Why doesn't Django have permission to view?

Question

Why doesn't Django have permission to view?

I have an active Django project where the admin panel is used by the customer support team. There is no permission in Django viewdue to which I have to assign change permission to the customer support team, which is a little dangerous. I have some models for which the customer support team only needs access to the view, and not access to changes due to security issues. Why is there no permission in Django view? Any workaround for this?

+4

python django django-models django-admin django-views

anon Oct 19 '15 at 3:43

source share

2 answers

pista329 · Answer 1 · 2015-10-19T13:55:53+0000

Here is a workaround.

Models

, mixin:

class ViewPermissionsMixin(models.Model):
    """
        Mixin adds view permission to model.
    """
    class Meta:
        abstract=True
        default_permissions = ('add', 'change', 'delete', 'view')

:

class ExampleModel(ViewPermissionsMixin):
    name = models.CharField(max_length=255)

    class Meta(ViewPermissionsMixin.Meta):
        abstract = False

, /. .

:

class AdminViewMixin(admin.ModelAdmin):

    def has_perm(self,user,permission):
        """
            Usefull shortcut for `user.has_perm()`
        """
        if user.has_perm("%s.%s_%s" % (self.model._meta.app_label,permission,self.model.__name__.lower(),)):
            return True
        return False

    def has_module_permission(self, request): # Django 1.8
        pass

    def has_change_permission(self, request, obj=None):
        """
            Necessary permission check to let Django show change_form for `view` permissions
        """
        if request.user.is_superuser:
            return True
        elif self.has_perm(request.user,'change'):
            return True
        elif self.has_perm(request.user,'view'):
            return True
        return super(AdminMixin, self).has_change_permission(request, obj)

    def get_readonly_fields(self, request, obj=None):
        """
            Turn each model field into read-only for `viewers`
        """
        all_model_fields = []
        for field in self.model._meta.fields:
            # TODO in Django 1.8 use ModelAdmin.get_fields()
            if not field.auto_created \
                and (not hasattr(field,'auto_now_add') or not field.auto_now_add) \
                and (not hasattr(field,'auto_now') or not field.auto_now) \
                :
                all_model_fields.append(field.name)
        if request.user.is_superuser:
            return self.readonly_fields
        elif self.has_perm(request.user,'change'):
            return self.readonly_fields
        elif self.has_perm(request.user,'view'):
            return all_model_fields
        return self.readonly_fields

    def change_view(self, request, object_id, extra_context=None):
        """
            Disable buttons for `viewers` in `change_view`
        """
        if request.user.is_superuser:
            pass
        elif self.has_perm(request.user,'change'):
            pass
        elif self.has_perm(request.user,'view'):
            extra_context = extra_context or {}
            extra_context['hide_save_buttons'] = True
        return super(AdminViewMixin, self).change_view(request, object_id, extra_context=extra_context)

admin:

@admin.register(models.ExampleModel)
class ExampleAdmin(AdminViewMixin):
    list_display = ('name',)
    pass

, view Django Admin.

JimmyYe · Answer 2 · 2015-10-19T04:30:08+0000

, :

1. "view", . fooobar.com/questions/167072/...

2. "":

class FooAdmin(ModelAdmin):
    def has_change_permission(self, request, obj=None):
        # user can view the change list
        if not obj and request.user.has_perm('myapp.view_foo'):
            return True
        # user can view the change form and change the obj
        return request.user.has_perm('myapp.change_foo')

Why doesn't Django have permission to view?

More articles: