== Row-level permissions model == The row-level permissions system uses generic relations to decrease the number of tables to only one. The generic relations allow us to create row-level permissions with any instance of any model and connect it to an "owner" object. To allow more freedom, the owner object is also a generic relation. This means that you can use your own models as an owner of a row-level permission. The actual model code is below: {{{ #!python class RowLevelPermission(models.Model): model_id = models.PositiveIntegerField("'Type' ID") model_ct = models.ForeignKey(ContentType, verbose_name="'Type' content model", related_name="model_ct") owner_id = models.PositiveIntegerField("'Owner' ID") owner_ct = models.ForeignKey(ContentType, verbose_name="'Owner' content model", related_name="owner_ct") negative = models.BooleanField() permission = models.ForeignKey(Permission) model = models.GenericForeignKey(fk_field='model_id', ct_field='model_ct') owner = models.GenericForeignKey(fk_field='owner_id', ct_field='owner_ct') objects = RowLevelPermissionManager() class Meta: verbose_name = _('row level permission') verbose_name_plural = _('row level permissions') unique_together = (('model_ct', 'model_id', 'owner_id', 'owner_ct', 'permission'),) }}} This does not modify the current permissions table at all, and can be layered on top of it if the developer wishes to but it can be ignored easily. == How row permissions are enabled == Row permissions are enabled using the meta class, please see RowLevelPermissions for more information on how to enable them. How this is done is in django.db.models.base.ModelBase under {{{__new__}}} is the following snippet: {{{ #!python if getattr(new_class._meta, 'row_level_permissions', None): from django.contrib.auth.models import RowLevelPermission gen_rel = django.db.models.GenericRelation(RowLevelPermission, object_id_field="model_id", content_model_field="model_ct") new_class.add_to_class("row_level_permissions", gen_rel) }}} {{{django.db.models.options.Options}}} has been modified to set {{{row_level_permissions}}} as disabled by default. == Owner objects == Currently, you can set up an owner by including the following relation: {{{ #!python row_level_permissions_owned = models.GenericRelation(RowLevelPermission, object_id_field="owner_id", content_model_field="owner_ct", related_name="owner") }}} I might be changing this around in the near future, but I only expect it to be used a few times, and I don't see a large need to make this a similiar process to the enabling of row-level permissions on objects. Please give feedback if you think otherwise. == Checking of row-level permissions == Checking of RLP are done in the following order: User RLP->Group RLP->User Model Level->Group Model Level. Stopping at the first positive or negative. The {{{has_perm()}}} method has been modified to now check for row-level permissions and has an optional parameter for a model instance, which is required to check row-level permissions. {{{ #!python def has_perm(self, perm, object=None): "Returns True if the user has the specified permission." if not self.is_active: return False if self.is_superuser: return True if object and object._meta.row_level_permissions: row_level_permission = self.check_row_level_permission(perm, object) if row_level_permission is not None: return row_level_permission return perm in self.get_all_permissions() }}} The check_row_level_permission checks the user RLPs first and then checks the group RLPs. The user RLPs are determined by using a filter method. The group RLP uses an SQL query that works out to be: {{{ #!sql SELECT rlp."negative" FROM "auth_user_groups" ug, "auth_rowlevelpermission" rlp WHERE rlp."owner_id"=ug."group_id" AND ug."user_id"=%s AND rlp."owner_ct_id"=%s AND rlp."model_id"=%s AND rlp."model_ct_id"=%s AND rlp."permission_id"=%s; }}} == Integration into administration application == Being worked on. Will post when it is complete or near enough to have a better idea. == Test cases of row-level permissions == === API === || '''Test Case''' || '''Status'''|| ||Creating RLP using manager's create method||Pass|| ||Creating RLP using manager's default permission create method||Pass|| ||Creating RLP using init method||Pass|| ||Loading RLPs from object||Pass|| ||Loading RLPs from owner(user)||Pass|| ||Loading RLPs from owner(group)||Pass|| ||Deleting RLP||Pass|| ||Checking of Permissions(will expand on)||Pass|| ||Duplicate RLPs(causes error)||Pass|| ||Enabling RLPs||-|| === Admin === || '''Test Case''''''Status'''|| ||Creating RLP||-|| ||Creating RLP w/ wrong permissions||-|| ||Deleting RLP||-|| ||Editing RLP||-|| ||Duplicate RLPs by creating duplicate||-|| ||Duplicate RLPs by editing||-||