Tag "permissions"

22 snippets

Snippet List

AdminPeepingMiddleware

Peeping middleware that replaces the active user with another one for the current HTTP request. Admin permissions are required to activate it, so you can place this snippet even on the production server. Very useful for debugging purposes. Wish it to be part of Django.

How to use: Put this middleware after all other middlewares in the list. Then just add ?as_user=username or &as_user=username to the URL, where username is the name of the user whose views you want to see.

  • middleware
  • admin
  • view
  • permissions
  • peep

Generic CBV Permissions Helper

A permission helper that can be included in any generic CBV. It uses the model attribute of the class to load all the permissions and tests that a user can perform that action before dispatching the view.

  • permissions

CBV decorator from view function decorator

The Mixin approach for applying permissions to CBV views suffers from 3 issues:

1. you need to read the code to see what permissions are being applied to a View
2. multiple bits of disparate code required to specify, e.g., a simple permission check
3. permissions set on a base class are overridden by permission set on sub-class, unless special care is taken

Here's a nice trick, using only built-in django machinery: apply a decorator intended to decorate a django view function to a CBV view. https://docs.djangoproject.com/en/1.11/topics/class-based-views/intro/#decorating-the-class

This approach works for any function decorators with arguments - simply wrap it in a function that takes the same arguments:

    from django.utils.decorators import method_decorator

    def my_cbv_decorator(*args, **kwargs):
        # Wrap the view-function decorator so it applies to the CBV's dispatch method
        return method_decorator(a_view_function_decorator(*args, **kwargs), name='dispatch')

Use your new CBV decorator to decorate View sub-classes:

    @my_cbv_decorator('some_parameter')
    class MyCBView(django.views.generic.TemplateView):
        pass  # dispatch method for this view is now wrapped by a_view_function_decorator

Note: you can also pass decorator parameter directly to method_decorator, but wrapping it up like this makes the code read nicer.

  • view
  • decorator
  • permissions
  • cbv

Mixin to enable admin permissions without using PermissionsMixin and models

Implements the necessary permission checks on a user model to be compatible with django admin, but just returns true on all permissions without actually checking it against anything. Useful when you have a user model that should always be allowed to use django admin, and you don't care about using django's own PermissionsMixin and don't want to have those models added to your database.

  • admin
  • mixin
  • permissions

FieldLevelPermissionsAdmin

Have you ever needed to customize permissions, for example, allow only some fields for editing by some group of users, display some fields as read-only, and some to hide completely? FieldLevelPermissionsAdmin class does this for newforms-admin branch. Not tested well yet (>100 LOC!). You typically would like to use it this way:

    from django.db.models import Q

    class MyObjectAdmin(FieldLevelPermissionsAdmin):
        def can_view_field(self, request, object, field_name):
            """
            Boolean method, returning True if user allowed to view
            field with name field_name. user is stored in the request object,
            object is None only if object does not exist yet
            """
            # ...your code...

        def can_change_field(self, request, object, field_name):
            """
            Boolean method, returning True if user allowed to change
            field with name field_name. user is stored in the request object,
            object is None only if object does not exist yet
            """
            # ...your code...

        def queryset(self, request):
            """
            Method of ModelAdmin, override it if you want to change
            list of objects visible by the current user.
            """
            mgr = self.model._default_manager
            if request.user.is_superuser:
                return mgr.all()
            # Non-superusers only see objects they created or own
            filters = Q(creator=request.user) | Q(owner=request.user)
            return mgr.filter(filters)

  • newforms
  • admin
  • field
  • permissions
  • workflow
  • customize
  • customization
  • field-level
  • row

Row-Level, URL-based permissions for FlatPages

I'm using Django's FlatPages, but I want to be able to restrict admin access to Users based on a FlatPage url. For example, User John Doe should be able to edit any FlatPage objects whose URL begins with `/johndoe/` (such as `/johndoe/about/` or `/johndoe/projects/whatever/`). For this to work, John Doe would already need the appropriate admin permissions for FlatPage (such as can_add and can_change). I have set this up as a separate *flatpage_addons* app. It consists of the **Permission** model, which maps a starting URL to one or more django Users. It consists of the minimal necessary admin code so Permissions can be created using the admin. The bulk of this code consists of the *ifhasflatpagepermission* template tag as well as the *flatpage_result_list* inclusion tag. The former works much like django's existing *if*, *else*, *endif* tags while the latter is modified from the django admin's *result_list* inclusion tag. This may not be the most elegant solution to my problem, but so far it works for me. Any comments or suggestions are welcome!

  • urls
  • url
  • permission
  • permissions
  • flatpage
  • flatpages

Group permissions selection in admin filtered by your app models

Sometimes you just don't want to display every permission django has, you just want a short list showing the permissions for some of your apps (or even django core apps). GROUP_PERMISSIONS_MODELS must be a list of your app models. Dotted path (in lowercase) required, app name + model *class* name.

  • admin
  • group
  • permissions

Generic views with row-level permission handling

These generic views extend default views so that they also do permission checking on per-object basis.

  • detail, update and delete - check access for user
  • create - create permissions for user on object
  • list - narrow object list with permissions

Classes prefixed with Owned are example implementation where user has access to object if designed object attribute references him.

Example: `create_article = OwnedCreateView.as_view(owner='creator', model=Article, form_class=ArticleForm, success_url='/articles/article/%(id)d')`

  • generic-views
  • permissions

Update ContentTypes and Permissions without syncdb

[See blog post](http://paltman.com/2008/04/11/keeping-contenttypes-and-permissions-updated-without-syncdb/) You can put this script in the root of your project and run after deploying updates in your production environment.

  • sql
  • permissions
  • deploy
  • contenttypes

Class based generic views that automatically check permissions

Simple wrappers around the new class-based generic views (introduced in Django 1.3) that also check permissions.

**Example Usage** *(views.py)*:

    from mymodule import RestrictedListView, RestrictedUpdateView

    class MyListView(RestrictedListView):
        model = MyModel

    class MyUpdateView(RestrictedUpdateView):
        model = MyModel

and so on for Create and Delete.

  • generic-views
  • permissions
  • class-based