I have a menu in my application (django-console menu) and I would like to restrict access to its elements (and also don't show the models) but Reports for regular users. If a user is a superuser, let him see everything (Users, Inventory ... see settings.py). How can I do this?

# admin.py

...
class UserAdmin(admin.ModelAdmin):
    list_display = (
        'user',
    )


class PaymentAdmin(admin.ModelAdmin):
    list_display = (
        'user',
    )

    pass

...

admin.site.unregister(User)
admin.site.register(Message, MessageAdmin)
admin.site.register(Country, CountryAdmin)
admin.site.register(Payment, PaymentAdmin)
admin.site.register(Server, ServerAdmin)
admin.site.register(User, CustomUserAdmin)
admin.site.register(Package, PackageAdmin)
admin.site.register(PackageRoute, PackageRouteAdmin)

And here is a relevant part of models.py:

# models.py

...
class Message(models.Model):
    class Meta:
        app_label = 'myprox'

    date_created = models.DateTimeField(null=False, default=datetime.utcnow)
    title = models.CharField(max_length=256, null=False, blank=False, default="Message Title")
    content = models.TextField(null=False, blank=True, default="Message Content")
    has_url = models.BooleanField(default=False)
    is_sticky = models.BooleanField(default=False)
    is_persistent = models.BooleanField(default=False)
    is_active = models.BooleanField(default=False)
    is_generic = models.BooleanField(default=True)
    time_shown = models.IntegerField(default=1, null=True, blank=False)
    specific_to_plan = models.CharField(max_length=256, null=False, blank=True)
    url = models.CharField(max_length=256, null=True, blank=True)

    def __unicode__(self):
        return self.content

And now settings.py:

# settings.py

ADMIN_MENU = [
    {
        'name': 'Users',
        'models': [
            'User',
            'Message',
            'Payment',
        ],
        'icon': 'icon-user'
    },
    {
        'name': 'Inventory',
        'models': [
            'Country',
            'Server',
            'Package',
            'blog.post'
        ],
        'icon':'icon-user'
    },
    {
        'name': 'Blog',
        'models': [
            'Post',
        ],
        'icon':'icon-user'
    },
    {
        'name': 'Reports',
        'models': [
            ('Users', '/console/reports/users'),
            ('Usage', '/console/reports/usage'),
        ],
        'icon':'icon-user'
    }
]
Tunaki
  • Sigh... What have you tried so far? I have no idea why this 'question' has 3 upvotes already. This is basically "develop this for me". Also look here: http://django-admin-tools.readthedocs.org/en/latest/menu.html#the-menu-class – user1797792 Nov 11 '15 at 15:39

1 Answer

You should consider rewriting your ADMIN_MENU to something like:

[
    {
        'name': 'Users',
        'models': [
            'app1.User',
            'app2.Message',
            'app3.Payment',
        ],
        'icon': 'icon-user'
    },
    (...)
]

If you list the models using <app label>.<model name> notation, then you can check if the user has permissions to list each model, and then you'll know if you let him see each menu entry or not.

For example, in order to know if a user my_user may see the "Users" menu entry, you should check this boolean statement according to the docs:

my_user.has_perm('app1.list_user') and my_user.has_perm('app2.list_message') and my_user.has_perm('app3.list_payment')

That's one approach. Another way, a simpler one, could be using the auth.Permission model to create your custom permissions, one per menu entry:

  • menu.users
  • menu.inventory
  • menu.blog
  • menu.report

So, in order to check which menu entries a user has permission to see, you must do something like:

if my_user.has_perm('menu.users'):
    # this user can see the Users menu entry
    pass

Here are the reference docs for the Permission model.

Finally, I think maybe you could move the menu entries to your database and use some nice app like django-guardian or django-object-permissions to give each user permissions over some of those menu entry instances.

matagus
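An added example, not part of the answer above: a menu filter that combines both approaches, checking a per-model permission for each <app label>.<model name> entry and a custom menu.* permission for link-only sections such as Reports. The names visible_menu and StubUser, the "perm" key and the action parameter are assumptions made for illustration; action defaults to Django's built-in "change" codename, and a custom codename such as the answer's "list" can be passed instead once that permission exists.

```python
# Added example (not from the original post). StubUser is a constructed stand-in
# exposing the two members of django.contrib.auth's User that the filter uses.
class StubUser:
    def __init__(self, perms=(), is_superuser=False):
        self.perms, self.is_superuser = set(perms), is_superuser

    def has_perm(self, perm):
        return self.is_superuser or perm in self.perms

# Constructed menu in the answer's <app label>.<model name> notation.
# "perm" is a hypothetical key naming the custom permission for link-only sections.
ADMIN_MENU = [
    {"name": "Users", "icon": "icon-user",
     "models": ["app1.User", "app2.Message", "app3.Payment"]},
    {"name": "Inventory", "icon": "icon-user",
     "models": ["Country", "blog.post"]},
    {"name": "Reports", "icon": "icon-user", "perm": "menu.report",
     "models": [("Users", "/console/reports/users"),
                ("Usage", "/console/reports/usage")]},
]

def visible_menu(user, menu, action="change"):
    """Return the sections and entries of `menu` that `user` may open."""
    if user.is_superuser:
        return [dict(section) for section in menu]
    visible = []
    for section in menu:
        perm = section.get("perm")
        if perm and not user.has_perm(perm):
            continue  # section-level permission missing: hide the whole section
        items = []
        for item in section["models"]:
            if isinstance(item, tuple):
                # (label, url) link: shown only when a section permission guards it
                if perm:
                    items.append(item)
                continue
            app, _, model = item.rpartition(".")
            # No app label means no permission to check, so fail closed
            if app and user.has_perm(f"{app}.{action}_{model.lower()}"):
                items.append(item)
        if items:
            visible.append({**section, "models": items})
    return visible
```

This only decides what the menu renders; the report views and each ModelAdmin still need their own permission checks, because the URLs stay reachable whether or not the menu links to them.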