-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add generic ModelPermissionTester
based on PagePermissionTester
#10578
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Manage this branch in SquashTest this branch here: https://laymonagegeneric-tester-4njs4.squash.io |
laymonage
force-pushed
the
generic-tester
branch
5 times, most recently
from
July 20, 2023 10:01
087b75a
to
6ce4339
Compare
5 tasks
laymonage
force-pushed
the
generic-tester
branch
from
August 4, 2023 13:35
6ce4339
to
697468e
Compare
laymonage
force-pushed
the
generic-tester
branch
2 times, most recently
from
November 16, 2023 15:21
5762109
to
8a718a7
Compare
laymonage
force-pushed
the
generic-tester
branch
from
February 19, 2024 16:01
8a718a7
to
15b5d32
Compare
…missionPolicy and ModelPermissionPolicy
…() and can_unpublish()
This allows PagePermissionTester to use most of the base can_edit logic. This is also useful if we might want to e.g. extract OwnershipMixin from the Page model in the future
… message for snippets
…ng ModelPermissionTester
This was referenced May 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Our recent discoveries seem to suggest that we won't get rid of
PagePermissionTester
. If that's the case, it's likely that we want to use the same approach for non-page models.This PR adds a generic
ModelPermissionTester
that works likePagePermissionTester
, which does permission checks that also take into account the current circumstances of the object (e.g. workflows, lock state, etc.) and not just thePermission
s.Marking as draft since I'm still not convinced of the approach. A few thoughts:
PagePermissionTester
, which now in turn relies onPagePermissionPolicy
.PagePermissionTester
is used for permission checks both at the beginning of a view (e.g.raise PermissionDenied
at the start ofdispatch()
if the permissions do not satisfy) and for "action"-specific checks for the object, e.g. whether the user can lock, unschedule, etc. which may or may not map directly to aPermission
.ModelPermissionPolicy
viaPermissionCheckedMixin
. This combo basically only checks whether the user has the specified permission codename for the model, without taking into account the object's circumstances.PermissionCheckedMixin
to have separateuser_has_permission()
method in 0f0ecb4. Then, it is overridden inCreateEditViewOptionalFeaturesMixin
to allow similar logic fromPagePermissionTester
to short-circuit/build upon the checks done by the permission policy:wagtail/wagtail/admin/views/generic/mixins.py
Lines 269 to 304 in 61f0f4d
ModelPermissionTester
, where and how does it fit intoPermissionCheckedMixin
(or any other view class)? Also, note thatPermissionCheckedMixin
rely on strings that map directly to thePermission
's action part of the codename (e.g.permission_required = "change"
, while{Foo}PermissionTester
relies on the method names, e.g.can_edit()
.{Foo}PermissionTester
fit in the grand scheme of things, now that we have permission policies for all Wagtail-managed models? IsPermissionTester
really the name we want to call this kind of classes?{Foo}PermissionTester
currently accept the user and the object instance in the__init__
. I encountered a problem with the "create" view, whereself.object
isNone
, so the permission tester can't work properly.PagePermissionTester
instance is created using the parent page, and then a method liketester.can_add_subpage()
is used.None
as the object).self.permission_policy.model
(or the policy can also supply it during instantiation). This can be used for fallback logic when the object isNone
.{Foo}PermissionTester
to work withNone
as the object seems like an anti-pattern. Perhaps the view should decide to use the plain policy whenself.object
isNone
, and use the tester when theself.object
is available? But this means that the object needs to be fetched first... maybe just separate the logic/check based on what the view is (create vs. edit)?Page
has apermissions_for_user()
method that returns thePagePermissionTester
object for the page and user, which is convenient. We can't do the same for non-page models (unless we patch the method to the model, which seems hacky). UsingModelPermissionTester(user, object)
works though, and I'd say it isn't so bad.Please check the following:
make lint
from the Wagtail root.Please describe additional details for testing this change.
Footnotes
Development Testing ↩
Browser and device support ↩
Accessibility Target ↩