Basically I would like to have a permission system like Linux file system. I want to classify the permissions whether the user is in the same group as the owner (creator) of the object.
Example scenario:
User can change objects created by someone in the same group as them.
Group Admins can change and delete any object created by users in their group.
Is it possible to do this with default django permission system? If not, is there a package you could recommend?
I hope I am not missing anything basic in django docs but I couldn't find a way to accomplish this.
Is it possible in django to create permission to control (view/add/delete/change) user accounts only from specific group or e. g. having flag is_staff set to false? How can I do it?
For example, users from 'operators' group can manage users from 'clients' group and cannot control (even view) staff user accounts in admin interface.
Yes, it's possible to do that. You can specify groups of users and assign particular rights to them. It's quite well described in the docs - please see here: https://docs.djangoproject.com/en/1.8/topics/auth/default/#permissions-and-authorization
Hope that helps!
I'm a bit unsure what to use Django user groups for.
I have an application where every user belongs to a different organisation. The organisations don't have anything to do with read/write permissions. It's just a way to separate groups of users. Every organisation needs some additional fields, like a name, URL, and email address. New organisations will be added to the system over time.
Within every organisation, users can have different permissions for moderation and administration, for which I (also) want to use user groups.
My question: Should I use Django's user groups to define the organisations, or should I just make an 'Organisation' model with a relation to the user?
Nope. User groups are made for different reasons. You CAN use them to define organisations but I think you should think bit further ahead:
will the organisation require more fields than just name?
perhaps you will need permissions in the future to define users roles within organisations?
I'm sure you can come up with more things to think of. But if you answered yes to one of those questions then just create your Organisation model.
1) You need to add group from django admin side under group table.
2) And while creating new user, assign specific group to user using user_obj.groups.add(group_id). Or Let user select group at frontend.
and then user_obj.save()
in Group table, you can create organization
OR
You can create individual organization table and assign assign user to specific organization.
I want to be able to efficiently find all user with a particular permission and then among those users find all users who have a particular flag (I extended the base User model and created my own, which has the flag). I was wondering what is the easiest/efficient way to do this? I was reading the below (among other sites):
How can I get all objects a user has specific permissions to in django guardian?
But they dont seem to be helping in my situation. Please let me know if there is an article I missed, thanks!
[EDIT]
I read the following page:
http://digitaldreamer.net/blog/2010/5/10/get-all-users-group-django/
Basically I want to get all users who have a particular permission AND who have a certain flag. Right now I can do: User.objects.filter(organization_id = id) to get all users within a particular organization as per my code. But within that list, I want all users who have a particular permission.
I asked a question related to django-guardian and answered it myself after much research. I believe you should be able to find your answer here: Django Groups and Permissions. Extending Groups to have a FK?
UPDATE
You could do something like this:
user_list = []
for user in User.Objects.filter(organization_id=id):
if user.has_perm('PERM NAME'):
user_list.append(user)
See this link for more details: http://packages.python.org/django-guardian/userguide/check.html
You could do it as mentioned above. But by chaining filter statements, it is also possible. I referred to this other question: How to get a list of all users with a specific permission group in Django. By chaining both filter statements, I can get all users with a permission and all users with the certain organization_id.
The Django site I'm working on has the possibility for users to sign up for an account. To provide them with some editing functionality, I use the built-in Django admin. However, I'm having a problem: After a user has signed up, they don't have any permissions inside the Django admin, not even view permissions. Thus my question: How do I, in code, assign admin permissions to the user for the relevant models, in the same way I can assign them manually in the "User Permissions" section when editing the user in the admin? I've already tried with the usual has_xxx_permissions() using custom ModelAdmin classes, but that didn't work. So my guess is that I overlooked something obvious. Any ideas?
https://docs.djangoproject.com/en/dev/topics/auth/default/#permissions-and-authorization
new_user.user_permissions.add(permission1, permission2, etc...)
For your purposes, it would probably be much more easy and and efficient to assign all new users to a particular group, and then give that group all the permissions the user needs. Any member of the group will inherit those permissions as well.
You can create the group and assign the permissions to it in the admin. Then, you just need to add something like the following to your registration code.
try:
group = Group.objects.get(name='The User Group')
except Group.DoesNotExist:
# group should exist, but this is just for safety's sake, it case the improbable should happen
pass
else:
user.groups.add(group)
dgel's answer pointed me in the direction which lead to a working solution for me. Essentially, what he seems to be suggesting is:
Retrieve a ContentType for the model you want to set permissions for. In this context, a content type is an object that holds information about a Django model.
Create a Permission object consisting of the content type and the action you want to allow inside the admin, using Permission.objects.get(). The only difficulty here is figuring out the codename parameter, which, for admin permissions, consists of an action ("add", "change" or "delete"), an underscore, and the model name. So if you have a model called Foo and you want to create all permissions for it, you'll need 3 permissions, each with the content type of your Foo model plus the code names add_foo, change_foo, and delete_foo.
Assign these permissions using user.user_permissions.add(permission).
Head over to dgel's answers for code examples. Looking at a data dump of the auth app (manage.py dumpdata auth) of an existing Django database provided me with insights into the inner workings of permissions, too.
I'll answer your question exactly since I found this question with Google. I'll show what I'm doing in Django 1.9 with groups, then show how to do it to a user.
from django.contrib.auth.models import Group, Permission
group, __ = Group.objects.get_or_create(name='my_group')
permissions = Permission.objects.all()
for p in permissions:
group.permissions.add(p)
group.save()
It's pretty easy to adapt to user:
from django.contrib.auth.models import Permission
permissions = Permission.objects.all()
for p in permissions:
youruser.user_permissions.add(p)
youruser.save()
I prefer group because you may be adding permissions in the future and can just add to group instead of re-doing all users.
As of Django 1.6:
Every User has a many-to-many field user_permissions to Permission - you can add permissions to this:
your_user.user_permissions.add(permission)
v1.6 Docs:
Django.contrib.auth API (shows User, Group and Permission objects)
Auth default permissions (shows how to clear, add, remove)