Django permissions

Asked 25/1, 2012 at 13:52 Answered 3/12, 2013 at 19:31

django django-models django-admin django-permissions

I would love to have more granular permission in my Django project, but can't decide what app to use. What I have is something like:

class Item(models.Model):
    name = models.CharField(max_length=64, unique=True)
    description = models.CharField(max_length=128, default='')
    logo = ImageField(upload_to=/tmp, blank=True, null=True)

Now with Django standard permissions I have the possibility to choose between add, change and delete, what I want to have is an extended change permission, to offer the ability to give group rights only to change the logo for example, but disallow that same group to modify the item description. I don't want or need a user to entry relation, but simply give the possibility to different groups to edit single fields of a model using the standard admin interface. I'm even not sure if I am talking about per-object permission?

Does anyone know what's best to use or how I would implement it myself? I could also imagine to have read-only users who can access/read everything but won't be able to modify, this isn't possible neither.

Thanks for any help.

Philipp answered 25/1, 2012 at 13:52 Comment(2)

No, these aren't object-level permissions. Short answer: might be doable, but it's a lot of code. Long answer: You can't do what you're describing in a vanilla django admin. One approach would be to hook up separate ModelAdmins with the relevant fields enabled to separate AdminSite instances. I think you'll likely have to subclass AdminSite to have it check against your groups, and hard-code the permissions that each group has - django's built-in permissions don't have a concept of allowed/disallowed fields. – Coexist 25/1, 2012 at 14:9

Thank you very much for the expected answer and confirmation. I will look forward to implement separate AdminSite sub-classes to achieve my task. – Philipp 25/1, 2012 at 14:18

The most flexible but way would be to:

write some custom permissions (i.e. can_modify_descr)
write yur own Forms or ModelForms
write Views to render your specified forms.
finally you'd have to override some django admin templates and render your Forms in templates that extend some standard django admin templates.

As far as I can see this is the only way to achieve what you want, but also requires a lot of work.

Monotheism answered 25/1, 2012 at 14:13 Comment(1)

Thanks, you can do it also the way described by AdamKG. This way is much easier, as you don't have custom views and corresponding templates. – Philipp 25/1, 2012 at 14:20

One simple way to achieve that is to create many ModelAdmin for the same model (one for each "group"). To do that you need to create one Proxy Models for each "group" like this:

models.py

class Item(models.Model):
    name = models.CharField(max_length=64, unique=True)
    description = models.CharField(max_length=128, default='')
    logo = ImageField(upload_to=/tmp, blank=True, null=True)

class ItemGroup1(Item):
    class Meta:
        proxy = True

admin.py

class ItemAdmin(models.ModelAdmin):
    ...

class ItemGroup1Admin(models.ModelAdmin):
    readonly_fields = ('logo', 'description')

And then you just need to set the permissions of group 1 to only have access to ItemGroup1, etc.

See this post for more info: Using Proxy Models to Customize the Django Admin

Hollis answered 25/1, 2012 at 17:44 Comment(0)

If you want to handle this sort of thing beyond your admin site, take a look at django-logical-rules, where you can write your rules in python and access them from views or within a template;

Nadanadab answered 3/12, 2013 at 19:31 Comment(0)

Recommended topics

Hot tags