Re: Object level permissions implementation
That's something I had in mind also. And I think that is quite the best thing to do.

6.2.2013 18:09, bobhaugen wrote:
> I'm not sure this is the best way to do it, but for what I think is a
> similar situation, I created a template tag and a model instance method.
> The template tag asks the model instance method whether the user has
> permission.
>
> Here's the template tag:
> https://github.com/bhaugen/localecon/blob/master/clusters/templatetags/permissions.py
>
> Here's the instance method:
> https://github.com/bhaugen/localecon/blob/master/clusters/models.py#L176

--
Jani Tiainen

- Well planned is half done and a half done has been sufficient before...

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: Object level permissions implementation
I'm not sure this is the best way to do it, but for what I think is a similar situation, I created a template tag and a model instance method. The template tag asks the model instance method whether the user has permission.

Here's the template tag:
https://github.com/bhaugen/localecon/blob/master/clusters/templatetags/permissions.py

Here's the instance method:
https://github.com/bhaugen/localecon/blob/master/clusters/models.py#L176

Re: Object level permissions implementation
Actually I had a slightly incorrect term: I need _field_ (column) level permissions, not object (row) level permissions.

6.2.2013 8:36, Jani Tiainen wrote:
> No it's not, it's more like an enhancement to standard Django permissions
> that works with predefined "named" permissions.
>
> But I need to actually look at the data of the instance and use that to
> check whether the user has permission to access the instance.
>
> Let's make this slightly simpler:
>
> I have a plan model:
>
> class Plan(models.Model):
>     name = models.TextField(max_length=200)
>
> and I have an Entity model:
>
> class Entity(models.Model):
>     name = models.TextField(max_length=200, unique=True)
>     plan = models.ForeignKey(Plan, null=True, blank=True)
>     is_public = models.BooleanField(default=True)
>     location = models.PolygonField(srid=4326)
>
> Now I have user A, who has access to entities belonging to plans named
> "foo" and "bar" that are inside the user's working area (location is
> within some polygon), and to all entities that are marked as public.
>
> So I need to construct a query that is something like this to get a
> queryset containing only objects that the user has permission to:
>
> Entity.objects.filter(
>     Q(Q(plan__name__in=user.allowed_plans.all()) &
>       Q(location__within=user.working_area)) |
>     Q(is_public=True)
> )
>
> It would be simple if all attributes were on the model only, but some of
> my real models are really complex and need to go quite deep in the
> relations to find out whether the user has access to the object or not.
>
> That's why I would actually use the standard Django authorization
> mechanism and there always delegate checking to the model instance, which
> can tell whether the user has permission to access this object or not.
>
> 5.2.2013 21:00, Nikolas Stevenson-Molnar wrote:
>> If I understand correctly, that's exactly what it's for:
>> https://code.osuosl.org/projects/object-permissions/wiki/Using#Checking-Perms
>>
>> _Nik
>>
>> On 2/4/2013 10:17 PM, Jani Tiainen wrote:
>>> Afaik object-permission works the reverse of what I need - it adds
>>> specific permissions for groups/users to a single object. But I need to
>>> check (mostly through foreign keys and/or spatial relations) whether the
>>> user has permission to see that data or not.

--
Jani Tiainen

- Well planned is half done and a half done has been sufficient before...

Re: Object level permissions implementation
No it's not, it's more like an enhancement to standard Django permissions that works with predefined "named" permissions.

But I need to actually look at the data of the instance and use that to check whether the user has permission to access the instance.

Let's make this slightly simpler:

I have a plan model:

class Plan(models.Model):
    name = models.TextField(max_length=200)

and I have an Entity model:

class Entity(models.Model):
    name = models.TextField(max_length=200, unique=True)
    plan = models.ForeignKey(Plan, null=True, blank=True)
    is_public = models.BooleanField(default=True)
    location = models.PolygonField(srid=4326)

Now I have user A, who has access to entities belonging to plans named "foo" and "bar" that are inside the user's working area (location is within some polygon), and to all entities that are marked as public.

So I need to construct a query that is something like this to get a queryset containing only objects that the user has permission to:

Entity.objects.filter(
    Q(Q(plan__name__in=user.allowed_plans.all()) &
      Q(location__within=user.working_area)) |
    Q(is_public=True)
)

It would be simple if all attributes were on the model only, but some of my real models are really complex and need to go quite deep in the relations to find out whether the user has access to the object or not.

That's why I would actually use the standard Django authorization mechanism and there always delegate checking to the model instance, which can tell whether the user has permission to access this object or not.

5.2.2013 21:00, Nikolas Stevenson-Molnar wrote:
> If I understand correctly, that's exactly what it's for:
> https://code.osuosl.org/projects/object-permissions/wiki/Using#Checking-Perms
>
> _Nik
>
> On 2/4/2013 10:17 PM, Jani Tiainen wrote:
>> Afaik object-permission works the reverse of what I need - it adds
>> specific permissions for groups/users to a single object. But I need to
>> check (mostly through foreign keys and/or spatial relations) whether the
>> user has permission to see that data or not.

--
Jani Tiainen

- Well planned is half done and a half done has been sufficient before...

Re: Object level permissions implementation
If I understand correctly, that's exactly what it's for:
https://code.osuosl.org/projects/object-permissions/wiki/Using#Checking-Perms

_Nik

On 2/4/2013 10:17 PM, Jani Tiainen wrote:
> Afaik object-permission works the reverse of what I need - it adds
> specific permissions for groups/users to a single object. But I need to
> check (mostly through foreign keys and/or spatial relations) whether the
> user has permission to see that data or not.

Re: Object level permissions implementation
Yes, I have (a long time ago though, so the package may be much better now), but it doesn't give exactly what I need.

Afaik object-permission works the reverse of what I need - it adds specific permissions for groups/users to a single object. But I need to check (mostly through foreign keys and/or spatial relations) whether the user has permission to see that data or not.

And my bad, I forgot to add Key fk lock nulls true.

So the data model is like this:

A Building contains zero or more Apartments. A Door can belong to a building or an apartment. A Lock belongs to a door. A Key belongs to an owner and may belong to a specific lock.

So with that in mind I need to restrict data fetching according to rules like:

User X has access (key type 'PUBLIC') to locks in buildings starting with the letter 'A' and only doors of types 'CARAGE' or 'ENTRANCE'.

5.2.2013 5:53, Nikolas Stevenson-Molnar wrote:
> Have you had a look at this 3rd-party package?
> http://pypi.python.org/pypi/django-object-permissions
>
> _Nik
>
> On 2/4/2013 4:59 AM, Jani Tiainen wrote:
>> Hi all,
>>
>> I'm in need of implementing (rather complex) object level permissions.
>>
>> I have difficulties determining how to proceed.
>>
>> Let's assume that I have the following models:
>>
>> class Building(...):
>>     name = models.TextField(max_length=100)
>>
>> class Apartment(...):
>>     name = models.TextField(max_length=100)
>>     building = models.ForeignKey(Building)
>>
>> class Door(...):
>>     DOOR_TYPES = (
>>         ('CARAGE', 'Carage'),
>>         ('ENTRANCE', 'Entrance'),
>>         ('PRIVATE', 'Private'),
>>     )
>>
>>     door_type = models.TextField(max_length=100, choices=DOOR_TYPES)
>>     name = models.TextField(max_length=100)
>>     building = models.ForeignKey(Building)
>>     apartment = models.ForeignKey(Apartment, null=True, blank=True)
>>
>> class Lock(...):
>>     door = models.ForeignKey(Door)
>>
>> class Key(...):
>>     KEY_TYPES = (
>>         ('ALL_ACCESS', 'All access'),
>>         ('PRIVATE', 'Private'),
>>         ('PUBLIC', 'Public'),
>>     )
>>
>>     key_type = models.TextField(max_length=100, choices=KEY_TYPES)
>>     owner = models.ForeignKey(User)
>>     lock = models.ForeignKey(Lock)
>>
>> Now each user will have access to doors according to their key:
>> Also, a user may have a limited "public" key that allows access to public
>> places like a CARAGE or ENTRANCE door.
>>
>> Or a postman would have access to the Entrance door only, but not to
>> garage or private doors (apartments).
>>
>> So far I've figured out the following ways to do what I'm looking for:
>> 1) I could implement all rules in an authentication backend.
>> 2) Delegate actual permission checking to models.
>> 3) Something else and better.

--
Jani Tiainen

- Well planned is half done and a half done has been sufficient before...

Re: Object level permissions implementation
Have you had a look at this 3rd-party package?
http://pypi.python.org/pypi/django-object-permissions

_Nik

On 2/4/2013 4:59 AM, Jani Tiainen wrote:
> Hi all,
>
> I'm in need of implementing (rather complex) object level permissions.
>
> I have difficulties determining how to proceed.
>
> Let's assume that I have the following models:
>
> class Building(...):
>     name = models.TextField(max_length=100)
>
> class Apartment(...):
>     name = models.TextField(max_length=100)
>     building = models.ForeignKey(Building)
>
> class Door(...):
>     DOOR_TYPES = (
>         ('CARAGE', 'Carage'),
>         ('ENTRANCE', 'Entrance'),
>         ('PRIVATE', 'Private'),
>     )
>
>     door_type = models.TextField(max_length=100, choices=DOOR_TYPES)
>     name = models.TextField(max_length=100)
>     building = models.ForeignKey(Building)
>     apartment = models.ForeignKey(Apartment, null=True, blank=True)
>
> class Lock(...):
>     door = models.ForeignKey(Door)
>
> class Key(...):
>     KEY_TYPES = (
>         ('ALL_ACCESS', 'All access'),
>         ('PRIVATE', 'Private'),
>         ('PUBLIC', 'Public'),
>     )
>
>     key_type = models.TextField(max_length=100, choices=KEY_TYPES)
>     owner = models.ForeignKey(User)
>     lock = models.ForeignKey(Lock)
>
> Now each user will have access to doors according to their key:
> Also, a user may have a limited "public" key that allows access to public
> places like a CARAGE or ENTRANCE door.
>
> Or a postman would have access to the Entrance door only, but not to
> garage or private doors (apartments).
>
> So far I've figured out the following ways to do what I'm looking for:
> 1) I could implement all rules in an authentication backend.
> 2) Delegate actual permission checking to models.
> 3) Something else and better.

Object level permissions implementation
Hi all,

I'm in need of implementing (rather complex) object level permissions.

I have difficulties determining how to proceed.

Let's assume that I have the following models:

class Building(...):
    name = models.TextField(max_length=100)

class Apartment(...):
    name = models.TextField(max_length=100)
    building = models.ForeignKey(Building)

class Door(...):
    DOOR_TYPES = (
        ('CARAGE', 'Carage'),
        ('ENTRANCE', 'Entrance'),
        ('PRIVATE', 'Private'),
    )

    door_type = models.TextField(max_length=100, choices=DOOR_TYPES)
    name = models.TextField(max_length=100)
    building = models.ForeignKey(Building)
    apartment = models.ForeignKey(Apartment, null=True, blank=True)

class Lock(...):
    door = models.ForeignKey(Door)

class Key(...):
    KEY_TYPES = (
        ('ALL_ACCESS', 'All access'),
        ('PRIVATE', 'Private'),
        ('PUBLIC', 'Public'),
    )

    key_type = models.TextField(max_length=100, choices=KEY_TYPES)
    owner = models.ForeignKey(User)
    lock = models.ForeignKey(Lock)

Now each user will have access to doors according to their key:
Also, a user may have a limited "public" key that allows access to public places like a CARAGE or ENTRANCE door.

Or a postman would have access to the Entrance door only, but not to garage or private doors (apartments).

So far I've figured out the following ways to do what I'm looking for:
1) I could implement all rules in an authentication backend.
2) Delegate actual permission checking to models.
3) Something else and better.

--
Jani Tiainen

- Well planned is half done and a half done has been sufficient before...

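Added example (not code from the thread or from any poster's project): a plain-Python sketch of option 2 in the original post, where a backend with the same call shape as a Django auth backend's has_perm(user_obj, perm, obj=None) hands the decision to the object, and the list path reuses that same check. The dataclasses stand in for the thread's models; the view_lock permission name and the key rules (ALL_ACCESS opens every lock, PUBLIC opens CARAGE and ENTRANCE doors, PRIVATE opens only the lock the key is bound to) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Plain-Python stand-ins for the thread's models (constructed, no ORM).
@dataclass(frozen=True)
class Door:
    name: str
    door_type: str                      # 'CARAGE', 'ENTRANCE' or 'PRIVATE'

@dataclass(frozen=True)
class Lock:
    door: Door
    def has_perm(self, user, perm, keys):
        """The instance decides from its own relations (option 2)."""
        if perm != "view_lock":         # assumed permission name
            return False                # unknown permission: deny
        for key in (k for k in keys if k.owner == user):
            if key.key_type == "ALL_ACCESS":
                return True
            if key.key_type == "PUBLIC" and self.door.door_type in ("CARAGE", "ENTRANCE"):
                return True
            if key.key_type == "PRIVATE" and key.lock == self:
                return True
        return False                    # no matching key: deny

@dataclass(frozen=True)
class Key:
    key_type: str                       # 'ALL_ACCESS', 'PRIVATE' or 'PUBLIC'
    owner: str
    lock: Optional[Lock] = None         # nullable, as the follow-up message says

class DelegatingBackend:
    """Same call shape as a Django auth backend's has_perm()."""
    def __init__(self, keys):
        self.keys = keys                # a real model would query Key itself
    def has_perm(self, user_obj, perm, obj=None):
        if obj is None or not hasattr(obj, "has_perm"):
            return False                # fail closed when there is no object
        return obj.has_perm(user_obj, perm, self.keys)

def visible_locks(backend, user, locks):
    """List path reuses the detail check, so the two cannot drift apart."""
    return [lock for lock in locks if backend.has_perm(user, "view_lock", lock)]

# Constructed sample data.
LOCKS = [Lock(Door("front", "ENTRANCE")), Lock(Door("cars", "CARAGE")), Lock(Door("apt 1", "PRIVATE"))]
ENTRANCE, GARAGE, FLAT = LOCKS
KEYS = [Key("PUBLIC", "visitor"), Key("PRIVATE", "tenant", FLAT), Key("ALL_ACCESS", "janitor")]
BACKEND = DelegatingBackend(KEYS)
```

In a Django project the list path would normally be a queryset filter like the Q expression in the thread; whichever form it takes, it has to encode the same rule as the per-object check, or list and detail views will disagree about what a user may see.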