?

Do I need to write a custom authentication method in Django, that makes an API call to my server and checks whether that user has permissions to use the app?

If they have web developers themselves, they can override these same methods that I added.

I just don't know how to separate database, and application logic, so that I can control user access when an web application runs on a company's private server (or maybe I can't accomplish this using a web application...)

Any architecture insights would be helpful.

Thank you.

drec4s
  • 121
  • 2

1 Answers1

0

As an abstract exercise, this is no different than controlling access on the public internet. Your application will need to do some form of authentication and authorization for parts of it that require limited access.

It sounds like you are concerned about employees in the company having access to the server itself the application is on to change things. That is typically not your concern as the application developer. Usually, companies have IT staff who limit access to various computers to only the employees that need to access them.

Your responsibility as the application developer is to explain that security for those parts of the system is the IT staff’s responsibility. Their IT staff probably already does this for other applications on the company’s network (e.g. accounting and whatnot), and will probably already expect that they will have work to do in this area. You just need to let them know what they need to block access to and they’ll probably handle that without you having to think about it or know the details.

Joe
  • 414
  • 2
  • 6
  • And, your Security/Infrastructure/Operations staff likely already has a strategy for User Access Control to other corporate assets. If possible, leveraging their existing strategy and using the appropriate software library (Active Directory/NTLM, OAuth2, SQL, etc.) to handle the authentication/authorization implementation in your application could make this much easier than a purely custom implementation. By adhering to the company's current authentication/authorization paradigm, it could also make it easier for other IT teams to understand the flow and for security/operations to manage access – Rohn Adams Dec 31 '20 at 21:03
  • Your wording reeks of some deeper problem: You speak of an app on *their* server, while you want to do user authorization checks on *your* server. Are you sure that this is what the client requires? That would constitute not just "writing an app" for them, but providing a service that normally should be fully within the client's responsibility. – Hans-Martin Mosner Dec 22 '22 at 07:33