I'm using a ManyToManyField for an access_list on my site:

```python
from django.contrib.auth.models import User
from django.db import models


class Projects(models.Model):
    access_list = models.ManyToManyField(User)
```

and in my Views.py I'm saving the user who's created the Project into the access_list, then I display the users in the access_list on the access_update.html page, where a user may add in another name to submit to the access_list, allowing more collaborators. There's also a Remove User button so you can remove users from the access_list.

My big concern though is that right now, if a user is on the access_list, they could go in and remove the original creator from the access_list and deny them access to the project.

I wanted to have a created_by = models.ForeignKey(User) as backup, so that my permission would be based on created_by OR access_list, but trying to have a ForeignKey(User) and a ManyToManyField(User) won't validate on the model.

Is there a better way to keep the user who's created the project from being booted off the list, while still allowing users to have the ability to cull their collaborators list?

Jason B

1 Answer

You can put a related_name on your field and it should validate:

```python
access_list = models.ManyToManyField(User, related_name='user_access_list')
```

dan-klasson
  • My ManyToManyField validates now, that setup works, the problem is more that any user in the ManyToManyField can remove any other user from the ManyToManyField, including themselves, and that's what I'd like to prevent. A `created_by = models.ForeignKey(User)` would help because I could set permission to access_list *or* created_by, but I can't have a ForeignKey(User) and a ManyToManyField(User) in the same model. – Jason B Aug 08 '13 at 17:25
  • So what you would like is to hide `access_list` on the change view and stop them from saving to it on the model? – dan-klasson Aug 08 '13 at 17:31
  • I'd like people who are in the access_list to be able to add or remove users from the access_list, but I want protection for the person who originally created the project so a nefarious person on the access_list can't remove everyone from said access_list and disable the entire project. Right now if you create a new project, you're saved into the access_list, and you can add other users to it. But another user on that list might remove the original user. I'd like some kind of way to prevent that. – Jason B Aug 08 '13 at 17:42
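
One way to enforce the rule discussed in this thread, as an added example that is not code from the question or the answer: access is `created_by` OR `access_list`, and the removal path refuses to drop the creator. The `Project` dataclass is a plain-Python stand-in for the Django model, and the function names, the `AccessDenied` exception and the string user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when an access_list change is not permitted."""


@dataclass
class Project:
    # Stand-in for the Django model (assumption): created_by would be a
    # ForeignKey(User) and access_list a ManyToManyField(User), each given its
    # own related_name so the reverse accessors on User do not clash.
    created_by: str
    access_list: set = field(default_factory=set)

    def __post_init__(self):
        self.access_list.add(self.created_by)  # creator starts on the list


def can_access(project, user):
    # Permission is created_by OR access_list, so the creator keeps access
    # even if the list were emptied through some other code path.
    return user == project.created_by or user in project.access_list


def add_collaborator(project, actor, target):
    if not can_access(project, actor):
        raise AccessDenied(f"{actor} is not on this project")
    project.access_list.add(target)


def remove_collaborator(project, actor, target):
    # Enforce this in the view that handles the Remove User button; hiding the
    # button in access_update.html does not protect the creator by itself.
    if not can_access(project, actor):
        raise AccessDenied(f"{actor} is not on this project")
    if target == project.created_by:
        raise AccessDenied("the project creator cannot be removed")
    project.access_list.discard(target)
```

In a Django view the same two checks would run before calling `project.access_list.remove(target)`, with the denial returned as an HTTP 403.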