4

I want to write my own permissions in Django, I mean I want to define exactly what a user can or cannot do, I have read this enter link description here but it seems change_task_status is sth predefined in Django. for example, I want to define exactly users can have access to just get method of a view and just from row 1 to 8 of the database table, and sth like this. How can I do this?

Edit:

First of all, I did this with default permissions that are in auth_permission table in Django, for each model it creates permissions of add/view/change/delete in this table and I know that I can use it for my purpose. but I have two problems, first I don't want to use the default permission class od Django.contrib,auth model thus I want to create my own permission table (instead of auth_permissions I have mapp_permissions) it makes a problem for me now this new table is not filled with default permissions so I need to define permissions myself I mean I have to say what add_modelname means and also after I do this I need to define some new permissions that say for example for one model:user_x have permission view_modelname, users also have this permission but from data of this model which stored in database user_y just can see records of 1 to 8 of db table not all

Edit 2:

as you can see in permissions class comment it says:"it's not currently possible to say "Mary may only change news stories that have a certain status or publication date."" how can I make it possible? also, there should be a code inside Django files that define for the machine for example add_user which is in the table means what

user907988
  • 625
  • 1
  • 5
  • 17
  • What do you mean `and just from row 1 to 8 of the database table`? That example above shows you a template for writing a permission. You define permissions on the models, and then check if that user has the necessary permission using the function? You can apply the permissions to users (the rows 1 - 8, I assume) via the dashboard or via a migration. – Rodney Hawkins Dec 27 '18 at 09:36
  • please check my edit – user907988 Dec 27 '18 at 09:46
  • @Annabelle not sure why you wouldn't want to use the Django auth permissions table but if you do want to use a custom permissions table, you can no longer use the usual permissions defined in the model META class because those ones are added to the auth permissions table during migration. You would have to roll out a custom solution. As for your second requirement of row 1-8, it's also a strange one and does not fall into the type of permissions offered by the current permissions framework, but since you will be rolling out a new logic anyway, you can also implement that on your own – Ken4scholars Dec 27 '18 at 09:58
  • @Ken4scholars It means I need to solve my problem inside python and framework does not usefull for it? The big problem I have here is that where is the definition of permissions which are already in the table? for example in add_user, wherein Django files defined what it means and how it should work? – user907988 Dec 27 '18 at 10:25
  • @Ken4scholars as you can see in class permission comment it says:"it's not currently possible to say "Mary may only change news stories that have a certain status or publication date."", how can I make it possible? – user907988 Dec 27 '18 at 10:29
  • @Annabelle by default, the permissions framework generates add, update and delete permissions for all models defined. You are correct in that the existing permissions models is not fine-grained enough for record-level permissions. Since you included a DRF tag, I assume you're trying to realize this for an API. You can roll out a custom logic for this without removing the existing Django permissions framework which works pretty well in the admin. – Ken4scholars Dec 27 '18 at 10:46
  • @Ken4scholars I didn't get this part of your answer" You can roll out a custom logic for this without removing the existing Django permissions framework which works pretty well in the admin" – user907988 Dec 27 '18 at 10:55
  • 1
    @Annabelle What I mean is that is that you can write a DRF permissions class which checks that the user has the permission to change objects of a particular status. The check could be on whether the user is admin or normal user. But then again if you need it to be fine-grained, you can create a separate class for the permissions and define as many as is needed. In essence, what I mean is that you can have them work side by side with the original permissions framework and not replace it – Ken4scholars Dec 27 '18 at 11:02
  • @Ken4scholars another problem I have is this that for purpose of my project I used a model folder instead of model.py file, now permission class cannot auto-generate add/change/delete/update of my models, how can I define where to look for my model? – user907988 Dec 27 '18 at 11:15
  • 1
    @Annabelle you should import all your models in the `__init__.py` file of the package. Check this out https://stackoverflow.com/questions/5534206/how-do-i-separate-my-models-out-in-django – Ken4scholars Dec 27 '18 at 11:25

1 Answers1

3

According to Edit 2 , I see that you have some business logic related to permissions check , have a look at django-rules , I think it's what you're looking for.

Haidar Zeineddine
  • 979
  • 1
  • 8
  • 20
  • Thank you, now I have a little problem can you help me with it first?"another problem I have is this that for purpose of my project I used a model folder instead of model.py file, now permission class cannot auto-generate add/change/delete/update of my models, how can I define where to look for my model?" – user907988 Dec 27 '18 at 11:17
  • 1
    Did you import the models inside the __init__.py in the models forlder ? https://docs.djangoproject.com/en/2.1/topics/db/models/#organizing-models-in-a-package – Haidar Zeineddine Dec 27 '18 at 11:26