Re: Permissions

James Bennett Fri, 19 Jun 2009 19:53:35 -0700

On Fri, Jun 19, 2009 at 6:35 PM, poop<alex.so...@gmail.com> wrote:
> Basically, I have a small CMS/publishing web app I have been working
> on for a few weeks.  It is coming together nicely (though getting
> LaTeX to play nice took longer than I expected).  Anyway, there is a
> notion of a "published" article, a "draft", and so on.  I would like
> to create permissions that allow staff members to view any article
> (published or draft, say).  But obviously, I would like everybody to
> be able to see a published article.  I do not want them to see drafts.


This is actually pretty easy to do.

Suppose you have a model setup like so (a simplified example to show
what I'm talking about):

class Article(models.Model):
    STATUS_PUBLISHED = 1
    STATUS_DRAFT = 2
    STATUS_CHOICES = ((STATUS_PUBLISHED, 'Published'),
                   (STATUS_DRAFT, 'Draft'))
    status = models.IntegerField(choices=STATUS_CHOICES)
    pub_date = models.DateTimeField()
    title = models.CharField(max_length=250)
    body = models.TextField()

...rest of model definition omitted...

Now, what you basically want is a bit of logic which modifies queries
based on user status. This would ideally go into a custom manager on
the model. Perhaps like so:

class ArticleManager(models.Manager):
    def viewable(self, user):
        return user.is_staff and self.all() or
self.filter(status=self.model.STATUS_PUBLISHED)

So now you add to your model class:

objects = ArticleManager()

And in views you simply use this method. Suppose you want a view which
shows articles published in 2009:

Article.objects.viewable(request.user).filter(pub_date__year=2009)

Et voila: it automatically filters correctly. And of course you can
apply this to generic views by writing a short wrapper which
calculates the correct queryset to pass in. And the query logic is
encapsulated where it belongs, and you don't have to shove permission
checks all over the place.


-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Re: Permissions

Reply via email to