God damn it, the most dangerous thing about Dvorak is hitting tab
instead of or along with apostrophe. "don'<tab>t " translates into
"don'" <send message>
Anyways, I think this idea has merit - even alongside a role-based
security system.
Feedback?
On Jun 23, 3:29 am, Andy Kelley <superjo...@gmail.com> wrote:
> I am coming up with a framework that helps serialization of models. My
> idea is for each field to have a view permissions level: PUBLIC,
> OWNER, or ADMIN. I want to have a model to dict function that takes 2
> arguments, permission_level and serialize_chain. Firstly, let me
> explain how it would change models.py:
>
> from django.db import models
> from django.contrib.auth.models import User
> class Profile(models.Model):
> user = models.ForeignKey(User, permission=PUBLIC)
> bio = models.TextField(permission=PUBLIC)
> activated = models.BooleanField(default=False, permission=OWNER)
> activate_code = models.CharField(max_length=256, permission=ADMIN)
> pages_bookmarked = models.ManyToManyField('Page',
> related_name='profile_pages_bookmarked', permission=OWNER)
>
> So, in this example, let's think about when we serialize Profile into
> a dictionary (for later turning into JSON for ajax). user is the only
> special case, so skip that mentally for now. Anyone is able to view a
> profile's bio. A person can view their own profile's activation status
> and what pages they have bookmarked. But only the system can read the
> activate_code. Of course the default value for permission would be
> ADMIN, so you'd have to explicitly allow fields to be sent to the
> browser.
>
> OK, and how would the serialization work? Let's look at a view
> function.
>
> from django.shortcuts import get_object_or_404
> from django.http import HttpResponse
> import simplejson as json
>
> def ajax_profile_info(request, id):
> id = int(id)
> profile = get_object_or_404(Profile, id=id)
> # ok now we want to serialize profile for sending to json.
> # let's say this is the ajax view for getting data about OTHER
> people.
> return json_response(profile.serialize(PUBLIC))
>
> def json_response(data):
> return HttpResponse(json.dumps(data), mimetype="text/plain")
>
> So in this view, only fields with the PUBLIC will get rendered into
> the dict. Let's say it was a view function for looking at a person's
> own account settings. Then we would pass OWNER to the serialize
> function and we would get all PUBLIC fields + OWNER fields.
>
> OK that's dandy, but I have one other idea to make serialization
> awesome. When you have models that foreignkey all over the place, it's
> a pain to create a nice json object that follows the chain to the
> exact depth that you want. So let me complicate the model a little
> bit.
>
> from django.db import models
> from django.contrib.auth.models import User
>
> class Profile(models.Model):
> user = models.ForeignKey(User, permission=PUBLIC)
> bio = models.TextField(permission=PUBLIC)
> activated = models.BooleanField(default=False, permission=OWNER)
> activate_code = models.CharField(max_length=256, permission=ADMIN)
> books_read = models.ManyToManyField('Book',
> related_name='profile_pages_bookmarked', permission=PUBLIC)
>
> class Book(models.Model):
> title = models.CharField(max_length=100, permission=PUBLIC)
> protagonist = models.ForeignKey('Character', permission=PUBLIC)
> language_used = models.ForeignKey('Language', permission=PUBLIC)
> cover_art_plan = models.ForeignKey('CoverArtPlan',
> permission=PUBLIC)
> internal_admin_thing = models.IntegerField(permission=ADMIN)
>
> class Character(models.Model):
> name = models.CharField(max_length=100, permission=PUBLIC)
>
> class Language(models.Model):
> name = models.CharField(max_length=100, permission=PUBLIC)
>
> class CoverArtPlan(models.Model):
> name = models.CharField(max_length=100, permission=PUBLIC)
>
> OK so let's say I'm making a page where we see all the books a person
> has read (and the info about those books). Here's a view function:
>
> def ajax_books_read(request, profile_id):
> id = int(id)
> profile = get_object_or_404(Profile, id=id)
> return json_response(profile.serialize(PUBLIC),
> ['books_read.protagonist', 'books_read.language_used'])
>
> So this second argument, the serialize_chain, says that we want to
> serialize profile into a dict, and the books_read field, instead of
> containing a list of ids, should contain a list of serialized Books.
> And since we have a dot there, when Profile passes it's serialization
> request on to Book, it cuts off the "books_read." and passes the rest
> to Book, so that book sees ['protagonist', 'language_used']. so when
> Book serializes, its 'protagonist' field is the serialization of the
> Character instead of just an id. Same for 'language_used'. However,
> since cover_art_plan was not included, it is simply the id of the
> CoverArtPlan instead of following the link. Also of note, since we
> serialized with PUBLIC, internal_admin_thing is completely left out of
> Book's serialized data.
>
> A note about access levels: let's say Profile was serialized with
> OWNER access, when it serializes its books_read, it doesn't pass
> OWNER, it de-escalates the access level to PUBLIC. However if you
> serialize Profile with ADMIN access, it does pass admin when it
> serializes its links. Think about it; it makes sense.
>
> Anyways, I would like to know if
>
> 1) Does a solution like this already exist? and if not
> 2) Is this cool enough to go into django core? or contrib or whatever.
>
> I got some feedback from mattmcc in #django:
> <mattmcc> superjoe: At first glance, I'd be more inclined to look at a
> role-based access control mechanism that doesn't obligate hardcoding
> permission levels on to model fields..
>
> However I don'
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
