Dynamic User Templates/Content

(Edward Beck) #1

I am modeling an internal workflow system, where auto communications are expected, and am trying to determine how to accomplish user-defined message templating based on other BPM solutions I’ve used/seen. TLDR: in a flow or task, they can ask that a message be generated and sent, and can write the message using normal text, along with object variables such as [username], [created_date], etc., basically from core model fields.

Where I’m stuck is how to store the variables and how to parse. Looking for general guidance and suggestions rather than specific code, to determine how painful this would be.

  1. Store message text with embedded field codes (that they choose from). Then parse in a view to obtain the relevant values, then serve to the main template for rendering (in a page or sent as a message). A layered view for the lack of a better definition.

  2. Store their message object as a template.html object in a dedicated media folder, stripping any illegal variables from the text to avoid attacks/info leaks (only allow {{}} for supplied objects from the workflow data). Then any rendering (html or email) would use that template object to render out contents.

I tried Google and StackOverflow, but the terms are too generic to get good results, if ever discussed. I’m sure this has to have been attempted before, so would love input from anyone who might see one direction over the other. I am leaning to #2, but have seen warnings against allowing end users to supply template code, but this would be in a very contained manner, and I would have a routine to strip all other field codes they try and slip in.

Sample message:
“Hello, we have a new client {{client.name}} as of {{client.signed_on}}, and will be kicking off our project on {{client.project.start}}. Please ….”

To start, I will create templated messages like this, but as it evolves, I want to allow certain users the rights to tag any task/operation in a flow to send alert messages and have them provide the messaging.
Sorry for the long post, but thought I might get some interesting discussion here. Thanks for reading.

(Lúcio Henrique) #2

Edward, maybe you can create some defined tags like CLIENT_NAME, PROJECT_NAME, and others and make it available to the user creating a template message with a specific syntax. For example:
" Hello [[ CLIENT_NAME ]], welcome to project [[ PROJECT_NAME ]]".

So you can parse this message and replace [[ XX ]] with Django/Jinja template messages. With this approach, you can set only allowed tags. After parsing, a tip is to use the render_to_string() template tag.

(Edward Beck) #3

Hi Lúcio - that is precisely what I am looking to do, but am stuck on how to have Django parse the custom tags embedded in a model field content, and then include in the render to string. So in your suggestion, would you have the custom user message saved as a template in the templates directory instead of the database? I can see that working to produce the desired messages, but am worried about the security implications and managing the template files.
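The allowlisted-tag approach discussed in this thread, as an added example that is not part of any post here: the user's message stays plain text in a model field, and only `[[ TAG ]]` placeholders from a fixed allowlist are substituted, so the text is never compiled by a template engine. It uses only the Python standard library; `ALLOWED_TAGS`, `validate_message`, `render_message`, `UnknownTag` and `SAMPLE_CTX` are hypothetical names, and the attribute paths are taken from the sample message in post #1.

```python
import html
import re
from datetime import date
from types import SimpleNamespace

# Allowlist: placeholder name -> function that reads ONE value from the context.
# Tag names follow post #2; attribute paths follow the sample message in post #1.
ALLOWED_TAGS = {
    "CLIENT_NAME": lambda ctx: ctx.client.name,
    "CLIENT_SIGNED_ON": lambda ctx: ctx.client.signed_on.isoformat(),
    "PROJECT_START": lambda ctx: ctx.client.project.start.isoformat(),
}
PLACEHOLDER = re.compile(r"\[\[\s*(.*?)\s*\]\]")

# Constructed sample data standing in for the workflow's model instances.
SAMPLE_CTX = SimpleNamespace(client=SimpleNamespace(
    name="Acme <Ltd>", signed_on=date(2024, 1, 15),
    project=SimpleNamespace(start=date(2024, 2, 1))))


class UnknownTag(ValueError):
    """Stored text references a placeholder that is not in the allowlist."""


def validate_message(text):
    """Call when a user saves a message; returns the tags used or raises."""
    used = PLACEHOLDER.findall(text)
    unknown = sorted(set(used) - set(ALLOWED_TAGS))
    if unknown:
        raise UnknownTag(", ".join(unknown))
    return used


def render_message(text, ctx, as_html=True):
    """Substitute allowlisted tags; everything else stays literal text."""
    def substitute(match):
        name = match.group(1)
        if name not in ALLOWED_TAGS:  # re-check at render time as well
            raise UnknownTag(name)
        value = str(ALLOWED_TAGS[name](ctx))
        return html.escape(value) if as_html else value

    # Escape the user's own text first (brackets are unaffected), then substitute.
    source = html.escape(text) if as_html else text
    return PLACEHOLDER.sub(substitute, source)
```

Because no template engine ever sees the stored text, something like `{{ client.api_key }}` typed by a user is emitted as literal characters rather than evaluated.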