I understand the basic user authentication, login, creating accounts, extending user model...
I am trying to create a site where teachers and students can log in. Teachers would have access to pages students cannot access, with rights to post homework, etc.
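I think it is possible to do this with:

    from django.contrib.auth.decorators import login_required, user_passes_test

    # Defined before the view, because the decorator below needs it at import time.
    def not_in_student_group(user):
        # Passes every user who is not a member of the "Student" group.
        if user:
            return user.groups.filter(name='Student').count() == 0
        return False

    @login_required
    @user_passes_test(not_in_student_group, login_url='/login/')
    def some_view(request):
        # ...
        pass
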
Note: I got the above code from:
http://bradmontgomery.blogspot.com/2009/04/restricting-access-by-group-in-django.html
Question:
How does using permissions differ from the above approach?
How can permissions be used, and how does defining permission help me achieve the above results? (If it is possible to do so, should it be used?)
With Django, you can create groups to class users and assign permissions to each group so when creating users, you can just assign the user to a group and, in turn, the user has all the permissions from that group. To create a group, you need the Group model from django.contrib.auth.
Groups: Way of Categorizing Users. You can assign permissions and users to these groups. Django provides a basic view in the admin to create these groups and manage the permissions. The group denotes the “role” of the user in the system. As an “admin”, you may belong to a group called “admin”.
By default, Django automatically gives add, change, and delete permissions to all models, which allow users with the permissions to perform the associated actions via the admin site. You can define your own permissions to models and grant them to specific users.
It seems there are a hundred ways that people get to the same results in Django regarding authorization and permissions. Groups are one way, definitely.
Django permissions are usually based on your data, so "table based" or "row based". Row based permissions are not native to Django; you have to either roll your own solution or use something like django-guardian or django-authority. More here.
The docs on permissions are here

    from django.db import models

    class Quiz(models.Model):
        title = models.CharField(max_length=64)

        class Meta:
            # Custom permissions, created alongside the default ones on migrate.
            permissions = (
                ("can_take_quiz", "Can take quiz"),
                ("can_grade_quiz", "Can Grade Quiz"),
            )

With this model, and these permissions, you could see that possibly a student aide would be given permission to grade a particular quiz, or a quiz for a given teacher; this is where row-based permissions would be useful. Implementing something like that (via has_permission) can solve a problem, and is more explicit than just adding a user to a group.
You can add users to groups like you have already, and then give that entire group permissions to add a quiz or grade quizzes (teachers can add/edit/delete/grade, students can take quizzes), and check based on that.
Then your user_passes_test would be user.has_perm('quiz.can_take_quiz').
Or, instead of a decorator, you could pass the specific quiz to your object based backend.