Django permission and authorization - django

I am working on a Django project and I want to make model-based permissions. My question is: if I have an app named order, the default permissions are add_order, change_order, delete_order and view_order, so do those permissions exist only for the admin side? I mean, if I try to delete a model object from the order app in my view, not in the admin, what will happen, and if so I want to know if it will cause any errors? Thanks.

Out of the box, Django permissions are not implicitly checked in your own views; you have to apply the logic yourself.
You have a few options for checking the permissions:
User.has_perm(permission)
Perms template tag
The permission_required decorator
The PermissionRequiredMixin
More information can be found here: https://docs.djangoproject.com/en/3.0/topics/auth/default/#the-permissionrequiredmixin-mixin

Related

Wagtail - is there a simple way of checking programmatically if a user has Wagtail admin access?

I would like to be able to check in my code whether a user has access to the Wagtail admin interface. I was imagining a field on the Django model like user.is_wagtail_user.
Is there an existing way to do this? Or is there something simple I can add?
Access to the Wagtail admin is controlled by the standard Django permission system, with a permission named wagtailadmin.access_admin. This can be checked with the has_perm method:
user.has_perm('wagtailadmin.access_admin')

Confusion about the django permission and group model?

For example, I create a permission like this:
Permission.objects.create(name='Can add', codename='can_add', content_type_id=1)
Now if I want to apply this permission in some view, I need to use the permission_required decorator like this:
@permission_required('app.can_add', raise_exception=True)
def some_view(request):
    ...
Here I need to exactly match the permission code_name in the decorator in order to apply the permission.
But what if an admin (not a developer) created a new permission with a different codename than the codename which is used in a view? Should we go manually to the code and edit the codename? Or are there any better solutions? How can an admin apply the newly created permission in the view without manually going into the code?
I am thinking of it from the normal user's perspective, after we have given the project to the client. How can he/she manage such things?
Note: I am not using the Django default admin panel.
Simple answer: creating custom permissions via the admin doesn't make any sense indeed since the code won't know anything about those permissions (and the permissions don't know anything about your code either FWIW).
If your app needs custom permissions, you create them via code (i.e. in a migration), and deploy them together with the code that uses them. Then the admins can assign those permissions to selected users or groups as they see fit.

Django - permission_required on view level

I am looking at the built-in authentication functionality from Django for my custom app.
If I understand this right, I can assign add, change, delete rights to models.
I am looking for a solution to assign view/show rights to a user.
My basic idea is to use the permission_required decorator for this, but as stated this only works for add, change, delete and in addition it seems only to work for models. I have functions where I am using multi-objects from models.
The best would be to have something that collects my custom permission_required decorators and gives me the possibility to edit this e.g. in the Django admin UI.
E.g.
@permission_required('user.profile.view')
def myProfile(request):
    ...
@permission_required('user.profile.edit')
def editMyProfile(request):
    ...
Any idea or suggestion is welcome.
Thanks in advance!
Creating custom permissions is well documented. Once you've created custom permissions, you'll be able to assign them to users through the usual user admin page.

How to show permissions to add or change a Django model in Group or user permission list on Admin site?

I am able to run a Django Admin site and when I login as the SuperUser I'm able to modify my model as well. This part works perfectly.
When I login as a user that is NOT a super user, the user does not see an option to modify this Model. When I logged in as a Super User and tried to give this user/group the permission to modify this model from the permission list, I couldn't find this permission in the list.
I see the following permissions:
admin|log entry|
.
.
auth|group|...
auth|message|...
auth|permission|...
content types|...
sessions|...
but nothing related to my ModelAdmin. My admin.py looks as follows:
from django.contrib import admin
from pl.models import *
class MyModelAdmin(admin.ModelAdmin):
    pass
admin.site.register(MyModel, MyModelAdmin)
Can only a super-user edit models specified via ModelAdmin? What if I want to permission a group to be able to do so for select models. Any way to do this?
Thanks.
You should be able to do that. Try running python manage.py syncdb again.
If you've already run syncdb and the permissions are still not there, then you must not have your app listed in INSTALLED_APPS. Otherwise, Django would automatically create them.
Additionally, you mention "nothing related to my ModelAdmin". The permissions are created for models, not ModelAdmins. You may have just mistyped that, but if you're looking for something related to the ModelAdmin itself, that might be your problem.

Django administration view: how to remove auto generated permissions?

Django administration view automatically generates permissions for all modules and tables - admin, auth, contenttypes etc. Is it possible to remove these permissions from 'Available user permissions' so I can see only permissions that I think are relevant?
Not in an elegant manner. You would need to either override the template or go mucking in the admin code (Django philosophy: "the admin is not your app").
It's best to create your own interface.