Opened 5 years ago
Last modified 5 years ago
#31093 closed New feature
Extend permission backend with get_queryset(user, model) — at Initial Version
Reported by: | James Pic | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Permissions on objects are based on two mechanisms that developers have to implement:
- filtering a queryset based on a user object and eventually a permission name
- returning if a user has a permission on an object instance
Currently, permission backend allows developers to implement the first mechanism: you can allow a specific permission on an object with the permission backend.
This works extremely well even for complex use cases: you get an model object, a user, a permission name and you can return True.
Exemple:
def has_perm(self, user_obj, perm, obj=None): if not user_obj.is_authenticated or not isinstance(obj, MRSRequest): return False return ( user_obj.profile == 'admin' or obj.caisse in user_obj.caisses.all() )
However, permission framework does not include a the first security feature mentioned: getting a filtered queryset with objects a user should be able to see, eventually for a given permission. Such implementation could look like:
def filter_queryset(self, user_obj, perm, queryset=None): if not queryset.model == MRSRequest: return queryset if not user_obj.is_authenticated: return queryset.none() return queryset.filter(caisse__in=user_obj.caisses.all())
The admin views could use this, and django.contrib.auth could provide generic views extensions which do check permissions.