There are a couple of models in the auth application to check user permissions in
Django. But sometimes we need to grant permissions per instance, not per
model.
Example:

from django.db import models
from django.contrib.auth.models import User

class Employee(User):
    pass

class Task(models.Model):
    summary = models.CharField(max_length=50)
    description = models.TextField()
    status = models.IntegerField(choices=TASK_STATUS)  # TASK_STATUS defined elsewhere
    # related_name keeps the two reverse accessors on Employee from clashing
    author = models.ForeignKey(Employee, related_name='authored_tasks')
    responsible = models.ForeignKey(Employee, related_name='responsible_tasks')
    attendees = models.ManyToManyField(Employee, related_name='attended_tasks')
We need the author to be able to edit summary and description, responsible
to be able to change attendees, and attendees to be able to change status.
We may want to change these rules in the future.
For now, I wrote some methods in Employee class, like this:

    def can_edit_task(self, task):
        return task.author == self
    def can_edit_status(self, task):
        # the many-to-many manager itself is not iterable; test against its queryset
        return self in task.attendees.all()
    # ...and so on

Next, we don't want 'edit' and 'change status' links to always appear on
task detail page, so we pass 'can_edit' and 'can_change_status' flags to the
template. But we never trust the browser, so in views 'task_edit' and
'task_change_status' before displaying or processing the forms we check
AGAIN if requester has such permissions:

from django.shortcuts import get_object_or_404, render_to_response

def task_edit(request, task_id):
    task = get_object_or_404(Task, pk=task_id)
    if not request.user.employee.can_edit_task(task):
        # 'return' is required here: without it the denial page is built but
        # discarded and the view goes on to process the form anyway
        return render_to_response('denied.html',
                                  {'message': 'Only author of this task can change it'})
    if request.method == 'POST':
        pass  # ...well, you know
I seem to repeat myself here twice. I can check auth-permissions in template
if it's rendered in RequestContext (so I guess checking permissions in
templates is not totally deprecated). But checking permissions for an
instance means calling the function with parameter (which is not supported
by Django templates).

What is your best practice in such situations?

-- 
regards,
Mihail

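One way to define each rule exactly once and reuse it both for the flags handed to the template and for the server-side check in the view, as an added example that is not part of the original post: Employee and Task here are plain-Python stand-ins for the models above (assumption: no ORM), and RULES, has_perm, perm_flags and require_perm are hypothetical names.

```python
from dataclasses import dataclass, field
from functools import wraps

class Employee:
    """Stand-in for the Employee model; only object identity matters here."""

@dataclass
class Task:
    author: Employee
    responsible: Employee
    attendees: list = field(default_factory=list)
    status: int = 0

# Per-instance rules keyed by the flag name the template sees;
# changing who may do what means editing this table only.
RULES = {
    "can_edit": lambda emp, task: task.author is emp,
    "can_change_attendees": lambda emp, task: task.responsible is emp,
    "can_change_status": lambda emp, task: emp in task.attendees,
}

def has_perm(employee, action, task):
    """Evaluate one rule; an unknown action is denied, never silently allowed."""
    rule = RULES.get(action)
    return bool(rule and rule(employee, task))

def perm_flags(employee, task):
    """Everything the template needs, computed from the same rules as the view."""
    return {action: has_perm(employee, action, task) for action in RULES}

def require_perm(action):
    """View decorator: the server re-checks before any form handling runs."""
    def decorator(view):
        @wraps(view)
        def wrapper(employee, task, *args, **kwargs):
            if not has_perm(employee, action, task):
                raise PermissionError(action)  # the wrapped view never runs
            return view(employee, task, *args, **kwargs)
        return wrapper
    return decorator

@require_perm("can_change_status")
def task_change_status(employee, task, new_status):
    """Only an attendee reaches this body; the status change is then applied."""
    task.status = new_status
    return task.status
```

In a real project perm_flags(...) is merged into the template context and require_perm wraps the Django view, which would receive the request and look up the employee and task itself.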
You received this message because you are subscribed to the Google Groups 
"Django users" group.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en