I posted this to django-developers instead, so if you want to reply go
find that thread and do it there.
On Jun 23, 3:33 am, Andy Kelley <superjo...@gmail.com> wrote:
> God damn it, the most dangerous thing about Dvorak is hitting tab
> instead of or along with apostrophe. "don'<tab>t " translates into
> "don'" <send message>
>
> Anyways, I think this idea has merit - even alongside a role-based
> security system.
>
> Feedback?
>
> On Jun 23, 3:29 am, Andy Kelley <superjo...@gmail.com> wrote:
>
> > I am coming up with a framework that helps serialization of models. My
> > idea is for each field to have a view permissions level: PUBLIC,
> > OWNER, or ADMIN. I want to have a model to dict function that takes 2
> > arguments, permission_level and serialize_chain. Firstly, let me
> > explain how it would change models.py:
>
> > from django.db import models
> > from django.contrib.auth.models import User
> > class Profile(models.Model):
> > user = models.ForeignKey(User, permission=PUBLIC)
> > bio = models.TextField(permission=PUBLIC)
> > activated = models.BooleanField(default=False, permission=OWNER)
> > activate_code = models.CharField(max_length=256, permission=ADMIN)
> > pages_bookmarked = models.ManyToManyField('Page',
> > related_name='profile_pages_bookmarked', permission=OWNER)
>
> > So, in this example, let's think about when we serialize Profile into
> > a dictionary (for later turning into JSON for ajax). user is the only
> > special case, so skip that mentally for now. Anyone is able to view a
> > profile's bio. A person can view their own profile's activation status
> > and what pages they have bookmarked. But only the system can read the
> > activate_code. Of course the default value for permission would be
> > ADMIN, so you'd have to explicitly allow fields to be sent to the
> > browser.
>
> > OK, and how would the serialization work? Let's look at a view
> > function.
>
> > from django.shortcuts import get_object_or_404
> > from django.http import HttpResponse
> > import simplejson as json
>
> > def ajax_profile_info(request, id):
> > id = int(id)
> > profile = get_object_or_404(Profile, id=id)
> > # ok now we want to serialize profile for sending to json.
> > # let's say this is the ajax view for getting data about OTHER
> > people.
> > return json_response(profile.serialize(PUBLIC))
>
> > def json_response(data):
> > return HttpResponse(json.dumps(data), mimetype="text/plain")
>
> > So in this view, only fields with the PUBLIC will get rendered into
> > the dict. Let's say it was a view function for looking at a person's
> > own account settings. Then we would pass OWNER to the serialize
> > function and we would get all PUBLIC fields + OWNER fields.
>
> > OK that's dandy, but I have one other idea to make serialization
> > awesome. When you have models that foreignkey all over the place, it's
> > a pain to create a nice json object that follows the chain to the
> > exact depth that you want. So let me complicate the model a little
> > bit.
>
> > from django.db import models
> > from django.contrib.auth.models import User
>
> > class Profile(models.Model):
> > user = models.ForeignKey(User, permission=PUBLIC)
> > bio = models.TextField(permission=PUBLIC)
> > activated = models.BooleanField(default=False, permission=OWNER)
> > activate_code = models.CharField(max_length=256, permission=ADMIN)
> > books_read = models.ManyToManyField('Book',
> > related_name='profile_pages_bookmarked', permission=PUBLIC)
>
> > class Book(models.Model):
> > title = models.CharField(max_length=100, permission=PUBLIC)
> > protagonist = models.ForeignKey('Character', permission=PUBLIC)
> > language_used = models.ForeignKey('Language', permission=PUBLIC)
> > cover_art_plan = models.ForeignKey('CoverArtPlan',
> > permission=PUBLIC)
> > internal_admin_thing = models.IntegerField(permission=ADMIN)
>
> > class Character(models.Model):
> > name = models.CharField(max_length=100, permission=PUBLIC)
>
> > class Language(models.Model):
> > name = models.CharField(max_length=100, permission=PUBLIC)
>
> > class CoverArtPlan(models.Model):
> > name = models.CharField(max_length=100, permission=PUBLIC)
>
> > OK so let's say I'm making a page where we see all the books a person
> > has read (and the info about those books). Here's a view function:
>
> > def ajax_books_read(request, profile_id):
> > id = int(id)
> > profile = get_object_or_404(Profile, id=id)
> > return json_response(profile.serialize(PUBLIC),
> > ['books_read.protagonist', 'books_read.language_used'])
>
> > So this second argument, the serialize_chain, says that we want to
> > serialize profile into a dict, and the books_read field, instead of
> > containing a list of ids, should contain a list of serialized Books.
> > And since we have a dot there, when Profile passes it's serialization
> > request on to Book, it cuts off the "books_read." and passes the rest
> > to Book, so that book sees ['protagonist', 'language_used']. so when
> > Book serializes, its 'protagonist' field is the serialization of the
> > Character instead of just an id. Same for 'language_used'. However,
> > since cover_art_plan was not included, it is simply the id of the
> > CoverArtPlan instead of following the link. Also of note, since we
> > serialized with PUBLIC, internal_admin_thing is completely left out of
> > Book's serialized data.
>
> > A note about access levels: let's say Profile was serialized with
> > OWNER access, when it serializes its books_read, it doesn't pass
> > OWNER, it de-escalates the access level to PUBLIC. However if you
> > serialize Profile with ADMIN access, it does pass admin when it
> > serializes its links. Think about it; it makes sense.
>
> > Anyways, I would like to know if
>
> > 1) Does a solution like this already exist? and if not
> > 2) Is this cool enough to go into django core? or contrib or whatever.
>
> > I got some feedback from mattmcc in #django:
> > <mattmcc> superjoe: At first glance, I'd be more inclined to look at a
> > role-based access control mechanism that doesn't obligate hardcoding
> > permission levels on to model fields..
>
> > However I don'
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
