Lack of View permission in Django

Ankit Agrawal

Oct 18, 2015, 2:03:31 PM
to Django users
I have an active Django project where the admin panel is used by the customer support team. I have two questions -

1. Django lacks a `view` permission because of which I have to assign the change permission to the customer support team which is slightly dangerous. I have some models for which the customer support team needs just the view access and not the change access because of security issues. Any workaround to this?

2. Although the admin panel can be used as a CRM, are there any popular CRM Django apps that can be used instead of the admin panel?

Mike Dewhirst

Oct 18, 2015, 8:19:43 PM
to django...@googlegroups.com
On 19/10/2015 5:03 AM, Ankit Agrawal wrote:
> I have an active Django project where the admin panel is used by the
> customer support team. I have two questions -
>
> 1. Django lacks a `view` permission because of which I have to assign
> the change permission to the customer support team which is slightly
> dangerous. I have some models for which the customer support team needs
> just the view access and not the change access because of security
> issues. Any workaround to this?

Yes. You need to make the sensitive fields - or all fields - readonly in
the admin depending on some property of the user. In my case "open data"
is read-only for all users except for members of the company which owns
the data, i.e., the user (or user_profile) with full access has a foreign
key to the company concerned. But the result of any callable will do.

def open_data(self, request, obj=None):
    """Return the regular readonly fields or all fields as readonly if
    the user is not a member of the company which owns the substance.

    https://docs.djangoproject.com/en/1.7/ref/contrib/admin/#django.contrib.admin.ModelAdmin.get_readonly_fields
    self is the admin.StackedInline instance
    obj is the admin.ModelAdmin instance
    """
    # get_user_company() is a helper from the poster's project (not shown)
    if not obj:
        # some fields are readonly under all circumstances
        return self.readonly_fields
    else:
        if obj.company == get_user_company(request.user):
            return self.readonly_fields
        else:
            return self.model._meta.get_all_field_names()


So in admin.py ...

1. Nominate the permanently readonly fields as per the Admin docs

2. After readonly_fields make get_readonly_fields = open_data

>
> 2. Although the admin panel can be used as a CRM, are there any popular
> CRM Django apps that can be used instead of the admin panel?
>
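
Added example (not part of the thread or of Django itself): a ModelAdmin mixin that applies the read-only-fields approach from the reply above to a whole group of users and also denies add, delete and bulk actions for them, since read-only form fields only cover the change form. The group name "support" and the names is_view_only and ViewOnlyAdminMixin are assumptions made for illustration.

```python
# Added example: the mixin needs no Django import; list it before
# admin.ModelAdmin in the bases so these overrides run first.
SUPPORT_GROUP = "support"  # assumed group name for support staff


def is_view_only(user):
    """True for non-superusers who belong to the support group."""
    if user.is_superuser:
        return False
    return user.groups.filter(name=SUPPORT_GROUP).exists()


class ViewOnlyAdminMixin:
    def get_readonly_fields(self, request, obj=None):
        declared = list(super().get_readonly_fields(request, obj))
        if not is_view_only(request.user):
            return declared
        opts = self.model._meta
        # Concrete and many-to-many fields, then any extra declared names.
        names = [f.name for f in list(opts.fields) + list(opts.many_to_many)]
        return names + [n for n in declared if n not in names]

    def has_add_permission(self, request):
        if is_view_only(request.user):
            return False
        return super().has_add_permission(request)

    def has_delete_permission(self, request, obj=None):
        if is_view_only(request.user):
            return False
        return super().has_delete_permission(request, obj)

    def get_actions(self, request):
        # Bulk actions run from the changelist, not the change form,
        # so read-only form fields do not restrict them.
        if is_view_only(request.user):
            return {}
        return super().get_actions(request)
```

In admin.py a class would list the mixin first, for example (ViewOnlyAdminMixin, admin.ModelAdmin), and support users keep the change permission only so that they can open the pages.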
