I have a Django class based view in which I am using the PermissionRequiredMixin. I would like a user who has at least one of the permissions in the permissions_required attribute to be able to access the view. From the Django documentation:
The decorator may also take an iterable of permissions, in which case the user must have all of the permissions in order to access the view.
So, if User1 has permission, "add_polls" and User2 has "change_polls", and I have a form view that lets a user add a poll and another view that lets a user change a poll (with permissions_required="add_polls" and permissions_required="change_polls" on each of those views, respectively), it works great. But, what if I have an interim page/view that has links to both of those views with permissions_required = ("add_polls", "change_polls") that I need the user to pass through first? Now, neither user will be able to access to that page because the users only have access to one or the other permission, not both - if I understand the documentation correctly, a user will need BOTH those permissions to access the interim page. If I did give both users access to both those permissions so they could access the interim page, this would then give both users access to both the add and change polls as well which I don't want.
Will I need to write a custom authorization to handle this, or am I missing something simple?
One possible solution would be to create another privilege - something like "interim-polls" which would be the permissions_required on the interim view. User1 would be assigned "add-polls" and "interim-polls", and User2 would be assigned "change-polls" and "interim-polls".
This would work, but is there an easier or more intuitive way than to have to add additional permissions? Maybe a way to specify that only one item in the list of "permissions_required" is actually required to access the form instead of all of them? i.e. permission1 OR permission2 as opposed to permission1 AND permission2 required to access the view.
Thank you for any insight.
[Edit - adding additional information] I'll use some pseudocode here to give an idea of the views:
class ChooseAddorEdit(LoginRequiredMixin, PermissionRequiredMixin, TemplateView):
permission_required=('app.add_item', 'app.change_item')
Display Add (links to AddItem) or Edit (links to EditItem) Links
...
class AddItemFormView(LoginRequiredMixin, PermissionRequiredMixin, CreateView):
permission_required='app.add_item'
Manages form to add an item
...
class EditItemFormView(LoginRequiredMixin, PermissionRequiredMixin, UpdateView):
permission_required='app.change_item'
Manages form to edit an item
...
The user would be required to have both permissions to access the ChooseAddorEdit view. If the user has both permissions, then that user can access both the Add and Edit views. What I would like to accomplish some users to be able to only add items and other users to be able to only edit items, but still be able to see the ChooseAddorEdit view.
As I mentioned above, this could be accomplished by adding another custom permission in the model's Meta: but is there a way to accomplish this without adding yet more individual permissions and using the ones available?
