Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Per-actions Permissions. #5

Open
carltongibson opened this issue Feb 27, 2023 · 7 comments
Open

Per-actions Permissions. #5

carltongibson opened this issue Feb 27, 2023 · 7 comments
Assignees
@carltongibson

Comments

@carltongibson
Copy link
Owner

Scenario:

  • Public access to List and Detail views.
  • Restricted access to edit views.

Needs a hook into ModelView.get_urls() since parsing the end-list to wrap the view callbacks isn't fun.
But the most vanilla approach is to wrap the view, rather than add a DRF-style check_permissions() hook on the view class itself.
@carltongibson
Copy link
Owner Author

carltongibson commented Feb 27, 2023
edited

Decorators take various kwargs.

        staff_member_required(..., login_url="/", redirect_field_name=None),

🔨: Using partial when defining a map?

@carltongibson carltongibson self-assigned this Feb 27, 2023
@tissieres
Copy link

Hello Carlton,
This is a functionality that I need for my current project. I was planning to implement something that relies on the built-in model permissions. Do you prefer something more generic using decorators? Maybe I could propose a PR, but I will need your guidance on how to do that first 😉

@carltongibson
Copy link
Owner Author

Hi @tissieres.

I'm still working on the details of the desired API here.

Normally I'd be very grateful for input but I do want to handle this one myself.

A first pass would be to implement a check_permissions and call that at the appropriate place in the view.

We're still at the early stage here so there's no wrong answers yet.

I know that's not very specific but I hope it helps.

@tissieres
Copy link

No problem. I will test some approaches on my side and if I find something really elegant, I'll come back to you. Thanks for neapolitan, fun project!

@carltongibson
Copy link
Owner Author

Thanks! Let me know what you come up with!

@tissieres
Copy link

That was simple finally:

    @classonlymethod
    def get_urls(cls):
        verbose_name = cls.model._meta.model_name
        app_label = cls.model._meta.app_label
        urlpatterns = [
            path(
                f"{verbose_name}/",
                permission_required(f"{app_label}.view_{verbose_name}")(
                    cls.as_view(role=Role.LIST)
                ),
                name=f"{verbose_name}-list",
            ),
            path(
                f"{verbose_name}/new/",
                permission_required(f"{app_label}.add_{verbose_name}")(
                    cls.as_view(role=Role.CREATE)
                ),
                name=f"{verbose_name}-create",
            ),
...

I also added a check of the permissions in the object_list template tag to restrict the actions and in the object_list.html template to remove the "add button" depending on them.

@carltongibson
Copy link
Owner Author

Yes, wrapping the view callbacks in get_urls() is a very good way to go!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@carltongibson carltongibson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@carltongibson @tissieres