ansaurus

Question

Answer 1

+4 A:

Django already has a groups and permissions system, which may be sufficient for your purpose.

http://docs.djangoproject.com/en/dev/topics/auth/

Generally in your code you check if a user has a permission. A user has his own permissions and those of the groups he belongs to. You can administer this pretty easily from the admin console.

There are two parts you need to look at.

Check that a user requesting a page has permission to do so.
Only display links to the user if he has the permission.

For 1. you can check permissions in a decorator as such:

from django.contrib.auth.decorators import user_passes_test

@user_passes_test(lambda u: u.has_perm('polls.can_vote'))
def some_view(request):

For 2. the currently logged-in user's permissions are stored in the template variable {{ perms }}. This code checks the same permission as above.

{% if perms.polls.can_vote %}
    <a href="/vote">vote</a>
{% endif %}

To generate a list of links you can iterate over user.get_all_permissions() and fetch the links (or function that generates the link) from a dict:

def more_elaborate_list_of_links_for_a_perm(user):
    return ["/link1", ...]

_LINKS = {
        'polls.can_vote' : lambda u: ["/user/specific/link/" + u.id],
        'polls.can_close': lambda u: ['/static/link/1', 'static/link/2'],
        'polls.can_open' : more_elaborate_list_of_links_for_a_perm
    }

def gen_links(user):
    userlinks = []
    perms = user.get_all_permissions()
    #get_all_permissions also gets permissions for users groups
    for p in perms:
        if _LINKS.has_key(p):
            userlinks.extend(_LINKS[p](user))

    return userlinks

There are probably many other approaches.

mbarkhau 2009-10-10 01:00:28

How would you generate a list of links to provide a user using django's built-in permissions system?

slypete 2009-10-10 01:14:09

For the record, I did not select this answer as the best. I don't think it is.

slypete 2009-11-03 08:48:34

Answer 2

A:

If you don't need real per-object ACLs, then you can just use the Django permission system. To get a list of all available permissions:

from django.contrib.auth.models import Permission
perms = Permission.objects.all()

There is an API for other authentication and authorization sources, so you do not need to stick with this permissions table.

You may hack this Django system to fit your needs in terms of this authorization model (RBAC) or you may come up with an ACL-like solution.

Andrey Vlasovskikh 2009-10-10 02:04:00

any hint for a per-object acl ?

gpilotino 2009-11-02 12:54:07

Answer 3

+3 A:

We had a similar problem. Django's groups aren't REALLY suited to this, but you can shoehorn them in.

The way we did it was as follows:

Every access-controlled object has a ManyToMany relation to the groups table. Each group was used to define a specific type of permission ("can view patient basics", "can edit patient contact info", and so on). Users are added to the groups that they should have permissions for (in your example of seeing only patients in this hospital, you could have a "valley-view-hospital" group).

Then when you go to display a list of records to a user, you filter based on the conjunction of the two groups. A user has to have all the associated group permissions to view a given object.

If your system requires it, you can keep a separate ManyToMany of negative permissions, or separate read/write permissions. You could also define a set of meta-groups (doctor, nurse) that result in your lookup filter retrieving the actual subset of permissions.

As far as your link-bar problem goes, you can generate those programatically using the same system - filter based on the classes of objects the user can see or edit, and then use a get_absolute_url() type function (maybe call it get_index_url()) to return the links for the index of each class of object.

Because all this is fairly complex, you'll probably end up wanting to do some level of caching for these things, but get it working before you bother optimizing. It is possible, and it's less ugly in code than it is in words.

Paul McMillan 2009-10-29 06:01:03

Answer 4

+1 A:

I had a similar problem not too long ago. Our solution did the trick, though it might be too simple for your situation. Like everyone is suggesting, we used the django permission system to control what user interactions with models. However, we didn't just try to group users, we also grouped objects through a GenericForeignKey.

We built a model that linked to itself to allow for hierarchies to be developed.

class Group( models.Model ):
    name = models.CharField( ... )
    parent = models.ForeignKey( 'self', blank=True, null=True)
    content_type = models.ForeignKey( ContentType )
    object_id = models.PositiveIntegerField()
    content_object = generic.GenericForeignKey( 'content_type', 'object_id' )
    ...

To make it work, we also created a model to serve as the django User model's user profile. All it contained was a ManyToManyField linked to the Group model above. This allowed us to give users access to zero or more Groups as required. (documentation)

class UserProfile( models.Model ):
    user = models.ForeignKey( User, unique=True )
    groups = models.ManyToManyField( Group )
    ...

This gave us the best of both worlds and kept us from trying to shoehorn everything into django's permission system. I'm using this basic setup to control user's access to sports content (some users can access whole leagues, some only one or two conferences, some only have access to individual teams), and it works well in that situation. It could probably be a generalized enough to fit your needs.

Thomas 2009-10-30 04:23:28

Answer 5

A:

On a site for an expert on Pinot Noir wine we created per-object access based on a number of different criteria. If the inbound link had a referer field that matched the domain name of a featured winery, then the user got a 'winery token' which expanded to all articles, tasting notes, etc. related to that winery. We use 'named tokens' for give aways at tasting events and they gave access to specific parts of the site. We even use this to grant certain types of permissions to search engine spiders and then make sure that links that come from those search engines have the same permissions as the spider did (ie. no cloaking games).

The short version is that you can create a class (we called them TokenBuckets which hold Tokens) and each object (on a detail page, or a list page, or whatever) can ask the user's TokenBucket if a certain level of access is allowed.

Basically it's a weird kind of ACL system. It wasn't that hard to create the mechanics. All of the magic is in determining under what circumstances which tokens go into the bucket.

Peter Rowell 2009-10-30 04:37:54

Answer 6

A:

We used a role base system for a similar problem. Basically users have permissions to assume different roles.

View functions got decorated:

def needs_capability(capability,redirect_to="/cms/"):
   def view_func_wrapper(view_func):
       def wrapped_view_func(request,*args,**kwargs):
           if not request.role._can(capability):
              return HttpResponseRedirect(redirect_to)
           return view_func(request,*args,**kwargs)
       return wrapped_view_func
   return view_func_wrapper

The rest of the magic is inside the request.role attribute which got set inside a context processor. Authenticated users got a Role, for the unwashed masses a DummyRole.

Access to information was restricted further inside the templates:

 {% if not request.role.can.view_all_products %}
          Lots of products, yeah!
 {% endif %}

Not the cleanest solution in my opinion, but worked as expected.

phoku 2009-11-02 12:43:57

Answer 7

+2 A:

Hi

Theres a new very interesting project about role based permissions in django

http://nomadblue.com/projects/django-rbac/

hope you like it

jujule 2009-11-02 16:39:19

ansaurus

tags:

views:

answers:

Django role based views?

related questions