id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 31093 Extend permission backend with get_queryset(user, model) James Pic nobody "Permissions on objects are based on two mechanisms that developers have to implement: - returning if a user has a permission on an object instance - filtering a queryset based on a user object and eventually a permission name Currently, permission backend allows developers to implement the first mechanism: you can allow a specific permission on an object with the permission backend. This works extremely well even for complex use cases: you get an model object, a user, a permission name and you can return True. Exemple: {{{ def has_perm(self, user_obj, perm, obj=None): if not user_obj.is_authenticated or not isinstance(obj, SomeModel): return False return user_obj.is_superuser or obj.related_model_fk in user_obj.related_model_m2m.all() }}} However, permission framework should also allow developers to implement the second security mechanism: getting a filtered queryset with objects a user should be able to see, eventually for a given permission. Such implementation could look like: {{{ def filter_queryset(self, user_obj, perm, queryset=None): if not queryset.model == SomeModel: return queryset if not user_obj.is_authenticated: return queryset.none() return queryset.filter(related_model_fk__in=user_obj.related_model_m2m.all()) }}} The admin views could use this, and django.contrib.auth could provide generic views extensions which do check permissions, removing the need to share a mixin that just does return a Mixin with a get_queryset method to complement the code that they have in the permission backend. It would reduce chances to make a mistake when updating permission code if it's all at the same place, an opinion that I consider suited for a framework like Django." New feature new contrib.auth 3.0 Normal Unreviewed 0 0 0 0 0 0