row level permissions with django-guardian - no effect on admin interface observed

StackOverflow https://stackoverflow.com/questions/18298851

  •  24-06-2022

Question

I have added row level permissions with django-guardian to my project.

From the set-up it seems everything worked fine:

  • Guardian specific tables have been created (guardian_groupobjectpermission, guardian_userobjectpermission)
  • Models with GuardedModelAdmin show the "Object permissions" feature next to "History"
  • It lets me assign "Add", "Change", "Delete" permissions for users/groups

But assigning (resp. not assigning) permissions shows no impact at all on the admin interface. Every user is allowed to do everything with all objects.

I have tried with

user_can_access_owned_objects_only = True

but this only affects the ability to view objects. Once a user sees it, he can also change and delete it, regardless of what is set in the permissions.

And I followed another discussion suggesting this in the ModelAdmin

def queryset(self, request):
    if request.user.is_superuser:
        return get_objects_for_user(user=request.user, perms=['change_program'], klass=Program) 

But this has a similar effect as above, it only limits the visible items.

I would have hoped to see the admin "save" and "delete" buttons (and functions) listening to django-guardian. Is this a misunderstanding? Or did I simply not walk down the entire road yet?

Thanks for any hint! R

Solution

Guardian allows you to create your own permissions to assign to user/object combinations, but limiting access to resources based on those object permissions still requires you to write code in your views. As such, there is no automatic enforcing within the Admin views. The admin integration is for allowing users with access to the admin interface to manage object-level permissions, see the guardian docs:

http://django-guardian.readthedocs.org/en/latest/userguide/admin-integration.html
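
Added example (not part of the original answer and not django-guardian's own code): one way to write the enforcement the answer refers to is a mixin that overrides the admin's `has_change_permission` and `has_delete_permission` so they ask for the permission on the specific object. The names `ObjectPermissionAdminMixin`, `ProgramAdmin`, the `catalog` app label and the `Stub*` classes are hypothetical; it assumes guardian's `ObjectPermissionBackend` is listed in `AUTHENTICATION_BACKENDS`.

```python
class ObjectPermissionAdminMixin:
    """Added example: put before GuardedModelAdmin in a real admin's bases."""

    def _object_perm(self, request, action, obj):
        # Builds e.g. "catalog.change_program" from the admin's model options.
        perm = f"{self.opts.app_label}.{action}_{self.opts.model_name}"
        # Assumption: guardian's ObjectPermissionBackend is configured, so
        # has_perm(perm, obj) answers from the object-permission tables.
        return request.user.has_perm(perm, obj)

    def has_change_permission(self, request, obj=None):
        if obj is None:  # changelist/index: keep the model-level check
            return super().has_change_permission(request, obj)
        return self._object_perm(request, "change", obj)

    def has_delete_permission(self, request, obj=None):
        if obj is None:
            return super().has_delete_permission(request, obj)
        return self._object_perm(request, "delete", obj)


# --- Constructed stand-ins (hypothetical) to run the mixin without Django ---
class StubOpts:
    app_label, model_name = "catalog", "program"

class StubBaseAdmin:  # mimics ModelAdmin's default: model-level check, obj ignored
    opts = StubOpts()
    def has_change_permission(self, request, obj=None):
        return request.user.has_perm("catalog.change_program")
    def has_delete_permission(self, request, obj=None):
        return request.user.has_perm("catalog.delete_program")

class StubUser:
    def __init__(self, model_perms, object_perms):
        self.model_perms, self.object_perms = model_perms, object_perms
    def has_perm(self, perm, obj=None):
        if obj is None:
            return perm in self.model_perms
        return (perm, obj) in self.object_perms

class StubRequest:
    def __init__(self, user):
        self.user = user

class ProgramAdmin(ObjectPermissionAdminMixin, StubBaseAdmin):
    pass

def check(admin_cls, user, obj):
    admin, req = admin_cls(), StubRequest(user)
    return admin.has_change_permission(req, obj), admin.has_delete_permission(req, obj)
```

Active superusers still pass every check, because Django's `User.has_perm` returns True for them before any backend is consulted.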

License: CC-BY-SA with attribution
Not affiliated with StackOverflow