
How to handle per object permission in Django nowadays?

I was about to use django-guardian until I came across the following in the official documentation:

https://docs.djangoproject.com/en/stable/topics/auth/customizing/#handling-authorization-in-custom-backends

Permissions can be set not only per type of object, but also per specific object instance. By using the has_add_permission(), has_change_permission() and has_delete_permission() methods provided by the ModelAdmin class, it is possible to customize permissions for different object instances of the same type.

Does that mean django-guardian is no longer needed with newer versions of Django?

Please clarify.

Adam Silver asked Oct 15 '15 01:10




1 Answer

Indeed, while reading the docs, I got excited that Django would cater for "per object permissions checking" out of the box, especially in the admin, and that it would be a matter of time to understand how I could activate it.

However, this does not seem to always be the case.

Django undoubtedly strives to provide the grounds (API) for such an implementation, but this implementation sometimes needs good coding skills and Django understanding.

It is the developer who will get these tools together by creating the app that suits their needs. This could be either easy or ... not so easy!

This contradicting information forms the base for my web crawling which focuses on finding a solution to the "per-object permissions" issue, somehow ... effectively for my project's needs or scale and of course my own coding skills and Django understanding up to now.

Django-guardian seems to be the most robust, full-fledged, full-blown application for this purpose, and it also has a 3-year-old open issue regarding its admin integration.

There are also other more lightweight Django applications that address specific needs which are production-stable, as well.

While trying to make ends meet in this somewhat tricky quest, I am leaning towards using django-rules for its simple functioning, focused on my needs.

raratiru answered Sep 20 '22 22:09
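The custom-backend hook the question links to, as an added example that is not part of the original answer or of Django's own code: an authorization-only backend whose `has_perm(user_obj, perm, obj=None)` grants change/delete only on objects the user owns. The `docs` app label, the permission codenames, the `owner_id` field and the stub classes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class OwnerPermissionBackend:
    """Authorization-only backend: owners may change/delete their own objects.

    Backends are duck-typed, so no Django import is needed here. The codenames,
    the "docs" app label and the owner_id field are assumptions of this example.
    """

    OBJECT_PERMS = {"docs.change_document", "docs.delete_document"}

    def authenticate(self, request, **credentials):
        return None  # never logs anyone in; permissions only

    def get_user(self, user_id):
        return None

    def has_perm(self, user_obj, perm, obj=None):
        # Model-level checks (obj is None) are left to the other backends.
        if obj is None or perm not in self.OBJECT_PERMS:
            return False
        # Inactive and anonymous users get nothing.
        if not getattr(user_obj, "is_active", False):
            return False
        # Fail closed when no owner is recorded on the object.
        owner_id = getattr(obj, "owner_id", None)
        return owner_id is not None and owner_id == getattr(user_obj, "pk", None)


# Constructed stand-ins so the check runs without a Django project.
@dataclass
class StubUser:
    pk: int
    is_active: bool = True


@dataclass
class StubDocument:
    owner_id: Optional[int]


def can_change(user, document):
    """Ask the backend the way user.has_perm(perm, obj) would."""
    return OwnerPermissionBackend().has_perm(user, "docs.change_document", document)
```

In a project, the class's dotted path goes in `AUTHENTICATION_BACKENDS` next to `ModelBackend`, and a `ModelAdmin` override of `has_change_permission(request, obj=None)` can pass `obj` on to `request.user.has_perm()`.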