There are a couple of models in the auth application to check user permissions in Django. But sometimes we need to grant permissions per instance, not per model. Example:

    from django.contrib.auth.models import User
    from django.db import models

    class Employee(User):
        pass

    class Task(models.Model):
        summary = models.CharField(max_length=50)
        description = models.TextField()
        status = models.IntegerField(choices=TASK_STATUS)  # TASK_STATUS is not shown in the post
        # Three relations to Employee need distinct related_name values,
        # otherwise their reverse accessors clash.
        author = models.ForeignKey(Employee, related_name='authored_tasks')
        responsible = models.ForeignKey(Employee, related_name='responsible_tasks')
        attendees = models.ManyToManyField(Employee, related_name='attended_tasks')

We need the author to be able to edit summary and description, responsible to be able to change attendees, and attendees to be able to change status. We may want to change these rules in the future. For now, I wrote some methods in the Employee class, like this:

    # methods of Employee
    def can_edit_task(self, task):
        return task.author == self

    def can_edit_status(self, task):
        # attendees is a related manager, so test membership against its queryset
        return self in task.attendees.all()

...and so on

Next, we don't want 'edit' and 'change status' links to always appear on the task detail page, so we pass 'can_edit' and 'can_change_status' flags to the template. But we never trust the browser, so in the views 'task_edit' and 'task_change_status', before displaying or processing the forms, we check AGAIN if the requester has such permissions:

    from django.shortcuts import get_object_or_404, render_to_response

    def task_edit(request, task_id):
        task = get_object_or_404(Task, pk=task_id)
        if not request.user.employee.can_edit_task(task):
            # return the response, and pass the message as a context dict
            return render_to_response('denied.html',
                {'message': 'Only author of this task can change it'})
        if request.method == 'POST':
            pass  # ...well, you know

I seem to repeat myself here twice. I can check auth-permissions in the template if it's rendered in RequestContext (so I guess checking permissions in templates is not totally deprecated). But checking permissions for an instance means calling the function with a parameter (which is not supported by Django templates). What is your best practice in such situations?

--
regards, Mihail
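One way to keep the per-instance rules in a single place, so that the flags passed to the template and the check repeated in the view cannot drift apart. This is an added example, not part of the original post; `TASK_RULES`, `can`, `task_flags`, `require_task_permission` and the plain-Python stand-ins for `Employee`, `Task` and the request are assumptions made so it runs without Django.

```python
from functools import wraps
from types import SimpleNamespace

# Action name -> rule(employee, task), mirroring the rules stated in the post.
# Hypothetical table; with Django models the last rule would test task.attendees.all().
TASK_RULES = {
    "edit": lambda emp, task: task.author == emp,
    "change_attendees": lambda emp, task: task.responsible == emp,
    "change_status": lambda emp, task: emp in task.attendees,
}

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (HTTP 403)."""

def can(employee, action, task):
    """Default deny: unknown actions and missing users are refused."""
    rule = TASK_RULES.get(action)
    return bool(rule and employee is not None and rule(employee, task))

def task_flags(employee, task):
    """Template context flags such as can_edit, built from the same rules."""
    return {"can_" + action: can(employee, action, task) for action in TASK_RULES}

def require_task_permission(action, load_task):
    """View decorator: load the task, enforce the rule server-side, call the view."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, task_id, *args, **kwargs):
            task = load_task(task_id)  # in Django: get_object_or_404(Task, pk=task_id)
            if not can(request.user, action, task):
                raise PermissionDenied(action)
            return view(request, task, *args, **kwargs)
        return wrapper
    return decorator

# Constructed sample data: strings stand in for Employee instances.
TASKS = {1: SimpleNamespace(author="alice", responsible="bob", attendees={"carol"})}

def fake_request(user):
    return SimpleNamespace(user=user)

@require_task_permission("edit", TASKS.__getitem__)
def task_edit(request, task):
    return "editing task authored by " + task.author
```

The detail view would merge `task_flags(...)` into its template context to decide which links to show, while every modifying view carries the decorator, so hiding a link is never the only control.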