FieldLevelPermissionsAdmin

Have you ever needed to customize permissions, for example, allow only some fields for editing by some group of users, display some fields as read-only, and some to hide completely?
FieldLevelPermissionsAdmin class does this for newforms-admin branch.
Not tested well yet (>100 LOC!).

You typically would like to use it this way:

from django.db.models import Q  # needed by queryset() below

class MyObjectAdmin(FieldLevelPermissionsAdmin):

    def can_view_field(self, request, object, field_name):
        """
        Boolean method, returning True if user allowed to view
        field with name field_name.
        user is stored in the request object,
        object is None only if object does not exist yet
        """
        ...  # your code

    def can_change_field(self, request, object, field_name):
        """
        Boolean method, returning True if user allowed to
        change field with name field_name.
        user is stored in the request object,
        object is None only if object does not exist yet
        """
        ...  # your code

    def queryset(self, request):
        """ 
        Method of ModelAdmin, override it if you want to change
        list of objects visible by the current user.
        """
        mgr = self.model._default_manager
        if request.user.is_superuser:
            return mgr.all()
        filters = Q(creator=request.user)|Q(owner=request.user)
        return mgr.filter(filters)

file_2829.py (8.6 KB)

Answers (8):

Answer from mikeamy: 09.10.2008

BTW the variables are _action, _object and _request.

Really, the formfield_for_dbfield and a bunch of other methods should pass the request around. But that would take a refactoring of the django admin.

Answer from mikeamy: 09.10.2008

Is there a potential race condition with this?

The code is setting temporary properties on the admin instance. Say some ordinary user logs in and wants to view an admin page. The code sets the temporary variables on their FieldLevelPermissionsAdmin so that, for example, they can't change anything.

Simultaneously, a superuser views the page. The code sets their temporary variables on the same FieldLevelPermissionsAdmin, so that they can see and change everything. This happens before the code for the first user gets to choose formfields.

So what happens is that both users will get superuser access - i.e. both get to see and change all the fields.

It wouldn't happen often, but that just makes it harder to debug.

Or did I miss something?
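
The interleaving described in the comment above, reproduced as an added example (not part of the original snippet or of any commenter's post), with the shared-instance pattern beside a thread-local mitigation. `Request`, `SharedStateAdmin`, `ThreadLocalAdmin`, `run_interleaved`, the policy in `can_change_field` and the field names are hypothetical stand-ins, and no Django is required to run it.

```python
import threading

FIELDS = ["title", "owner", "is_published"]  # constructed sample field names

class Request:  # hypothetical stand-in for the HTTP request object
    def __init__(self, username, is_superuser):
        self.username, self.is_superuser = username, is_superuser

def can_change_field(request, field_name):
    # Hypothetical policy: ordinary users may edit only "title".
    return request.is_superuser or field_name == "title"

class SharedStateAdmin:
    """Pattern from the comment: request kept on the one shared admin instance."""
    def begin(self, request):
        self._request = request
    def editable_fields(self):
        return [f for f in FIELDS if can_change_field(self._request, f)]

class ThreadLocalAdmin:
    """Mitigation: per-thread storage, so concurrent requests cannot overwrite each other."""
    def __init__(self):
        self._local = threading.local()
    def begin(self, request):
        self._local.request = request
    def editable_fields(self):
        return [f for f in FIELDS if can_change_field(self._local.request, f)]

def run_interleaved(admin):
    """Force the ordering from the comment: user begins, superuser begins, user builds form."""
    user_started, admin_started = threading.Event(), threading.Event()
    result = {}
    def ordinary():
        admin.begin(Request("alice", False))
        user_started.set()
        admin_started.wait()          # superuser's request arrives in between
        result["alice"] = admin.editable_fields()
    def superuser():
        user_started.wait()
        admin.begin(Request("root", True))
        admin_started.set()
        result["root"] = admin.editable_fields()
    threads = [threading.Thread(target=t) for t in (ordinary, superuser)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return result
```

With the shared instance the ordinary user's form is built from the superuser's request; passing the request explicitly into each method removes the shared state altogether.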

Answer from buriy: 05.10.2008

Ehmmm... snippet was truncated.... fixed.

Can't tell if it's working now as I don't use this code anymore. It was from last version, 1.0b2-compatible

Answer from tomz: 27.09.2008

I am unable to get this running on Django 1.0.

'MyAdmin' object has no attribute '_request'

Answer from dimus: 05.05.2008

Is there any solution to make the same field behavior on default Django-admin (not newforms-admin)?

Answer from buriy: 28.09.2007

Fixed to be compatible with trunk

Answer from buriy: 12.09.2007

Oops, actually, you are right, and I meant that really. Changed.

Answer from archatas: 12.09.2007

Actually, what you have implemented is field-level permission management. Row-level permissions deal with specific records in the database, but not with the fields of all records.