On Thu, Aug 5, 2010 at 3:32 AM, lukaszb <lukaszbalcer...@gmail.com> wrote:
> Thanks for the comment! I really do think that this "backends ready &&
> included" parts of Django are extremely useful (and fun to extend if
> needed).
>
> About the admin, I haven't really gotten into admin integration yet as I
> cannot answer this: should user with "flatpages.change_flatpage"
> permission for flatpage instance be able to edit it at admin if he/she
> doesn't have "flatpage.change_flatpage" global permission? I'm just
> stuck here - I suppose it would be good to "turn off" ability to
> change some objects for user with this global "app.change_obj"
> permission removal. On the other hand, wouldn't it be too much to give
> such global permission for user if we intend to allow him/her to
> change only single object?

There are two possible readings of the global obj=None case.

 a) A user must have the global permission in order to be granted the
permission for individual objects. This means that the global
permission is a 'gatekeeper' of sorts for individual object
permissions.

 b) The global permission is the 'fallback' permission if a specific
object permission doesn't exist. That is, the obj=None permission is the
"allow all" permission.

My reading of the code and docs [1] [2] is that (b) is the intended
interpretation. From a practical standpoint, this also makes sense: in
the case of (a), there is no way to grant a wildcard permission.

[1] http://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.models.User.has_perm
[2] http://code.djangoproject.com/wiki/RowLevelPermissions

So - in terms of the practical situation you describe; this means that
a user can only edit a specific flatpage if they have the change
permission for a specific instance, *or* they have the global obj=None
permission.

The issue that cascades on from this is the UX issue of how to
represent an object that you can't edit. Should it be displayed, but
not presented as a link? Should it be hidden entirely?

Yours,
Russ Magee %-)
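
Added example, not part of the original message and not Django's own code: a standalone model of readings (a) and (b) above, showing which flatpages each reading lets a user change. The `Grants` store, the function names, the users and the page ids are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Grants:
    """Constructed in-memory permission store (not Django's auth models)."""
    global_perms: set = field(default_factory=set)   # {(user, perm)}
    object_perms: set = field(default_factory=set)   # {(user, perm, obj_id)}

    def has_global(self, user, perm):
        return (user, perm) in self.global_perms

    def has_object(self, user, perm, obj_id):
        return (user, perm, obj_id) in self.object_perms


def has_perm_gatekeeper(g, user, perm, obj_id=None):
    """Reading (a): the global permission must be held before an object grant counts."""
    if not g.has_global(user, perm):
        return False
    return obj_id is None or g.has_object(user, perm, obj_id)


def has_perm_fallback(g, user, perm, obj_id=None):
    """Reading (b): an object grant OR the global (obj=None) grant allows the action."""
    if g.has_global(user, perm):
        return True
    return obj_id is not None and g.has_object(user, perm, obj_id)


def editable(g, user, perm, obj_ids, check):
    """Objects the user may change, i.e. what an admin changelist has to decide."""
    return [o for o in obj_ids if check(g, user, perm, o)]


PERM = "flatpages.change_flatpage"
PAGES = [1, 2, 3]  # constructed flatpage ids
GRANTS = Grants(
    global_perms={("editor", PERM)},      # holds only the global permission
    object_perms={("alice", PERM, 2)},    # holds only a grant on page 2
)

if __name__ == "__main__":
    for name, check in (("a", has_perm_gatekeeper), ("b", has_perm_fallback)):
        for user in ("editor", "alice"):
            print(name, user, editable(GRANTS, user, PERM, PAGES, check))
```

Under (a) neither user can change any page, which is the missing wildcard noted above; under (b) the global holder can change every page and the object-grant holder only page 2.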
