Menu
Background
I'm developing a django app for a vacation rental site. It will have two types of users, renters and property managers.
I'd like the property managers to be able to manage their rental properties in the django admin. However, they should only be able to manage their own properties.
I realize the default django admin doesn't support this. I'm wondering how much trouble it would be to add this functionality, and, if it's feasible, what the best way to handle it is.
Goal
Ideally, I picture it working something like this:
auth already allows permissions like this:
vacation | rental | Can add rental vacation | rental | Can change rental vacation | rental | Can delete rental
I'd like to change this to something like:
vacation | rental | Can add any rental vacation | rental | Can change any rental vacation | rental | Can delete any rental vacation | rental | Can add own rental vacation | rental | Can change own rental vacation | rental | Can delete own rental
Possible solution
How would the framework decide if the rental (or whatever) belongs to the user? I'm thinking it checks the vacation.Rental class to see if it has a ForeignKey to auth.User (possibly having some particular name, like 'owner').
On creating a new vacation.Rental, the value of the ForeignKey field would be forced to the current user's id. The ForeignKey field would not be displayed on the form.
On listing rentals, only rentals with the ForeignKey matching the current user would be displayed.
On changing rentals, only rentals with the ForeignKey matching the current user would be displayed. The ForeignKey field would not be displayed on the form.
Of course, this should be able to work for any model having an appropriate ForeignKey field, not just our vacation.Rental model.
Does this sound feasible so far, or should I be going in a different direction?
Complications
Now, here's the tricky part; I'm not sure how to handle this. Let's say a Rental can have many "RentalPhotos." RentalPhoto has a ForeignKey to Rental. Users should be able to add photos to their own rentals. However, the photos don't have a user ForeignKey, so there's no way to directly find out who owns the photo.
Can this be solved by some trickery in the framework, following ForeignKeys until an object is found with a ForeignKey to user? Or should I take the easy way out and give RentalPhoto (and everything else 'belonging' to Rental) its own ForeignKey to the appropriateauth.User? The second approach would invite unneeded redundancy, the first would probably require unnecessary processing overhead...
If I'm going entirely astray please don't hesitate to point me in the right direction. Thanks in advance for any help.
201
Django admin allows access to users marked as is_staff=True . To disable a user from being able to access the admin, you should set is_staff=False . This holds true even if the user is a superuser. is_superuser=True .
Add Permissions to a Group YourClassName' . This way, you are telling Django to use our custom user model instead of the default one. The code below should go in your admin.py file so that you can see your user model. You will see that you can select various permissions and attach them to a particular group.
Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance.
I would simply add a method to each model is_owned_by(user), and it is upto the model to decide if it is owned by that user or not. In most case is_owned_by can be a generic function in a base model class and you can tweak it in special cases. e.g.
class RentalPhoto(BaseModel):
def is_owned_by(self, user):
return self.rental.is_owned_by(user)
This is generic enough and being explicit you will have full control how things behave.
To add new permission you can add that to your models e.g.
class Rental(models.Model):
# ...
class Meta:
permissions = (
("can_edit_any", "Can edit any rentals"),
)
I think instead of adding two permission for any and own, you should add only own permission , so each object already has can_edit which you can treat as user can edit only his object, and if user has permission can_edit_any than only he is allowed to edit all
Using this we can extend auth by adding a custom backend e.g.
class PerObjectBackend(ModelBackend):
def has_perm(self, user_obj, perm, obj=None):
allowed = ModelBackend.has_perm(self, user_obj, perm)
if perm.find('any') >=0 :
return allowed
if perm.find('edit') >=0 or perm.find('delete') >=0:
if obj is None:
raise Exception("Perm '%s' needs an object"%perm)
if not obj.is_owned_by(user_obj):
return False
return allowed
This is a very quick implemenation, in reality you can extend permission objects to check if it needs and object or not e.g. permission.is_per_object instead of doing crude string search but that should also work if you have standard names
181
If you don't want to implement your own Permission Backend, I recommend you to use https://github.com/chrisglass/django-rulez You will do what you want in a much easier way.
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
