#31093: Extend permission backend with get_queryset(user, model)
------------------------------+--------------------------------------
Reporter: James Pic | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 3.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Description changed by James Pic:
Old description:
> Permissions on objects are based on two mechanisms that developers have
> to implement:
>
> - filtering a queryset based on a user object and eventually a permission
> name
> - returning if a user has a permission on an object instance
>
> Currently, permission backend allows developers to implement the first
> mechanism: you can allow a specific permission on an object with the
> permission backend.
>
> This works extremely well even for complex use cases: you get a model
> object, a user, a permission name and you can return True.
>
> Example:
>
> {{{
> def has_perm(self, user_obj, perm, obj=None):
>     if not user_obj.is_authenticated or not isinstance(obj, MRSRequest):
>         return False
>
>     return (
>         user_obj.profile == 'admin'
>         or obj.caisse in user_obj.caisses.all()
>     )
> }}}
>
> However, permission framework does not include the first security
> feature mentioned: getting a filtered queryset with objects a user should
> be able to see, eventually for a given permission. Such implementation
> could look like:
>
> {{{
> def filter_queryset(self, user_obj, perm, queryset=None):
>     if not queryset.model == MRSRequest:
>         return queryset
>
>     if not user_obj.is_authenticated:
>         return queryset.none()
>
>     return queryset.filter(caisse__in=user_obj.caisses.all())
> }}}
>
> The admin views could use this, and django.contrib.auth could provide
> generic views extensions which do check permissions.
New description:
Permissions on objects are based on two mechanisms that developers have to
implement:
- returning if a user has a permission on an object instance
- filtering a queryset based on a user object and eventually a permission
name
Currently, permission backend allows developers to implement the first
mechanism: you can allow a specific permission on an object with the
permission backend.
This works extremely well even for complex use cases: you get a model
object, a user, a permission name and you can return True.
Example:
{{{
def has_perm(self, user_obj, perm, obj=None):
    if not user_obj.is_authenticated or not isinstance(obj, MRSRequest):
        return False
    return (
        user_obj.profile == 'admin'
        or obj.caisse in user_obj.caisses.all()
    )
}}}
However, permission framework should also allow developers to implement
the second security mechanism: getting a filtered queryset with objects a
user should be able to see, eventually for a given permission. Such
implementation could look like:
{{{
def filter_queryset(self, user_obj, perm, queryset=None):
    if not queryset.model == MRSRequest:
        return queryset
    if not user_obj.is_authenticated:
        return queryset.none()
    return queryset.filter(caisse__in=user_obj.caisses.all())
}}}
The admin views could use this, and django.contrib.auth could provide
generic views extensions which do check permissions.
--
Ticket URL: <https://code.djangoproject.com/ticket/31093#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
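As an added example (not from the ticket, and not Django's own code): a plain-Python stand-in for the proposed has_perm/filter_queryset pair, with a check that the two mechanisms grant the same objects, since an object-level check and a queryset filter that drift apart mean either the list view leaks rows or the detail view refuses rows the list promised. Caisse, MRSRequest, User, both backend classes and check_consistency are assumptions, and a plain list stands in for the queryset so it runs without Django.

```python
# Added example, not from the ticket or from Django: a plain-Python stand-in
# for the proposed backend pair, plus a check that the two mechanisms agree.
# Caisse, MRSRequest, User and both backends are constructed stand-ins; a plain
# list plays the role of the queryset so this runs without Django installed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Caisse:
    name: str

@dataclass(frozen=True)
class MRSRequest:
    pk: int
    caisse: Caisse

@dataclass
class User:
    is_authenticated: bool = True
    profile: str = "user"
    caisses: set = field(default_factory=set)  # stands in for user_obj.caisses.all()

class MRSRequestBackend:
    """Object-level check and queryset filter written to grant the same objects."""
    def has_perm(self, user_obj, perm, obj=None):
        if not user_obj.is_authenticated or not isinstance(obj, MRSRequest):
            return False
        return user_obj.profile == "admin" or obj.caisse in user_obj.caisses

    def filter_queryset(self, user_obj, perm, queryset):
        # With Django: queryset.none() / queryset.filter(caisse__in=...)
        if not user_obj.is_authenticated:
            return []
        if user_obj.profile == "admin":
            return list(queryset)
        return [o for o in queryset if o.caisse in user_obj.caisses]

class DriftedBackend(MRSRequestBackend):
    """Same has_perm, but the filter forgot the admin rule: the two disagree."""
    def filter_queryset(self, user_obj, perm, queryset):
        if not user_obj.is_authenticated:
            return []
        return [o for o in queryset if o.caisse in user_obj.caisses]

def check_consistency(backend, user_obj, perm, objects):
    """Return pks where filter_queryset and has_perm disagree (empty is good):
    visible-but-denied leaks in list views, denied-but-visible breaks detail views."""
    visible = set(backend.filter_queryset(user_obj, perm, objects))
    return sorted(o.pk for o in objects
                  if (o in visible) != backend.has_perm(user_obj, perm, o))
```

Running check_consistency over every user profile in a test suite is the cheapest way to notice when one of the two backend methods is changed without the other.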