1

I want to make use of django-guardian's object permissions and grant specific rights for specific users to one or more Django users.

I have tried to add some permissions to my Process class like this:

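```python
from django.db import models
from viewflow.models import Process


class TestProcess(Process):
    title = models.CharField(max_length=64)

    # ForInheritage is another model defined in the same project
    something = models.ForeignKey(ForInheritage, null=True, on_delete=models.CASCADE)
    no_approval = models.BooleanField(default=False)
    approved = models.BooleanField(default=False)

    def something_is_approved(self):
        try:
            return self.something.approved
        except AttributeError:
            # self.something is None when no related object is set
            return None

    class Meta:
        permissions = (
            ('view_process', 'View Process'),
        )
```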

Unfortunately this causes viewflow to immediately throw an error after starting runserver:

```
File "/home/me/.virtualenvs/viewflow3/lib/python3.4/site-packages/viewflow/mixins.py", line 253, in ready
    self.flow_class.process_class._meta.permissions.append(
AttributeError: 'tuple' object has no attribute 'append'
```

My initial plan was to subclass Start and View flow classes to change how the Permission function, that is inherited from the PermissionMixin, works. But this seems to be more work than just this, too.

django-guardian is already mentioned in one of the cookbook sections here but currently leads to a 404 page.

What would be the recommended/cleanest way to use guardian permissions on Processes and Tasks?

Hi Hi

1 Answer

1

Your specific problem happens because you specify permissions as a tuple; try a list instead:

```python
class Meta:
    permissions = [
        ('view_process', 'View Process'),
    ]
```

Viewflow already adds the 'view' and 'manage' permissions so you can reuse them.

But further restricting per-process view permissions on the object level with django-guardian is not very practical. On each new process creation, in a start view, you will have to grant view permission to all process participants. That leads to huge permission table growth and slows down the permissions lookup.

A reasonable use case for object-level permissions could be something like restricting user access to a task based on a user's department, for example.

```python
deliver = flow.View(
    views.deliver
).Permission(
    'parcel.land_on_planet',
    obj=lambda process: process.department
).Next(this.report)
```
kmmbvnr
  • I get that setting it for each user can lead to far too large permission tables, but I would want to set the permissions based on groups for the most part (`assign_perm('change_task', group, task)` in django-guardian). Is this possible as of now? An example would be having different shipment companies. ShipmentCompanyX (object of `model` 'ShipmentCompany') would have a corresponding `group` ShipmentCompanyXGroup with the `permission` "view_company". When creating new processes/tasks I would like to add to something like "view_task" for this task to said group. – Hi Hi Feb 27 '17 at 08:37
  • view permissions in the viewflow are not object-based. – kmmbvnr Mar 02 '17 at 11:13
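
The trade-off described in the answer above, as an added example that is not part of the original thread and is not django-guardian or viewflow code: a plain-Python stand-in for an object-permission table, comparing per-process grants with a single department-level grant resolved through an `obj` callable. All class, function, user and group names are hypothetical.

```python
# Added illustration: in-memory stand-in for an object-permission table.
# Every name here is hypothetical; nothing is imported from guardian/viewflow.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Department:
    name: str


@dataclass(frozen=True)
class Process:
    pk: int
    department: Department


@dataclass
class PermTable:
    # One row per (principal, codename, object), like an object-permission table.
    rows: set = field(default_factory=set)

    def assign(self, perm, principal, obj):
        self.rows.add((principal, perm, obj))

    def has_perm(self, user, groups, perm, obj):
        # A direct user grant or a grant to any of the user's groups is enough.
        return any((p, perm, obj) in self.rows for p in (user, *groups))


def can_execute(table, user, groups, perm, process, obj=lambda p: p):
    # Same shape as .Permission(perm, obj=...): resolve the object the
    # check runs against, then look that object up in the table.
    return table.has_perm(user, groups, perm, obj(process))


def compare(n_processes=1000, participants=("alice", "bob", "carol")):
    dept = Department("shipping")
    processes = [Process(i, dept) for i in range(n_processes)]
    per_process, per_dept = PermTable(), PermTable()
    for proc in processes:          # grants written at every process start
        for user in participants:
            per_process.assign("view_process", user, proc)
    # Granted once to a group on the department, independent of process count.
    per_dept.assign("land_on_planet", "group:shipping", dept)
    return processes, per_process, per_dept
```

With per-process grants the table grows by one row per participant per process and every new participant needs a backfill; with the department-level grant, access follows group membership and new processes need no extra rows.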