Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

django - comparing django permissions and using django rules

Tags:

django

django-permissions

currently I am looking implementing access control in Django. I've read about the built-in permission, but it does not takes care per object basis. For example, I want permissions like "Only the creator can delete his own items". So I read about django-guardian. Then again, after thinking about it, it may be difficult to manage and check if constraints ever change.

I look at the next popular permission management app called django-rules. This seems to suit what I require. However, I believe django-rules requires a model instance to be involved (hence object level) i.e if I require a simple view like "member's area", it does not perform this function.

This has led me to think about using both the contrib's permission for the latter scenarios and django-rules for the former. My question here, is how easy will it be to manage both permission frameworks?. For instance, I have different groups of users. I am worried about overlapping scenarios whereby the admin added a particular permission in the admin system (to allow access to a view), thinking that should suffice but turns out to be bounded by constraints set by the rules.

I believe this is a common case and I humbly seek your advices and recommendations based on your experiences.

like image 589
goh Avatar asked Mar 08 '12 15:03

goh

People also ask

How does Django permissions work?

By default, Django automatically gives add, change, and delete permissions to all models, which allow users with the permissions to perform the associated actions via the admin site. You can define your own permissions to models and grant them to specific users.

How do I restrict permissions in Django access?

Restrict access to unauthenticated users in Django Views. To simply restrict access to a view based on if the user is authenticated (logged in) or not does not require you to dive deep into the permission system at all, you can simply do it with Decorators, Mixins or the user is_authenticated property.

Does Django administrative permission?

Permissions and Authorization. Django comes with a built-in permissions system. It provides a way to assign permissions to specific users and groups of users. It's used by the Django admin site, but you're welcome to use it in your own code.

What is Django guardian?

django-guardian is an implementation of object permissions for Django providing an extra authentication backend.

1 Answers

If you're doing this through Django admin site, you can override methods such as has_delete_permission(). These get request and object as arguments, so you can use it to set up rules like "User X can delete only his own objects".

like image 58
che Avatar answered Oct 09 '22 11:10

che
Sign in to Comment

Related questions

difference between Response and HttpResponse django
Django DateField with only month and year
Django Form Wizard and Preview with ModelForm
How can I filter these Django records?
empty_form initial value for a modelformset_factory
Django - Template tags in javascript and css files
How to tell Django not to buffer the HTTP POST data?
Thread Safety with Template Tags

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!