Object Permission in Django

django

django 自己提供的 permission 系統是 "model permission"
那些 add, change, delete 的權限是認 model(也就是該 model 下的所有 objects)
因為這個 permission 系統是用在 admin 裡面的

如果要用 "object permission"
可以用 django-guardian
針對每個 object 設定不同的權限

ref:
https://docs.djangoproject.com/en/dev/topics/auth/default/#permissions-and-authorization
http://www.cnblogs.com/esperyong/archive/2012/12/20/2826690.html

django-guardian

如果是 superuser
對所有 permission 的 has_perm() 都會是 True

class Label(models.Model):
    """
    廠牌
    """

    user = models.ForeignKey(User, related_name='labels')
    name = models.CharField(_(u'name'), max_length=100)

    class Meta:
        verbose_name = pgettext_lazy(u'DPS model name', u'label')
        verbose_name_plural = pgettext_lazy(u'DPS model name', u'labels')
        permissions = (
            ('view_label', 'View label'),
        )

django 默認會幫每個 model 建立三種 permission(所謂的 codename)

  • add_modelname
  • change_modelname
  • delete_modelname
# permission format: app_label.codename
user.has_perm('sites.change_site')  # by django
user.has_perm('sites.change_site', site)  # by django-guadian

每個 model object 被建立之後是沒有 object permission 的

要手動建立
通常會透過 signal 的方式去做

from django.db.models.signals import post_save
from django.dispatch import receiver

from guardian.shortcuts import assign_perm

@receiver(post_save, sender=Label)
def create_label_permission(instance, **kwargs):
    if not kwargs['created']:
        return

    label = instance

    assign_perm('view_label', label.user, label)
    assign_perm('change_label', label.user, label)

get objects by permission

from guardian.shortcuts import get_objects_for_user

labels = get_objects_for_user(request.user, 'dps.view_label')

ref:
https://github.com/lukaszb/django-guardian
http://django-guardian.readthedocs.org/