I explored different ways in which PCA can be tested. More specifically, I tried to find some testing schemes under which the PCA I developed fails while the standard PCA method works. This practice is to help me understand the potential limitations of the PCA method. Unfortunately, I have yet to find a case where the PCA method fails. So far, it appears that the standard PCA and the implemented PCA performs more or less on the same level. Currently, I'm trying to exploit the fact that "hyperbox" method was used by drawing the loading matrix from different heavy tail distributions.

What did I do this week?

Design test cases for PCA

What will I work on next week?

Devising test cases for PCA. Implement NNMF

I continued working on developing test cases. I tried to write up an overview for testing frameworks since such a framework could potentially be useful for other methods beyond PCA. I still haven't found a test where the implemented PCA falls short of the standard PCA, which is good in the sense that the performance is on par with the standard PCA but potentially harmful since we don't know its vulnerabilities. Meanwhile, I'm in the process of implementing NMF. I'm currently am trying to use the hyperbox method that I used in PCA. Unlike PCA, however, it is generally not possible to apply NMF in an incremental manner as we did in PCA so I'm reading up papers to resolve this issue.

What did I do this week?

Design test cases for PCA. Partially implemented code for NNMF. 

What will I work on next week?

Testing framework for PCA and other methods. Continue implementing NNMF

The post PyDev of the Week: Eric Matthes appeared first on The Mouse Vs. The Python.

PyCon Australia 2019 was, surprisingly, my first Australian Python Convention. It was also the first Python Convention I've attended purely as a spectator. I didn't contribute officially and was just there to learn and meet people.

What an experience!

The Talks

Let's get to the meat of it. I was impressed by the quality, topic range and professionalism of the talks. Almost all talks I attended, delivered a solid experience. There were very few I got bored in or was underwhelmed with.

Here are my top picks:

The unspeakable horror of discovering you didn't write tests - Melanie Crutchfield

Tests are tough. They're even tougher to get into. Melanie delivered a quality, educational and entertaining talk on why it's important to use them. Her story on how she came to use and appreciate tests made the talk relatable which kept me hooked. As a result, I'm actually super excited to get cracking with pytest, selenium and pytest-cov!

Takeaway:pytest-cov is an awesome tool to check what test coverage your code has. Very cool! Also, Melanie is pretty damn awesome and an incredibly entertaining presenter!

YouTube:https://www.youtube.com/watch?v=QD9YlNoTm2c

Slides/Notes: TBD

It's dark and my lights aren't working (an asyncio success story) - Jim Mussared

While the talk didn't end up diving too much into asyncio it more than made up for it by being damn interesting. Jim tells the story of his experience trying to automate the lights in his home. It's a story of hardship, dedication to the cause and is down right inspiring. Seriously, watch this one and see just how technical he gets with the technology he's playing with. I'll also add that he had us laughing for the majority of the talk!

Takeaway: Sometimes tech just doesn't work. The stubbornness to never give up is what makes us techies and programmers such an amazing group. Even when the odds are against you, keep searching, keep digging and you'll find a way.

YouTube:https://www.youtube.com/watch?v=grouP9QfdyA

Slides/Notes: Slides. Transcript is in the speaker notes of the first slide.

Shipping your first Python package and automating future publishing - Chris Wilcox

I really enjoyed this one as I've never had to package anything up to publish on PyPI before. I'm even still a little green when it comes to packaging in general so having Chris go through the whole setup.py and setup.cfg thing was great. He covers best practices, Tox and Nox as well.

Takeaway: While setup.py is still a thing, setup.cfg is much more flexible to use. I'll be seeing how I can utilise setup.cfg from now on. I also need to start diving into Tox (and Nox) to see what all the hubbub is about.

YouTube:https://www.youtube.com/watch?v=nietrteetKQ

Slides/Notes:Slides

Python Oddities Explained - Trey Hunner

This was easily one of my favourite talks. Trey has such a deep understanding of how Python works and has a wonderfully engaging presentation style. He covers a bunch of weird behaviours in Python that he's encountered over the years. It's a highly informative talk and I loved it.

Takeaway: There is a lot that can catch you out in Python. If you have any weird behaviour, have a good look through your code and make sure you have your scope referenced correctly. The += operator can be insanely useful and painful!

YouTube:https://www.youtube.com/watch?v=4MCT4WLf7Ac

Slides/Notes:Slides

Goodbye print statements, hello debugger! - Nina Zakharenko

Debugging my code has long been a fear of mine. At most, I use print() statements to help me see what's going on where and what object is being assigned what value. It's a pain, but it's comfortable and it works. Nina shattered the barrier into debugging for me. Using pdb and ipdb she demonstrated how to use the tool to debug code and managed to do so in a way that didn't make the complete noob (me) feel like an idiot. I've never been so excited for my code to break!

Takeaway:ipdb is going to be the debugger I jump into. I should also stop being so afraid to dive into a new topic when it comes to coding. Also, Microsoft Clippy still lives! (In sticker form).

YouTube:https://www.youtube.com/watch?v=HHrVBKZLolg

Slides/Notes:Slides and Blog

The People

I've said before that it's the people that make the conference special. PyCon AU was no different. I met so many incredible people over the 3 days. Some were even drawn to the @PythonicStaff I was carrying around in Anthony Shaw's absence.

Of special note, I have to mention two fantastic members of our PyBites Community - Anthony and Marc. Both of these chaps came out and allowed me to spend time with them throughout the conference.

Attending talks is always fun but doing it with friends (I'm assuming we're now friends) makes it a little more special. We learned a lot together and the guys were so inspired they even ran off to buy some MicroBit devices so they could play around with MicroPython.

Of course, PyBites Community aside, there were all sorts of cluey people around. Within 10 minutes of being at the conference I met a guy named Gavin who was doing audio analysis with an Adafruit device mounted to a home-made wooden box. (This is totally an understatement, what he was doing was way over my head!).

I was able to forge new relationships with Pythonistas from around Australia (including one who was taking the #100DaysofCode in Python course !) and I got to spend much needed time with friends I'd made at PyCon US. Trey and Melanie, you guys rock!

The Code

Some of the coding concepts, ideas and thoughts I've taken away from the conference:

• I need to push having tests on all of my code. I'll be using pytest and pytest-cov for most code but will dive into Selenium where required. It's time to stop being intimidated and just start doing it.

• On that same note, pdb or ipdb is going to start making an appearance. I want to debug properly.

• Never leave pdbbreakpoint()s in Production Code! (Python 3.7)

• As I've wanted to get into drones, I should take a look at pyparrot to add some Python goodness to the experience.

• Give doctest a go as a testing framework. Could be useful in smaller situations where I don't want my code to be able to run unless it passes all tests.

• It's way out of my area of expertise right now but WASM looks like it could be fun to dive into.

• If I want to have a play with 3D Rendering in Python, I should take a look at vpython and glowscript.org.

• Have a stab at using cookiecutter.

• I really need to make a concerted effort to understand the "behind the scenes" of Python. Which functions call which dunder methods and how they work.

• MicroPython is awesome.

• Consider the impact to my users when I roll out updates. Something I already do but just a timely reminder from the "What PHP Learned from Python" talk.

The Missed Talks

There were quite a few talks I missed due to conflicts in the schedule, my ability to get to them or just plain being knackered:

• "Git hook[ed]" on images & up your documentation game - Veronica Hanus

• Creating Lasting Change - Aurynn Shaw

• Tracing, Profiling & Debugging in Production (eBPF) - Trent Lloyd

• What makes Micro:bits different? - Jack Reichelt

• Threat Modeling the Death Star - Mario Areias

• Building a Sustainable Python Package Index - Dustin Ingram

All PyCon AU 2019 talks can be seen on YouTube here.

Inclusivity

It'd be remiss of me not to mention just how inclusive PyCon AU is. It doesn't matter what race, gender or however you identify, you'll have a home there.

Everyone was comfortable in their own skin. Everyone was respectful of opinions and appearance. Heck, the bathrooms even had powerful signage to ensure people were empowered to use whichever bathroom they felt comfortable using.

Seeing people of all shapes, sizes, colours, *, all learning harmoniously without any prejudice was truly a highlight for me. I couldn't be more proud to be part of this community.

Conclusion

As you can see, I missed quite a few quality talks but that's how it goes at PyCon. The chance to spend time with friends and to learn is one you should never pass up. There's so much to be gained from the PyCon conferences thanks largely to the amazing Python Community.

It's been 3 brilliant, insightful and inspirational days and I'm grateful for the time I was allowed there. I was even able to, finally, introduce one of my favourite colleagues to the community!

If you haven't been to a PyCon yet, make it happen. If you can get to one in Australia, even better. Just make sure you stop by and say G'day!

Keep Calm and Code in Python!

-- Julian

What did I do this week?

As discussed in the earlier blog, I worked on tests for GUI to 'checkout' to a previous version of flightpath. After creating a pull request, I parallelly started working on GUI to add users and projects. I also got the pull request reviewed by my mentor.

What's coming up next?

This week, I have to finish up on modifications suggested by my mentor. After first request gets merged, I have to work on displaying user's, project's details in chat window, and active view windows. After that, I'd have to fix an issue due to which table view can't be created more than once for mscolab. Before making the second pull request, I also have to write tests for GUI part related to creation of users and projects.

Did I get stuck anywhere?

I was stuck for a very short while trying to decide if QInputDialog works with multiple inputs, then I designed my own QLabel for my usage.

What did you do this week?

Documentation writing. The chapter for Crystallinity map calculation is written.

What is coming up next?

Chapter for Region clustering, Jupiter notebook for feature vector generation, non-zero order peaks detection and region clustering.

Did you get stuck anywhere?

Not yet.

While I was trying to install rust on a FreeBSD box, I figured that I will have to update the path on the system with directory path of the ~/.cargo/bin. I added the following line in the ~/.cshrc file for the same.

set path = ( $path /home/kdas/.cargo/bin)

I am yet to learn much about csh, but, I can count this as a start.

Hey. It looks like we’re in August now. Summer is coming to an end fast!

What happened this week? One of my mentors came back from holidays and we had a sync up call on Monday, and another one on Thursday (which should’ve been on Wednesday but I overslept. Set your alarms students!). We discussed the state of the project and what else can we do before GSoC ends.

At the start of the week I opened a PyTorch PR that supports both image and text explanations.

One thing that I was stuck on was saving and loading PyTorch models. Unlike in Keras where you can use one function call to load a model, in PyTorch there are multiple steps: get the class for the model, instantiate a model object, load the saved “state dict” into that new instance. In my case I was stuck on instantiating the model object, which required passing pre-trained word embeddings. My workaround was passing a tensor of zeros (instead of for example passing glove vectors, which were in the “state dict” anyways).

For the rest of the week I worked on the text PR. The first major progression was in adding integration tests. It took me some time to train and prepare two quality models from scratch, one for sentiment classification and another for multi-class classification.

Another development was in the documentation - function docstrings, library docs for text, adding new packages to the index, etc.

Manually testing the text PR, everything looked good apart from a few things. There was an issue with explaining “1D” layers (dense/fully-connected and final recurrent layers) that I fixed by adding special case code.

A remaining issue is with multi-label classification (https://keras.io/datasets/#reuters-newswire-topics-classification), where the explanations do not explain anything. One of my mentor’s suggested solutions was starting with a simple model and building from there.

These were the major issues and solutions for week 10. For week 11 I hope to follow this rough schedule:

Monday

• In the text PR, move changes to the image API to a new PR. This way we can merge PR’s faster and possibly get early feedback.

Tuesday

• Text PR remaining unit tests.
• Text PR tutorial (now that I have two good models from the integration tests).

Wednesday

• Text PR ad hoc tasks (FIXME’s, look at other implementations).
• PyTorch PR refactor code (^).

Thursday

• PyTorch PR tests (manual and automated?).
• PyTorch PR docs, tutorial.

Friday

• Contingency (^^^)

That’s all for the week. Thank you for reading!

Tomas Baltrunas

So the Python Software Foundation has contracted with my firm, Changeset Consulting, to help communicate about the sunsetting of Python 2. The high-level goal for Changeset's involvement is to help users through the end of the transition, help with communication so volunteers are not overwhelmed, and help update public-facing assets so core developers are not overwhelmed.

During this project (starting now and going till the end of April 2020), Changeset's goals are:

• Create a concise page on python.org giving community guidance on the why and what of EOL
• Create and publicize a formal press release through the PSF
• Audit and update every mention of Python 2 on python.org, including in documentation and the wiki
• Develop a plan to handle redirecting https://docs.python.org/2/* (especially deep links)
• Publicize the new "what's up with EOL" page to a variety of audiences, respond to questions, and keep the page updated until PyCon US 2020 based on questions that come up

So, towards those goals, you'll see me with my colleagues:

• Researching, writing, and editing technical documents and the press release
• Corresponding with stakeholders, writing and publishing announcements and other communications in multiple media
• Initiating and facilitating meetings (I will try to make them very minimal and short; if I invite you, please let me know your response)
• Filing, triaging, labelling, prioritizing, and linking issues, such as in the website repo

For accountability, Changeset will provide reporting via:

• A publicly visible project roadmap, including milestones, probably within the pythondotorg repo
• A public rundown of all work completed at the end of each milestone, probably on the Discourse forum at discuss.python.org or on the pydotorg-www mailing list
• A brief written or oral monthly report to the Steering Council
• As necessary, updates to the PSF board
• If requested by PSF, blog posts monthly or more rarely, on the PSF blog or Python Insider
• (potentially) a PyCon North America birds-of-a-feather session in April 2020

I'm going to be asking for a lot of help along the way from the Python community: meeting with us, answering our questions, double-checking our drafts for accuracy, publicizing that EOL page to your circles, setting up some parties for January 1st. Thanks in advance and let's get the Python user base further along towards enjoying the shininess of Python 3.

This blog post takes a look back at the various Multimedia-related tasks the Igalia Multimedia team was involved in during the first half of 2019.

User management in Django admin is a tricky subject. If you enforce too many permissions, then you might interfere with day-to-day operations. If you allow for permissions to be granted freely without supervision, then you put your system at risk.

Django provides a good authentication framework with tight integration to Django admin. Out of the box, Django admin does not enforce special restrictions on the user admin. This can lead to dangerous scenarios that might compromise your system.

Did you know staff users that manage other users in the admin can edit their own permissions? Did you know they can also make themselves superusers? There is nothing in Django admin that prevents that, so it’s up to you!

By the end of this tutorial, you’ll know how to protect your system:

• Protect against permission escalation by preventing users from editing their own permissions
• Keep permissions tidy and maintainable by only forcing users to manage permissions only using groups
• Prevent permissions from leaking through custom actions by explicitly enforcing the necessary permissions

Model Permissions

Permissions are tricky. If you don’t set permissions, then you put your system at risk of intruders, data leaks, and human errors. If you abuse permissions or use them too much, then you risk interfering with day-to-day operations.

Django comes with a built-in authentication system. The authentication system includes users, groups, and permissions.

When a model is created, Django will automatically create four default permissions for the following actions:

1. add: Users with this permission can add an instance of the model.
2. delete: Users with this permission can delete an instance of the model.
3. change: Users with this permission can update an instance of the model.
4. view: Users with this permission can view instances of this model. This permission was a much anticipated one, and it was finally added in Django 2.1.

Permission names follow a very specific naming convention: <app>.<action>_<modelname>.

Let’s break that down:

• <app> is the name of the app. For example, the User model is imported from the auth app (django.contrib.auth).
• <action> is one of the actions above (add, delete, change, or view).
• <modelname> is the name of the model, in all lowercase letters.

Knowing this naming convention can help you manage permissions more easily. For example, the name of the permission to change a user is auth.change_user.

How to Check Permissions

Model permissions are granted to users or groups. To check if a user has a certain permission, you can do the following:

>>> fromdjango.contrib.auth.modelsimportUser>>> u=User.objects.create_user(username='haki')>>> u.has_perm('auth.change_user')False

It’s worth mentioning that .has_perm() will always return True for active superuser, even if the permission doesn’t really exist:

>>> fromdjango.contrib.auth.modelsimportUser>>> superuser=User.objects.create_superuser(... username='superhaki',... email='me@hakibenita.com',... password='secret',)>>> superuser.has_perm('does.not.exist')True

As you can see, when you’re checking permissions for a superuser, the permissions are not really being checked.

How to Enforce Permissions

Django models don’t enforce permissions themselves. The only place permissions are enforced out of the box by default is Django Admin.

The reason models don’t enforce permissions is that, normally, the model is unaware of the user performing the action. In Django apps, the user is usually obtained from the request. This is why, most of the time, permissions are enforced at the view layer.

For example, to prevent a user without view permissions on the User model from accessing a view that shows user information, do the following:

fromdjango.core.exceptionsimportPermissionDenieddefusers_list_view(request):ifnotrequest.user.has_perm('auth.view_user'):raisePermissionDenied()

If the user making the request logged in and was authenticated, then request.user will hold an instance of User. If the user did not login, then request.user will be an instance of AnonymousUser. This is a special object used by Django to indicate an unauthenticated user. Using has_perm on AnonymousUser will always return False.

If the user making the request doesn’t have the view_user permission, then you raise a PermissionDenied exception, and a response with status 403 is returned to the client.

To make it easier to enforce permissions in views, Django provides a shortcut decorator called permission_required that does the same thing:

fromdjango.contrib.auth.decoratorsimportpermission_required@permission_required('auth.view_user')defusers_list_view(request):pass

To enforce permissions in templates, you can access the current user permissions through a special template variable called perms. For example, if you want to show a delete button only to users with delete permission, then do the following:

{%ifperms.auth.delete_user%}<button>Delete user!</button>{%endif%}

Some popular third party apps such as the Django rest framework also provide useful integration with Django model permissions.

Django Admin and Model Permissions

Django admin has a very tight integration with the built-in authentication system, and model permissions in particular. Out of the box, Django admin is enforcing model permissions:

• If the user has no permissions on a model, then they won’t be able to see it or access it in the admin.
• If the user has view and change permissions on a model, then they will be able to view and update instances, but they won’t be able to add new instances or delete existing ones.

With proper permissions in place, admin users are less likely to make mistakes, and intruders will have a harder time causing harm.

Implement Custom Business Roles in Django Admin

One of the most vulnerable places in every app is the authentication system. In Django apps, this is the User model. So, to better protect your app, you are going to start with the User model.

First, you need to take control over the User model admin page. Django already comes with a very nice admin page to manage users. To take advantage of that great work, you are going to extend the built-in User admin model.

Setup: A Custom User Admin

To provide a custom admin for the User model, you need to unregister the existing model admin provided by Django, and register one of your own:

fromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin# Unregister the provided model adminadmin.site.unregister(User)# Register out own model admin, based on the default UserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):pass

Your CustomUserAdmin is extending Django’s UserAdmin. You did that so you can take advantage of all the work already done by the Django developers.

At this point, if you log into your Django admin at http://127.0.0.1:8000/admin/auth/user, you should see the user admin unchanged:

By extending UserAdmin, you are able to use all the built-in features provided by Django admin.

Prevent Update of Fields

Unattended admin forms are a prime candidate for horrible mistakes. A staff user can easily update a model instance through the admin in a way the app does not expect. Most of the time, the user won’t even notice something is wrong. Such mistakes are usually very hard to track down and fix.

To prevent such mistakes from happening, you can prevent admin users from modifying certain fields in the model.

If you want to prevent any user, including superusers, from updating a field, you can mark the field as read only. For example, the field date_joined is set when a user registers. This information should never be changed by any user, so you mark it as read only:

fromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):readonly_fields=['date_joined',]

When a field is added to readonly_fields, it will not be editable in the admin default change form. When a field is marked as read only, Django will render the input element as disabled.

But, what if you want to prevent only some users from updating a field?

Conditionally Prevent Update of Fields

Sometimes it’s useful to update fields directly in the admin. But you don’t want to let any user do it: you want to allow only superusers to do it.

Let’s say you want to prevent non-superusers from changing a user’s username. To do that, you need to modify the change form generated by Django, and disable the username field based on the current user:

fromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):defget_form(self,request,obj=None,**kwargs):form=super().get_form(request,obj,**kwargs)is_superuser=request.user.is_superuserifnotis_superuser:form.base_fields['username'].disabled=Truereturnform

Let’s break it down:

• To make adjustments to the form, you override get_form(). This function is used by Django to generate a default change form for a model.
• To conditionally disable the field, you first fetch the default form generated by Django, and then if the user is not a superuser, disable the username field.

Now, when a non-superuser tries to edit a user, the username field will be disabled. Any attempt to modify the username through Django Admin will fail. When a superuser tries to edit the user, the username field will be editable and behave as expected.

Prevent Non-Superusers From Granting Superuser Rights

Superuser is a very strong permission that should not be granted lightly. However, any user with a change permission on the User model can make any user a superuser, including themselves. This goes against the whole purpose of the permission system, so you want to close this hole.

Based on the previous example, to prevent non-superusers from making themselves superusers, you add the following restriction:

fromtypingimportSetfromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):defget_form(self,request,obj=None,**kwargs):form=super().get_form(request,obj,**kwargs)is_superuser=request.user.is_superuserdisabled_fields=set()# type: Set[str]ifnotis_superuser:disabled_fields|={'username','is_superuser',}forfindisabled_fields:iffinform.base_fields:form.base_fields[f].disabled=Truereturnform

In addition to the previous example, you made the following additions:

1. You initialized an empty set disabled_fields that will hold the fields to disable. set is a data structure that holds unique values. It makes sense to use a set in this case, because you only need to disable a field once. The operator |= is used to perform an in-place OR update. For more information about sets, check out Sets in Python.

2. Next, if the user is a superuser, you add two fields to the set (username from the previous example, and is_superuser). They will prevent non-superusers from making themselves superusers.

3. Lastly, you iterate over the fields in the set, mark all of them as disabled, and return the form.

Django User Admin Two-Step Form

When you create a new user in Django admin, you go through a two-step form. In the first form, you fill in the username and password. In the second form, you update the rest of the fields.

This two-step process is unique to the User model. To accommodate this unique process, you must verify that the field exists before you try to disable it. Otherwise, you might get a KeyError. This is not necessary if you customize other model admins.

For more information about KeyError, check out Python KeyError Exceptions and How to Handle Them.

Grant Permissions Only Using Groups

The way permissions are managed is very specific to each team, product, and company. I found that it’s easier to manage permissions in groups. In my own projects, I create groups for support, content editors, analysts, and so on. I found that managing permissions at the user level can be a real hassle. When new models are added, or when business requirements change, it’s tedious to update each individual user.

To manage permissions only using groups, you need to prevent users from granting permissions to specific users. Instead, you want to only allow associating users to groups. To do that, disable the field user_permissions for all non-superusers:

fromtypingimportSetfromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):defget_form(self,request,obj=None,**kwargs):form=super().get_form(request,obj,**kwargs)is_superuser=request.user.is_superuserdisabled_fields=set()# type: Set[str]ifnotis_superuser:disabled_fields|={'username','is_superuser','user_permissions',}forfindisabled_fields:iffinform.base_fields:form.base_fields[f].disabled=Truereturnform

You used the exact same technique as in the previous sections to implement another business rule. In the next sections, you’re going to implement more complex business rules to protect your system.

Prevent Non-Superusers From Editing Their Own Permissions

Strong users are often a weak spot. They possess strong permissions, and the potential damage they can cause is significant. To prevent permission escalation in case of intrusion, you can prevent users from editing their own permissions:

fromtypingimportSetfromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):defget_form(self,request,obj=None,**kwargs):form=super().get_form(request,obj,**kwargs)is_superuser=request.user.is_superuserdisabled_fields=set()# type: Set[str]ifnotis_superuser:disabled_fields|={'username','is_superuser','user_permissions',}# Prevent non-superusers from editing their own permissionsif(notis_superuserandobjisnotNoneandobj==request.user):disabled_fields|={'is_staff','is_superuser','groups','user_permissions',}forfindisabled_fields:iffinform.base_fields:form.base_fields[f].disabled=Truereturnform

The argument obj is the instance of the object you are currently operating on:

• When obj is None, the form is used to create a new user.
• When obj is not None, the form is used to edit an existing user.

To check if the user making the request is operating on themselves, you compare request.user with obj. Because this is the user admin, obj is either an instance of User, or None. When the user making the request, request.user, is equal to obj, then it means that the user is updating themselves. In this case, you disable all sensitive fields that can be used to gain permissions.

The ability to customize the form based on the object is very useful. It can be used to implement elaborate business roles.

Override Permissions

It can sometimes be useful to completely override the permissions in Django admin. A common scenario is when you use permissions in other places, and you don’t want staff users to make changes in the admin.

Django uses hooks for the four built-in permissions. Internally, the hooks use the current user’s permissions to make a decision. You can override these hooks, and provide a different decision.

To prevent staff users from deleting a model instance, regardless of their permissions, you can do the following:

fromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):defhas_delete_permission(self,request,obj=None):returnFalse

Just like with get_form(), obj is the instance you currently operate on:

• When obj is None, the user requested the list view.
• When obj is not None, the user requested the change view of a specific instance.

Having the instance of the object in this hook is very useful for implementing object-level permissions for different types of actions. Here are other use cases:

• Preventing changes during business hours
• Implementing object-level permissions

Restrict Access to Custom Actions

Custom admin actions require special attention. Django is not familiar with them, so it can’t restrict access to them by default. A custom action will be accessible to any admin user with any permission on the model.

To illustrate, add a handy admin action to mark multiple users as active:

fromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):actions=['activate_users',]defactivate_users(self,request,queryset):cnt=queryset.filter(is_active=False).update(is_active=True)self.message_user(request,'Activated {} users.'.format(cnt))activate_users.short_description='Activate Users'# type: ignore

Using this action, a staff user can mark one or more users, and activate them all at once. This is useful in all sorts of cases, such as if you had a bug in the registration process and needed to activate users in bulk.

This action updates user information, so you want only users with change permissions to be able to use it.

Django admin uses an internal function to get actions. To hide activate_users() from users without change permission, override get_actions():

fromdjango.contribimportadminfromdjango.contrib.auth.modelsimportUserfromdjango.contrib.auth.adminimportUserAdmin@admin.register(User)classCustomUserAdmin(UserAdmin):actions=['activate_users',]defactivate_users(self,request,queryset):assertrequest.user.has_perm('auth.change_user')cnt=queryset.filter(is_active=False).update(is_active=True)self.message_user(request,'Activated {} users.'.format(cnt))activate_users.short_description='Activate Users'# type: ignoredefget_actions(self,request):actions=super().get_actions(request)ifnotrequest.user.has_perm('auth.change_user'):delactions['activate_users']returnactions

get_actions() returns an OrderedDict. The key is the name of the action, and the value is the action function. To adjust the return value, you override the function, fetch the original value, and depending on the user permissions, remove the custom action activate_users from the dict. To be on the safe side, you assert the user permission in the action as well.

For staff users without change_user() permissions, the action activate_users will not appear in the actions dropdown.

Conclusion

Django admin is a great tool for managing a Django project. Many teams rely on it to stay productive in managing day-to-day operations. If you use Django admin to perform operations on models, then it’s important to be aware of permissions. The techniques described in this article are useful for any model admin, not just the User model.

In this tutorial, you protected your system by making the following adjustments in Django Admin:

• You protected against permission escalation by preventing users from editing their own permissions.
• You kept permissions tidy and maintainable by only forcing users to manage permissions only using groups.
• You prevented permissions from leaking through custom actions by explicitly enforcing the necessary permissions.

Your User model admin is now much safer than when you started!

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

5 years ago today, this happened:

commit 11a94957dc038fc27c5ff976197ad2b2d0352d20
Author: Florian Bruhin <git@the-compiler.org>
Date:   Sat Dec 14 22:15:16 2013 +0100

    Initial commit

That's how qutebrowser looked a day after that (and that commit still seems to run!): https://imgur.com/a/xoG1r4G

Exactly a year later, things …

Hello everyone.

The time is finally getting into me. I feel I am really late on everything I planned, and I know I am the one to blame.

This week we finally merged my code for the command setup, and with it we had tests, documentation and the fix of the first issues.

What mostly got into me was the lack of knowledge about how to fulfill a full project. I underestimated the tasks, and didn't pay attention to all the details it was necessary for my project to be 100%. This serves as learning, as now I am way more confident about planning, coding and delivering a full-realized project.

Delays are expected; that's why I left a 3-weeks time for writing and polishing before the end of the period. What I didn't expect was that I had so much to learn and my motivation dropping together with my university exams week. Today I feel more motivated, as one step of the project was fulfilled, and I know I still have a chance to do better until the end of the program. That's where my focus will be.

Writing code is not only about knowing the tools, but creativity and time commitment. Thinking is crucial for a good code, but also is having a good pace on how you're writing. Keeping communication with my mentors was hard to me, but within the period of 2 weeks of good communication I finally got back on track.

I expect to be way more positive in my next blog post :-)

And with more PRs merged!

Leonardo Rodrigues.

Data visualization is a big part of the process of data analysis. In this post, we will learn how make a scatter plot using Python and the package Seaborn. In detail, we will learn how to use the Seaborn methods scatterplot, regplot, lmplot, and pairplot to create scatter plots in Python.

More specifically, we will learn how to make scatter plots, change the size of the dots, change the markers, the colors, and change the number of ticks.  Furthermore, we will learn how to plot a regression line, add text, plot a distribution on a scatter plot, among other things. Finally, we will also learn how to save Seaborn plots in high resolution. That is, we learn how to make print-ready plots.

Scatter plots are powerful data visualization tools that can reveal a lot of information. Thus, this Python scatter plot tutorial will start explain what they are and when to use them. After we done that, we will learn how to make scatter plots.

What is a Scatter Plot

A scatter plot is a two-dimensional (bivariate) data visualization that uses dots to represent the values gathered for two different variables. That is, one of the variables is plotted along the x-axis and the other plotted along the y-axis. For example, this scatter plot shows the relationship between a child’s height and the parents height.

When to Use a Scatter Plot

Scatter plots are used when we want to visualize the relationship between two variables. Furthermore, scatter plots are sometimes called correlation plots because they reveal how two variables are correlated. In the child and parent height example, the chart wasn’t just a simple log of the height of a set of children and parents, but it also visualized the relationship between a child’s height and it’s parents height. That is, namely that the child’s height increases as the parents height increases. Notice that the relationship isn’t perfect, some children are shorter than their parents. However, this trend is general and relatively pretty strong. Using Python and Seaborn we can also visualize this trend and correlation:

Python Scatter Plot Tutorial

This is exactly what we are going to learn in this tutorial; how to make a scatter plot using Python and Seaborn.

In the first code chunk, below, we are importing the packages we are going to use. Furthermore, to get data to visualize (i.e., create scatter plots) we load this from an URL. Note, the %matplotlib inline code is only needed if we want to display the scatter plots in a Jupyter Notebook. This is also the case for the import warnings and warnings.filterwarnings(‘ignore’) part of the code.

%matplotlib inline
import numpy as np
import pandas as pd
import seaborn as sns

# Suppress warningsimport warnings
warnings.filterwarnings('ignore')

# Import Data
data = 'https://vincentarelbundock.github.io/Rdatasets/csv/datasets/mtcars.csv'
df = pd.read_csv(data, index_col=0)

df.head()

How to use Seaborn to create Scatter Plots in Python

In this section we will learn how to make scatter plots using Seaborns scatterplot, regplot, lmplot, and pairplot methods.

Seaborn Scatter plot using the scatterplot method

First, we start with the most obvious method to create scatter plots using Seaborn: using the scatterplot method. In the first Seaborn scatter plot example, below, we plot the variables wt (x-axis) and mpg (y-axis). This will give us a simple scatter plot:

sns.scatterplot(x='wt', y='mpg', data=df)

Size of the dots

If we want to have the size of the dots represent one of the variables this is possible.  In the next example, we change the size of the dots using the size argument.

sns.scatterplot(x='wt', y='mpg',
                size='wt', data=df)

Change the Axis

In the next Seaborn scatter plot example we are going to learn how to change the ticks on the x- and y-axis’. That is, we are going to change the number of ticks on each axis. To do this we use the set methods and use the arguments xticks and yticks:

ax = sns.scatterplot(x='wt', y='mpg', size='wt', data=df)
ax.set(xticks=np.arange(1, 6, 1),
      yticks=np.arange(5, 50, 10))

Grouped Scatter Plot in Seaborn

If we have a categorical variable (i.e., a factor) and want to group the dots in the scatter plot we use the hue argument:

sns.scatterplot(x='wt', y='mpg',
                hue='vs', data=df)

Changing the Markers (the dots)

Now, one way to change the look of the markers is to use the style argument.

data = 'https://vincentarelbundock.github.io/Rdatasets/csv/carData/Burt.csv'
df = pd.read_csv(data, index_col=0)
sns.scatterplot(x='IQbio', y='IQfoster', style='class',
                hue='class', data=df)

Note, should also be possible to use the markers argument. However, it seems not to work, right now.

Bivariate Distribution on Scatter plot

In the next Seaborn scatter plot example we are going to plot a bivariate distribution on top of our scatter plot. This is quite simple and after we have called the scatterplot method we use the kdeplot method:

data = 'https://vincentarelbundock.github.io/Rdatasets/csv/datasets/mtcars.csv'
df = pd.read_csv(data, index_col=0)

sns.scatterplot(x='wt', y='mpg', data=df)
sns.kdeplot(df.wt, df.mpg)

Seaborn Scatter plot using the regplot method

If we want a regression line (trend line) plotted on our scatter plot we can also use the Seaborn method regplot. In the first example, using regplot, we are creating a scatter plot with a regression line. Here, we also get the 95% confidence interval:

sns.regplot(x='wt', y='mpg', data=df)

Scatter Plot Without Confidence Interval

We can also choose to create a scatter plot without the confidence interval. This is simple, we just add the ci argument and set it to None:

sns.regplot(x='wt', y='mpg',
            ci=None, data=df)

Note, the ci argument can also take a numerical value. That is, if we want a plot with 70% confidence interval we just change the ci=None to ci=70.

Seaborn regplot Without Regression Line

Furthermore, it’s possible to create a scatter plot without the regression line using the regplot method. In the next example, we just add the argument reg_fit and set it to False:

sns.regplot(x='wt', y='mpg',
            fit_reg=False, data=df)

Changing the Number of Ticks

It’s also possible to change the number of ticks when working with Seaborn regplot. In fact, it’s as simple as working with the scatterplot method, we used earlier. To change the ticks we use the set method and the xticks and yticks arguments:

ax = sns.regplot(x='wt', y='mpg', data=df)
ax.set(xticks=np.arange(1, 6, 1),
      yticks=np.arange(5, 50, 10))

Changing the Color on the Scatterplot

If we want to change the color of the plot, it’s also possible. We just have to use the color argument. In the regplot example below we are getting a green trend line and green dots:

sns.regplot(x='wt', y='mpg',
            color='g', data=df) 

Adding Text to a Seaborn Plot

In the next example, we are going to learn how to add text to a Seaborn plot. Remember the plot, in the beginning, showing the relationship between children’s height and their parents height? In that plot there was a regression line as well as the correlation coeffienct and p-value. Here we are going to learn how to add this to a scatter plot. First, we start by using pearsonr to calculate the correlation between the variables wt and mpg:

from scipy.stats import pearsonr

corr = pearsonr(df['wt'], df['mpg'])
corr = [np.round(c, 2) for c in corr]
print(corr)
# Output: [-0.87, 0.0]

In the next code chunk we are creating a string variable getting our pearson r and p-value (corr[0] and corr[1], respectively). Next, we create the scatter plot with the trend line and, finally, add the text. Note, the first tow arguments are the coordinates where we want to put the text:

text = 'r=%s, p=%s' % (corr[0], corr[1])
ax = sns.regplot(x="wt", y="mpg", data=df)
ax.text(4, 30, text, fontsize=12)

Seaborn Scatter Plot with Trend Line and Density

It’s, of course, also possible to plot a bivariate distrubiton on the scatter plot with a regression line. In the final example, using Seaborn regplot we just add the kernel density estimation using Seaborn kde method:

import seaborn as sns

sns.regplot(x='wt', y='mpg',
            ci=None, data=df)
sns.kdeplot(df.wt, df.mpg)

How to Rotate the Axis Labels on a Seaborn Plot

If the labels on the axis’ are long, we may want to rotate them for readability. It’s quite simple to rotate the axis labels on the regplot object. Here we rotatelabels on the x-axis 90 degrees:

ax = sns.regplot(x='wt', y='mpg', data=df)
for item in ax.get_xticklabels():
    item.set_rotation(90)

Scatter Plot Using Seaborn lmplot Method

In this section we are going to cover Seaborn’s lmplot method. This method enables us create grouped Scatter plots with a regression line.

In the first example, we are just creating a Scatter plot with the trend lines for each group. Note, here we use the argument hue to set what varible we want to group by.

sns.lmplot(x='wt', y='mpg',
           hue='vs', data=df)

Changing the Color Using the Palette Argument

When working with Seaborn’s lmplot method we can also change the color of the lines, CIs, and dots using the palette argument. See here for different palettes to use.

sns.lmplot(x='wt', y='mpg', hue='vs',
           palette="Set1", data=df)

Change the Markers on the lmplot

As previously mentioned, when creating scatter plots, the markers can be changed using the markers argument. In the next Seaborn lmplot example we are changing the markers to crosses:

sns.lmplot(x='wt', y='mpg',
           hue='vs', palette="Set1", markers='+', data=df)

Furthermore, it’s also possible to change the markers of two, or more, categories. In the example below we use a list with the cross and “star” and get a plot with crosses and stars, for each gorup.

sns.lmplot(x='wt', y='mpg',
           hue='vs',
           palette="Set1", markers=['+', '*'], data=df)

See here for different markers that can be used with Seaborn plots.

Seaborn Pairplot: Scatterplot + Histogram

In the last section, before learning how to save high resolution images, we are going to use Seaborn’s pairplot method. The pairplot method will create pairs of plots

data = 'https://vincentarelbundock.github.io/Rdatasets/csv/datasets/mtcars.csv'
df = pd.read_csv(data, index_col=0)
df = dfdf[['mpg', 'wt', 'hp', 'qsec']
sns.pairplot(df)

Pairplot with Grouped Data

If we want to group the data, with different colors for different categories, we can use the argument hue, also with pairplot. In this Python data visualization example we also use the argument vars with a list to select which variables we want to visualize:

cols = ['mpg', 'wt', 'hp', 'qsec']
sns.pairplot(df, vars=cols, hue='vs')

Saving a High Resolution Plot in Python

If we are planning to publish anything we need to save the data visualization(s) to a high resolution file. In the last code example, below, we will learn how to save a high resolution image using Python and matplotlib.

ax = sns.pairplot(df, vars=cols, hue='vs')
plt.savefig('pairplot.eps', format='eps', dpi=300)

Here’s a link to a Jupyter Notebook containing all of the above code.

Conclusion

In this post we have larned how to make scatter plots in Seaborn. Moreover, we have also learned how to:

• work with the Seaborn’s scatterplot, regplot, lmplot, and pairplot methods
• change color, number of axis ticks, the markers, and how to rotate the axis labels of Seaborn plots
• save a high resolution, and print ready, image of a Seaborn plot

The post How to Make a Scatter Plot in Python using Seaborn appeared first on Erik Marsja.