Menu
I'm using django-guardian in order to manage per object permission.
For a given user I give permission all permission on one object:
joe = User.objects.get(username="joe")
mytask = Task.objects.get(pk=1)
assign('add_task', joe, mytask)
assign('change_task', joe, mytask)
assign('delete_task', joe, mytask)
and I get, as expected:
In [57]: joe.has_perm("add_task", mytask)
Out[57]: True
In [58]: joe.has_perm("change_task", mytask)
Out[58]: True
In [59]: joe.has_perm("delete_task", mytask)
Out[59]: True
In admin.py I also make TaskAdmin inherit from GuardedModelAdmin instead of admin.ModelAdmin
Now when I connect to my site with joe, on the admin I get:
You don't have permission to edit anything
Am I not supposed to be able to edit the object mytask?
Do I have to set some permissions using the built-in model-based permission system?
Am I missing anything?
EDIT
I tried to add the option user_can_access_owned_objects_only, which is supposed to deal with my issue, but I still can't see anything in my admin...
class TaskAdmin(GuardedModelAdmin):
user_can_access_owned_objects_only = True
pass
admin.site.register(Task, TaskAdmin)
Thank you
472
Test the 'view' permission is added to all modelsUsing #3 for Django 1.7 only creates the permission objects if the model doesn't already exist. Is there a way to create a migration (or something else) to create the permission objects for existing models?
Permissions and Authorization. Django comes with a built-in permissions system. It provides a way to assign permissions to specific users and groups of users. It's used by the Django admin site, but you're welcome to use it in your own code.
You can find this comment on has_perm method of User model in django sources: Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True.
With Django, you can create groups to class users and assign permissions to each group so when creating users, you can just assign the user to a group and, in turn, the user has all the permissions from that group. To create a group, you need the Group model from django. contrib. auth.
In order to only see the instances owned by the current user, I give him all permission
add_task=Permission.objects.get(codename="add_task")
change_task=Permission.objects.get(codename="change_task")
delete_task=Permission.objects.get(codename="delete_task")
joe.user_permissions.add(add_task)
joe.user_permissions.add(change_task)
joe.user_permissions.add(delete_task)
then I set the permission on a few instances using guardian.shortcuts.assign, and I filter the queryset in the admin:
class TaskAdmin(admin.ModelAdmin):
def queryset(self, request):
if request.user.is_superuser:
return super(TaskAdmin, self).queryset(request)
return get_objects_for_user(user=request.user, perms=['add_task', 'change_task', 'delete_task'], klass=Task)
It's far from perfect, but I can't find any other solution.
85
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With