Version 39 (modified by 15 years ago) ( diff ) | ,
---|
A couple years ago, a branch in Django's repository was created to explore implementing finer-grained permissions (at the level of individual objects, rather than at the level of model classes). That branch is long since dead; it has not seen a commit in over two years, and likely will never be updated or integrated into Django in any meaningful way.
If you need finer-grained permissions in your own applications, it should be noted that Django's administrative application supports this, via the following methods which can be overridden on subclasses of ModelAdmin
. Note that all of these methods receive the current HttpRequest
object as an argument, allowing for customization based on the specific authenticated user:
queryset(self, request)
: Should return aQuerySet
for use in the admin's list of objects for a model. Objects not present in thisQuerySet
will not be shown.has_add_permission(self, request)
: Should returnTrue
if adding an object is permitted,False
otherwise.has_change_permission(self, request, obj=None
): Should returnTrue
if editingobj
is permitted,False
otherwise. Ifobj
isNone
, should returnTrue
orFalse
to indicate whether editing of objects of this type is permitted in general (e.g., ifFalse
will be interpreted as meaning that the current user is not permitted to edit any object of this type).has_delete_permission(self, request, obj=None
): Should returnTrue
if deletingobj
is permitted,False
otherwise. Ifobj
isNone
, should returnTrue
orFalse
to indicate whether deleting objects of this type is permitted in general (e.g., ifFalse
will be interpreted as meaning that the current user is not permitted to delete any object of this type).
For public-facing (i.e., non-admin) views, you are of course free to implement whatever form of permission-checking logic your application requires.