
I am using django-permission on a simple test app (almost identical to the example used in the docs) to try to figure out how it works. I have read the documentation and tried to use the example app provided on this link.

The issue is that the author of an article is not able to edit/delete the article.

The user in question has been granted all permissions in the admin section.

Key code listed below - any help much appreciated

test_app/models.py

class Article(models.Model):
    created_by = models.ForeignKey(User)
    created = models.DateField(auto_now_add=True)
    modified = models.DateField(auto_now=True)
    title = models.CharField(max_length=100)
    content = models.TextField()

    class Meta:
        app_label = 'test_app'

from permission import add_permission_logic
from permission.logics import AuthorPermissionLogic

add_permission_logic(Article, AuthorPermissionLogic(
    field_name='created_by',
    any_permission = False,
    change_permission = True,
    delete_permission = True,
))

test_app/views.py

@permission_required('change_article')
def change_article(request, *args, **kwargs):
    pk = kwargs.pop('pk')
    template = 'test_app/edit.html'
    article = models.Article.objects.get(id=pk)

    if request.method == 'POST':
        form = forms.Article_form(request.POST, instance=article)

        if form.is_valid():
            article = form.save(commit=False)

            article.created_by = request.user
            article.title = form.cleaned_data['title']
            article.content = form.cleaned_data['content']

            article.save()

            return HttpResponseRedirect('/test/')

        else:

            raise Http404

    else:
        form = forms.Article_form(instance=article)

        return render(request, template_name=template, context={'form':form})

test_app/perms.py

PERMISSION_LOGICS = (
    ('test_app.Article', AuthorPermissionLogic()),
)

EDIT

In the end there is a longer discussion on the project Github page available on this link.

While the objective of the question was resolved - it turns out that the function itself is a bit of a legacy function that is prone to unexpected behavior. The advice of the project owner is to use class based views rather than function based views.

dj.bettega
  • Shouldn't the permission have a prefix, e.g. `@permission_required('testapp.change_article')`? – Alasdair Apr 05 '18 at 10:59
  • Whhhaaat!? That is outrageous :) - yes this solved the issue of the author not being able to edit their own article. However, it seems to allow every other user to edit the article. – dj.bettega Apr 05 '18 at 11:16
  • What does your `AUTHENTICATION_BACKENDS` setting look like? Can other users still edit the article if you remove `'permission.backends.PermissionBackend'` from it? – Alasdair Apr 05 '18 at 11:18
  • AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', 'permission.backends.PermissionBackend', ) – dj.bettega Apr 05 '18 at 11:21
  • When I comment out 'permission.backends.PermissionBackend' - I get a bunch of errors from django-permission django.core.exceptions.ImproperlyConfigured: "permission.backends.PermissionBackend" is not found in `AUTHENTICATION_BACKENDS`. Users require to specify the backend manually to the option. Users can ignore this exception via setting `False` to `PERMISSION_CHECK_AUTHENTICATION_BACKENDS`. – dj.bettega Apr 05 '18 at 11:23
  • Have disabled the permissions check as per instruction - so the error has gone away. But it does not change the behavior – dj.bettega Apr 05 '18 at 11:26
  • If you can't fix those errors you could try commenting out `'django.contrib.auth.backends.ModelBackend'` instead. It sounds like other users can edit the article because of regular Django permissions assigned through the Django admin, so was just trying to test out that idea. – Alasdair Apr 05 '18 at 11:27
  • Commenting out the 'django.contrib.auth.backends.ModelBackend' results in the user not being able to log in (sorry I am not sure if it is relevant but I have extended the base user with a profile model linked via a foreign key) – dj.bettega Apr 05 '18 at 11:33
  • I wasn’t suggesting you commented out `ModelBackend` permanently, it was just for debugging. But that won’t work if it causes the user to be logged out immediately. – Alasdair Apr 05 '18 at 12:02
  • Please show the permissions for the other users in the Django admin. – Alasdair Apr 05 '18 at 12:04
  • No worries - am happy for the help! Admin permissions are simple enough - have been playing around with 3 users. User 1 has add/edit/delete perms in the admin. User 2 has the same permissions. User 3 has no permissions related to the app (yet is able to edit) – dj.bettega Apr 05 '18 at 12:14
  • Note if User 3 is a superuser then they will have all permissions. – Alasdair Apr 05 '18 at 12:40
  • Nope - not a superuser. I am suspecting that the app is not taking any of the permissions into account. I have tried changing the models.py line so that the "change_permission = False," - this does not affect the behavior... grrr – dj.bettega Apr 05 '18 at 12:47

1 Answer

I don't really get what "The user in question has been granted all permissions in the admin section." means (not sure what "admin section" is), but:

  1. You don't need perms.py since you already add a permission logic in your models.py.

  2. You need to use test_app.change_article instead (<app_label>.<perm>_<model_name>)

By the way, since you don't need perms.py it doesn't matter, but the instance of AuthorPermissionLogic in perms.py is not properly configured because you haven't specified field_name there (the default value of field_name is 'author' if you don't specify it). https://github.com/lambdalisue/django-permission/blob/master/src/permission/conf.py#L24

Λlisue
  • Thanks Alisue - have posted on the project Github page. Will reference/ link this discussion with that one. https://github.com/lambdalisue/django-permission/issues/81 – dj.bettega Apr 06 '18 at 07:10
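
The comments on the question try to find out which backend grants the edit by commenting entries out of `AUTHENTICATION_BACKENDS`. As an added example (not code from this thread or from django-permission), the helper below asks each configured backend directly instead. `explain_permission` and the stand-in backend, user and article classes are hypothetical, and the sample objects are constructed so the block runs without a Django project.

```python
try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # lets the constructed sample below run without Django
    class PermissionDenied(Exception):
        pass

def explain_permission(user, perm, obj=None, backends=None):
    """Return [(backend name, granted)] for every backend that checks permissions."""
    if backends is None:
        # Real use: the instances built from AUTHENTICATION_BACKENDS.
        from django.contrib.auth import get_backends
        backends = get_backends()
    report = []
    for backend in backends:
        if not hasattr(backend, "has_perm"):
            continue  # authentication-only backend, Django skips it as well
        try:
            granted = bool(backend.has_perm(user, perm, obj))
        except PermissionDenied:
            # Django treats this as a veto and stops asking further backends.
            report.append((type(backend).__name__, False))
            break
        report.append((type(backend).__name__, granted))
    return report

# --- Constructed stand-ins (hypothetical, not Django or django-permission code) ---
class User:
    def __init__(self, name, perms=()):
        self.name, self.perms = name, set(perms)

class Article:
    def __init__(self, created_by):
        self.created_by = created_by

class AssignedPermsBackend:
    """Mimics ModelBackend: admin-assigned permissions, never per object."""
    def has_perm(self, user, perm, obj=None):
        return obj is None and perm in user.perms

class AuthorRuleBackend:
    """Assumed object-level rule: only the author may change the article."""
    def has_perm(self, user, perm, obj=None):
        return (perm == "test_app.change_article"
                and obj is not None and obj.created_by is user)

BACKENDS = [AssignedPermsBackend(), AuthorRuleBackend()]
author = User("author")
editor = User("editor", perms={"test_app.change_article"})
article = Article(created_by=author)
```

In a Django shell, omit `backends` and pass real objects, e.g. `explain_permission(user, 'test_app.change_article', article)`. Comparing the result with and without `article` shows whether a grant is model-level (assigned in the admin) or object-level.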