Opened 5 years ago

Closed 4 years ago

Last modified 3 years ago

#11010 closed (fixed)

Add a foundation for rowlevel permissions in Django

Reported by: apollo13
Owned by: jezdez
Component: contrib.auth
Version: master
Severity:
Keywords:
Cc: jezdez, contact@…, vinilios@…, apollo13, nabucosound, alexkoshelev, mpjung@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Many sites would like to use rowlevel permissions, but it's not that easy to do that with Django currently. The minimal requirement would be to add that support to the usermodel and the auth backends. This would enable us to write our own rowlevel implementations easily.

I added a patch, where the only relevant change is that the backends need to support obj as last parameter; I don't like the idea of making that optional as I prefer it consistent. Although if you prefer another option, just tell me, this patch (although working) is more or less a concept of what's needed to be done.
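
The description above asks that every backend accept obj as its last parameter. The sketch below is an added example of that dispatch, not code from the attached patches or from Django: it imports nothing from Django, and the classes ModelLikeBackend, OwnerBackend, User and Document, the permission string, and the choice to make the model-wide backend refuse object checks are all assumptions of the example.

```python
# Simplified stand-in for the dispatch the ticket proposes; no Django import.
# All class names and the permission string are hypothetical.

class Document:
    def __init__(self, title, owner_id):
        self.title, self.owner_id = title, owner_id

class ModelLikeBackend:
    """Model-wide grants only; it has no opinion about a single row."""
    def __init__(self, grants):
        self.grants = grants  # {user_id: {"app.change_document", ...}}

    def has_perm(self, user_obj, perm, obj):
        if obj is not None:
            return False  # fail closed: a table-wide grant is not a row grant
        return perm in self.grants.get(user_obj.id, set())

class OwnerBackend:
    """Row-level rule: an active user may change documents they own."""
    def has_perm(self, user_obj, perm, obj):
        if obj is None or not user_obj.is_active:
            return False
        return perm == "app.change_document" and obj.owner_id == user_obj.id

class User:
    def __init__(self, user_id, backends, is_active=True):
        self.id, self.backends, self.is_active = user_id, backends, is_active

    def has_perm(self, perm, obj=None):
        # Each backend receives obj as its last argument; any True grants.
        return any(b.has_perm(self, perm, obj) for b in self.backends)

def demo():
    backends = [ModelLikeBackend({1: {"app.change_document"}}), OwnerBackend()]
    alice, bob = User(1, backends), User(2, backends)
    doc = Document("Q3 report", owner_id=2)  # constructed sample row
    perm = "app.change_document"
    return {
        "alice_model": alice.has_perm(perm),     # model-wide grant
        "alice_row": alice.has_perm(perm, doc),  # not the owner of doc
        "bob_model": bob.has_perm(perm),         # no model-wide grant
        "bob_row": bob.has_perm(perm, doc),      # owner of doc
        "inactive_row": User(2, backends, is_active=False).has_perm(perm, doc),
    }

if __name__ == "__main__":
    print(demo())
```

Passing obj changes which backend can answer: the model-wide grant held by user 1 does not carry over to a row owned by user 2, and the hook only answers a yes/no check on one object, it does not filter querysets.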

Attachments (3)

rowlevel_permissions-r10674.diff (8.2 KB) - added by apollo13 5 years ago.
rowlevel_perms@12123_#11010.diff (16.6 KB) - added by apollo13 4 years ago.
object_permissions_r11712_#11010.diff (12.8 KB) - added by apollo13 4 years ago.

Change History (26)

Changed 5 years ago by apollo13

comment:1 Changed 5 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 5 years ago by guettli

  • Cc hv@… added

comment:3 Changed 5 years ago by jezdez

  • Cc jezdez added
  • Has patch set
  • Needs tests set

comment:4 Changed 5 years ago by jezdez

  • Needs documentation set
  • Patch needs improvement set
  • Triage Stage changed from Design decision needed to Accepted

Setting to accepted after talking to jacobian and apollo13 in #django-dev.

comment:5 follow-up: Changed 5 years ago by contact@…

I made my own row level permission system based on this patch. It's still in a very early stage, but if needed I can share my findings.

comment:6 Changed 4 years ago by anonymous

  • Cc contact@… added

comment:7 Changed 4 years ago by anonymous

  • Cc vinilios@… added

comment:8 in reply to: ↑ 5 Changed 4 years ago by apollo13

Replying to contact@roelkramer.nl:

I made my own row level permission system based on this patch. It's still in a very early stage, but if needed I can share my findings.

Hi, I am working on this patch for 1.2 and it would be nice if you could share your backend; maybe we find something else to include or improve…

comment:9 Changed 4 years ago by apollo13

  • Owner changed from nobody to apollo13

comment:10 Changed 4 years ago by apollo13

  • Cc apollo13 added

comment:11 Changed 4 years ago by nabucosound

  • Cc nabucosound added

Changed 4 years ago by apollo13

comment:12 Changed 4 years ago by apollo13

Updated the patch after talking to jacob on irc, the deprecation policy is described too. Also moved tests from doctest to unittest.

comment:13 Changed 4 years ago by alexkoshelev

  • Cc alexkoshelev added

comment:14 Changed 4 years ago by Michael P. Jung

  • Cc mpjung@… added

Changed 4 years ago by apollo13

comment:15 Changed 4 years ago by apollo13

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

nearing „ready for checkin“ after talking to jacob again I guess ;)

comment:16 Changed 4 years ago by jacob

  • Owner changed from apollo13 to jacob
  • Status changed from new to assigned
  • Triage Stage changed from Accepted to Ready for checkin

comment:17 Changed 4 years ago by xonatius

What about the anonymous user? Does it still return False on has_perm?

comment:18 Changed 4 years ago by jezdez

  • Owner changed from jacob to jezdez
  • Status changed from assigned to new

Taking this ticket in preparation for sprint.

comment:19 Changed 4 years ago by jezdez

  • Resolution set to fixed
  • Status changed from new to closed

(In [11807]) Fixed #11010 - Add a foundation for object permissions to authentication backends. Thanks to Florian Apolloner for writing the initial patch.

comment:20 Changed 4 years ago by orokusaki

Will this be what's needed for security only (i.e., block people without permissions to see some object), or will it help people who are developing SAAS with an Account model who have been going SomeModel.objects.filter(account=request.account)? Or, will this only work with the built-in Auth system?

comment:21 Changed 4 years ago by apollo13

This ticket is closed and trac isn't for discussion, plz redirect your question to the appropriate mailing list

comment:22 Changed 3 years ago by guettli

  • Cc hv@… removed

comment:23 Changed 3 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted
