I'm working on a website for my neighbor, and I was almost completely done. But he added one more feature that I can't seem to wrap my head around building. The feature in itself is pretty simple, and I already have it written. He just wanted a photo gallery with albums. Each vendor on his site would have their own album.

But the problem I'm having is that he wants specific users from each vendor to be able to access the CRUD for these albums, and not anything else. If I try to do this in Django admin, then the user gets access to other albums that aren't theirs. So I need to create some permissions. Can I use group permissions in Django to do this, because the permissions in Django are pretty general and not specific to their vendor name or any other models? I only want them to be able to access and add new items under their vendor name. Or do I need to use some other tool, and create another view?

Models.py for reference:

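import uuid

from django.db import models
from django.utils.text import slugify
from imagekit.models import ProcessedImageField
from imagekit.processors import ResizeToFit


class Vendor(models.Model):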
    name = models.CharField(max_length=100)
    slug = models.SlugField(max_length=200, unique=True, null=True)
    website = models.CharField(max_length=256)
    city = models.CharField(max_length=100)
    state = models.CharField(max_length=3)
    vendor_email = models.CharField(max_length=100)
    images = models.ImageField(upload_to='vendor_images', blank=True, default='img/92-thumb.jpg')
    description = models.TextField()

    def __str__(self):
        return self.name

    def save(self, *args, **kwargs):
        # regenerate the slug from the current name on every save
        self.slug = slugify(self.name)
        super().save(*args, **kwargs)

class VendorAlbum(models.Model):
    vendor = models.ForeignKey(Vendor, on_delete=models.PROTECT, related_name='vendor')
    title = models.CharField(max_length=70)
    description = models.TextField(max_length=1024)
    thumb = ProcessedImageField(upload_to='albums', processors=[ResizeToFit(800)], format='JPEG',
                                options={'quality': 90})
    tags = models.CharField(max_length=250)
    is_visible = models.BooleanField(default=True)
    created = models.DateTimeField(auto_now_add=True)
    modified = models.DateTimeField(auto_now=True)  # refreshed on every save
    slug = models.SlugField(max_length=50, unique=True)

    def __str__(self):
        return self.title


class VendorAlbumImage(models.Model):
    image = ProcessedImageField(upload_to='albums', processors=[ResizeToFit(1920)], format='JPEG',
                                options={'quality': 70})
    thumb = ProcessedImageField(upload_to='albums', processors=[ResizeToFit(800)], format='JPEG',
                                options={'quality': 80})
    album = models.ForeignKey(VendorAlbum, on_delete=models.PROTECT)
    alt = models.CharField(max_length=255, default=uuid.uuid4)
    created = models.DateTimeField(auto_now_add=True)
    width = models.IntegerField(default=0)
    height = models.IntegerField(default=0)
    slug = models.SlugField(max_length=70, default=uuid.uuid4, editable=False)

    def __str__(self):
        return self.alt
Justin Boucher

1 Answer

As you're using a dynamic item such as the albums, you had better filter, inside the views, only the albums related to the specific vendor before you show them in the CRUD templates. It won't be using Django permissions but instead control from the views.

jsanchezs
  • Thanks and Understood. Is this the most efficient way though? My issue with this is that it is essentially a self-provisioned portal. So I need to make it as easy for them as possible. And I'm not going to maintain it after the site is built. I'll investigate this further though. – Justin Boucher May 03 '19 at 15:37
  • Ok...I think I see it now. Add a group to the album model. And when a vendor is added, override the save and add a django group with the vendor name. Then on the CRUD views of the album, have a template context to check if the authenticated user is a member of that group. Since this is a build, then forget I don't want the super admin to have to worry that much about internal things. This would also give vendors the ability to add multiple people to their group, so they can have more than one admin. Is this going down the right track of what you are mentioning? – Justin Boucher May 03 '19 at 15:45
  • That would be the method that uses Django permissions, but you'll keep the fact that every vendor can alter all albums. In order to make it so vendors can only admin their own albums, you can proceed as I told you. It's a good and efficient practice to solve what you need. Remember to mark the answer as correct if it helped you, so it can help others who look for the same thing later. – jsanchezs May 03 '19 at 15:54
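
One way to apply the view-level filtering the answer recommends, combined with the vendor-named groups proposed in the comments. This is an added example, not code from the question or the answer; the mixin names, the `vendor_lookup`, `owner_field` and `owner_lookup` attributes, and the convention that a group's name equals `Vendor.name` are assumptions.

```python
# Added example: mixins for Django generic class-based views. No Django import
# is needed here; the methods are resolved through the view's MRO.
# Assumption: every Vendor has an auth Group whose name equals Vendor.name,
# and vendor staff are members of that group.


class VendorScopedMixin:
    """Limit a view's queryset to rows owned by the user's vendor group(s)."""

    # Lookup path from the view's model to Vendor.name (VendorAlbum here).
    # For VendorAlbumImage use "album__vendor__name__in".
    vendor_lookup = "vendor__name__in"

    def allowed_vendor_names(self):
        return list(self.request.user.groups.values_list("name", flat=True))

    def get_queryset(self):
        qs = super().get_queryset()
        user = self.request.user
        if not user.is_authenticated:
            return qs.none()
        if user.is_superuser:
            return qs
        # UpdateView/DeleteView call get_object() on this queryset, so a
        # guessed pk or slug for another vendor's album yields a 404.
        return qs.filter(**{self.vendor_lookup: self.allowed_vendor_names()})


class VendorScopedFormMixin(VendorScopedMixin):
    """Also restrict the owner foreign key offered by Create/Update forms."""

    owner_field = "vendor"      # "album" for VendorAlbumImage forms
    owner_lookup = "name__in"   # "vendor__name__in" for VendorAlbumImage forms

    def get_form(self, form_class=None):
        form = super().get_form(form_class)
        if not self.request.user.is_superuser:
            field = form.fields[self.owner_field]
            # ModelChoiceField validates POSTed values against its queryset,
            # so a tampered vendor id is rejected server-side.
            field.queryset = field.queryset.filter(
                **{self.owner_lookup: self.allowed_vendor_names()})
        return form


# Hypothetical wiring in views.py:
# class AlbumUpdate(LoginRequiredMixin, VendorScopedFormMixin, UpdateView):
#     model = VendorAlbum
#     fields = ["vendor", "title", "description", "thumb", "tags", "is_visible"]
```

The check lives in the queryset and the form field rather than in template context, so it holds even when a request is crafted by hand. Because `Vendor.name` is not declared unique in the models above, two vendors with the same name would share access under this naming scheme.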