I have a model class Project and for each model instance, there should be a 'group' of users who may edit that instance. I guess I could add another model class called ProjectEditor to add those editors. Is there a better way of implementing this? What about checking for permissions? I would need to write my own permission method then too, right?
Thanks
Eric
Django Guardian seems to be the best solution today for Model instance level permissions.
Model (table) level permissions can be achieved using the groups facility provided by Django auth. Groups let you create custom permissions at a model level. Instance (row) level would be trickier. You would most likely have to write a custom mechanism to accomplish this.
Here is a Django Snippet that might give you some ideas.
There was an open source release for row/object level permissions by the washington times team that might be of use:
Django Object Permissions Proof of Concept
Related
For example I create permission like this:
Permission.objects.create(name='Can add',codename='can_add',content_type=1)
Now if I want to apply this permission in some view I need to use permission_required decorator like this
#permission_required('app.can_add', raise_exception=True)
def some_view(request):
...
Here I need to exactly match the permission code_name in the decorator in order to apply the permission .
But what if admin(not developer) created new permission with different codename than the codename which is used in a view? We should go manually to the code and edit the codename ? Or is there any better solutions?How can admin apply the newly created permission in the view without manually going in the code?
I am thinking it from the normal user perspective, after we gave the project to the client.How can he/she manage such things?
Note:I am not using django default admin panel
Simple answer: creating custom permissions via the admin doesn't make any sense indeed since the code won't know anything about those permissions (and the permissions don't know anything about your code either FWIW).
If your app needs custom permissions, you create them via code (ie in a migration), and deploy them together with the code that uses them. Then the admins can assign those permissions to selected users or groups as they see fit.
I'm working on some Django Rest Framework based project (quite expected API for some web-app). It has as traditional Django models, and some kind of model-like objects: they behave like Django models but don't store anything in DB. No tables, no content-types. When we ask them for objects, they goes to external API and forms resulting Queryset.
Now I need to build some role-based access system. To make the architecture clear and extensible, I want to make groups and permissions managable through the Django Admin interface. So, I guess, we need to put some permissions to DB and then we'll be able to add these permissions to user groups. After that, we'll check these permissions in DRF.permissions class. But since we have neither tables, nor content-types for these 'models', we can't add records to permissions table right now.
What is the right way to make this possible? Should I rebuild these 'models' through the metaclass with proxy = True? Or should I add a proxy layer above? Maybe I should add some dummy content-types by hand?
I have two models: Domain and Record. Many records link to a domain. The domains and records have their owners. I want to disallow users to create records in domains that they don't own. However they should be able to edit records if someone else (a superuser e.g.) created them and set owner to that specific user (even if they don't own a domain). This should work both for admin site and for API (rest_framework)
My question is - what is the simplest way to achieve this goal? Is there some django plugin that handles permissions for linking? Can I use model validators here (if so - how to distinguish if a new object is created)?
The problem here is that the Django Rest Framework and Django itself (via admin) are interacting only at the level of the models. In order to achieve your goal I would implement the following design:
Make the models aware of their owners and users. For that I would use django-audit-log.
Overwrite the default model Manager and build your logic in the create method, where I will query the user's attributes and throw appropriate exceptions.
Such a design shifts some of the business logic from the controller to the data model - there are some debates out there about the benefits and pitfalls of such an approach. But with the underlined constraints (Django admin and API) is the only common place where you could put it.
Is this what you are aiming for ?
Is there is best practice to forbid access to other user's objects in django? Let's say i can access to object by PK in path (some/path/to/object/PK/edit). What best way to forbid access User1 to User2 objects by pk in path?
I usually create a #owner_required decorator to wrap elements with such requirements, how the logic works depends on usecase
You should have an association in your user model, and then in you controllers you should do all object access through your user model associations, so each user can only access each own childs. Here is a related post How to create new (unsaved) Django model with associations?
If you need more granular security than what Django provides out-of-the-box then you might want to look into one of the ACL offerings. Starting with Django 1.2 it is possible to add object/row level permissions using a third-party plugin. There are several to choose from. See this SO question for suggestions:
Django 1.2 object level permissions - third party solutions?
I'm creating CMS and now facing some issue I need your advice. I have few different modules (apps) I can define custom permission to them - in model i define custom permissions like "view_store", "edit_store", "delete_store" and so on. And then I have defined different user groups (I want to have group based user access control) - admin, editor, vip, user.
I'm creating these groups when running one time command to initialize CMS (manage.py initcms) and I want of course all the right permissions will be added to the group in the same time.
initcms action is running after the syncdb, so all the models are in DB (info about permissions also of course).
I have something in my mind... If this is good way to go or you have the better one? Let me describe mine: I want to give for example for vip user all the permission from all the models (which have this permission defined) to "view_*". It means vip can view everything. I have an idea when initializing database just grab all entries (all permissions) which fits pattern "LIKE view_%" and then add these all to group's permissions.
But then the problem if the new module will be added... I need to re-run this action and check if all the permissions are right... Maybe there is some dynamic way to deal with group permissions?
One possible solution is to use Django Signals, which can be triggered before or after a model's save mothod has been called or after or before any M2M action takes places, after syncdb etc... You may select a proper signal that fits you best and then call a function that checks related permissions and add or remove any if necessary...