I quote from the documentation:
"Permissions can be set not only per type of object, but also per specific object instance. By using the has_add_permission(), has_change_permission() and has_delete_permission() methods provided by the ModelAdmin class, it is possible to customize permissions for different object instances of the same type."
https://docs.djangoproject.com/en/1.5/topics/auth/default/
I can't find any info about how to set this up. I want users to only be able to change instances of a model which they are attached to, not all instances of that model.
That refers to the Django admin. Here's how you define an admin model:
https://docs.djangoproject.com/en/1.5/ref/contrib/admin/#django.contrib.admin.ModelAdmin
And here's how you define permissions:
https://docs.djangoproject.com/en/1.5/ref/contrib/admin/#django.contrib.admin.ModelAdmin.has_add_permission
(I asssumed you're using Django 1.5, and not the latest, 1.6.2)
Related
I created a Custom User Model by basically copying and pasting the full example given in the Django Docs. But in the docs, they unregistered groups. But in my project I will need groups because I'll have different uper types. So how can I still have groups and add my custom users to them?
Try using a customGroup class extending the Group class, or a custom group class from scratch according to requirements
I am having some struggles how does exactly django.admin.LogEntry objects are created.
Consider the following scenario:
I have a bunch of functions which take a csv file with data that allow me to create multiple objects at one call (just iterate through the file, use the data and if data in given row is correct: create a Model instance). I want to make sure that that each of that creation will be logged.
The question is: django docs are not very descriptive on how does LogEntry works and I am not sure if such actions (not taken in the admin panel itself) will be logged there. Also: will the LogEntries be created for the related objects or I have to trigger them manually?
Does anybody got any experience with such scenarios and can share thoughts about it?
The LogEntry model is in the Admin package and only used by Django admin by default. It is used in the admin layer and not model layer when saving objects. if you want to use it outside the admin, then you will have to manually create the entries yourself. That also means the admin will likely display entries of changes made by normal users so you have to think about how you want the entries displayed
I'm working on some Django Rest Framework based project (quite expected API for some web-app). It has as traditional Django models, and some kind of model-like objects: they behave like Django models but don't store anything in DB. No tables, no content-types. When we ask them for objects, they goes to external API and forms resulting Queryset.
Now I need to build some role-based access system. To make the architecture clear and extensible, I want to make groups and permissions managable through the Django Admin interface. So, I guess, we need to put some permissions to DB and then we'll be able to add these permissions to user groups. After that, we'll check these permissions in DRF.permissions class. But since we have neither tables, nor content-types for these 'models', we can't add records to permissions table right now.
What is the right way to make this possible? Should I rebuild these 'models' through the metaclass with proxy = True? Or should I add a proxy layer above? Maybe I should add some dummy content-types by hand?
Is there is best practice to forbid access to other user's objects in django? Let's say i can access to object by PK in path (some/path/to/object/PK/edit). What best way to forbid access User1 to User2 objects by pk in path?
I usually create a #owner_required decorator to wrap elements with such requirements, how the logic works depends on usecase
You should have an association in your user model, and then in you controllers you should do all object access through your user model associations, so each user can only access each own childs. Here is a related post How to create new (unsaved) Django model with associations?
If you need more granular security than what Django provides out-of-the-box then you might want to look into one of the ACL offerings. Starting with Django 1.2 it is possible to add object/row level permissions using a third-party plugin. There are several to choose from. See this SO question for suggestions:
Django 1.2 object level permissions - third party solutions?
I'm creating CMS and now facing some issue I need your advice. I have few different modules (apps) I can define custom permission to them - in model i define custom permissions like "view_store", "edit_store", "delete_store" and so on. And then I have defined different user groups (I want to have group based user access control) - admin, editor, vip, user.
I'm creating these groups when running one time command to initialize CMS (manage.py initcms) and I want of course all the right permissions will be added to the group in the same time.
initcms action is running after the syncdb, so all the models are in DB (info about permissions also of course).
I have something in my mind... If this is good way to go or you have the better one? Let me describe mine: I want to give for example for vip user all the permission from all the models (which have this permission defined) to "view_*". It means vip can view everything. I have an idea when initializing database just grab all entries (all permissions) which fits pattern "LIKE view_%" and then add these all to group's permissions.
But then the problem if the new module will be added... I need to re-run this action and check if all the permissions are right... Maybe there is some dynamic way to deal with group permissions?
One possible solution is to use Django Signals, which can be triggered before or after a model's save mothod has been called or after or before any M2M action takes places, after syncdb etc... You may select a proper signal that fits you best and then call a function that checks related permissions and add or remove any if necessary...