Django queryset permissions

AFAIK, permissions do not filter the queryset.

So, if I have to filter the queryset and return relevant records, what are permissions for? Is there something permissions do which filtering cannot?

Rounak

1 Answer

Let me give an example to explain the difference in a simple way. Assume that you want to build a student management system to be used by both teachers and students. You want to implement a web page that lists the students, but you want to apply two restrictions while doing that:

  1. If the logged-in user is a student, do not show any students, as it might violate privacy. This can be done with Django's built-in permissions.

  2. If the logged-in user is a teacher, do not list all students, but only those who are registered to that teacher's course. This is object-level permission, and Django does not have a built-in library for that. You can either implement this logic yourself or use libraries such as django-guardian.

cagrias
  • Thanks for the reply. But my question is not regarding Django permissions vs django-guardian. I want to know why permissions have to be used at all. I could just do the above by filtering the queryset. I will edit the question to make it more clear, anyway. – Rounak May 29 '19 at 16:47
  • Django has a built-in authentication library, which includes User, Group and Permission classes. By creating your app's users using that User class, you can easily isolate your models from the Users via Permissions. You can also implement this by verifying the user via request.user and filtering querysets by yourself. But this built-in permission approach of Django is fully tested, secure, and easy to implement in a single line of code. – cagrias May 29 '19 at 18:57
  • Thanks again. 'easy to implement' -- No. That is what made me question the utility of permissions. It's a pain to set up object-level permissions (I followed this approach: https://pragmaticstartup.wordpress.com/2012/06/26/django-guardian-a-full-access-control-logic-acl-example/). Every single object, when created, will have to be assigned permissions for object-level permissions to work correctly. So there is extra work while creating a record, as well as extra storage needs, since a record for the permission is being created separately, not to mention the overhead of managing Groups correctly. – Rounak May 30 '19 at 06:02
  • Imagine you have a huge application with a number of roles and users. Without even changing your code, you can create other roles and assign custom policies to them (you do not even need to implement an interface for that; Django has a built-in admin page where you can deal with User, Group and Permission), or edit permissions of your existing roles, etc. Providing permissions by filtering the queryset would require dozens of controls in order to designate the correct level of permission for the role of your users. – cagrias May 30 '19 at 06:08
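The two layers the answer and the comment thread argue about, as an added example that is not code from the question, the answer or Django itself. It is plain Python so it runs without Django: `User`, `Student`, the course dict and the permission string are assumptions standing in for `request.user`, model instances and a permission codename. The point it shows is why a model-level permission check is worth having even when you already filter: filtering alone returns an empty list both for a student who must see nobody and for a teacher with no students, so the denial is silent and indistinguishable from a legitimate empty result, while the permission gate fails closed with an explicit, loggable, testable decision that an admin can grant or revoke as data.

```python
from dataclasses import dataclass

# Constructed example, not code from the question or answer. User, Student,
# the course dict and the permission string stand in for Django's request.user,
# model instances and a permission codename such as "school.view_student".
VIEW_STUDENT = "school.view_student"  # model-level (table-wide) permission

@dataclass(frozen=True)
class User:
    username: str
    perms: frozenset = frozenset()  # stands in for user.get_all_permissions()

@dataclass(frozen=True)
class Student:
    name: str
    course: str

class PermissionDenied(Exception):
    """Explicit, loggable authorization failure (Django's has the same name)."""

def students_filter_only(user, students, courses):
    """Filtering alone: scope rows by ownership and nothing else. A user with no
    courses silently gets [] whether they are a student who must see nobody or
    a teacher who simply has no students yet; the two cases are indistinguishable."""
    owned = {name for name, teacher in courses.items() if teacher == user.username}
    return [s for s in students if s.course in owned]

def students_permission_gated(user, students, courses):
    """The answer's two layers: (1) a model-level permission decides whether the
    user may list students at all, failing closed with an exception that can be
    logged and tested; (2) object-level scoping decides which rows. Layer 1 is
    data, so an admin can grant or revoke it per user or group without a deploy."""
    if VIEW_STUDENT not in user.perms:
        raise PermissionDenied(f"{user.username} lacks {VIEW_STUDENT}")
    return students_filter_only(user, students, courses)

def list_students(user, students, courses):
    """Return (rows, denied) so a view can log the denial instead of a blank page."""
    try:
        return students_permission_gated(user, students, courses), False
    except PermissionDenied:
        return [], True

# Constructed sample data: course name -> owning teacher, plus two users.
COURSES = {"algebra": "alice", "biology": "bob"}
STUDENTS = [Student("carol", "algebra"), Student("dave", "biology")]
TEACHER = User("alice", frozenset({VIEW_STUDENT}))
STUDENT_USER = User("carol")  # a student: no model-level permission at all
```

In a real Django view the gate is `request.user.has_perm("school.view_student")` (or the `permission_required` decorator) and the scope is the queryset filter; the example keeps them as two separate functions so each can be tested on its own.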