View Permissions -- DJANGO
118 views
Skip to first unread message
Tameen Malik
Apr 18, 2014, 1:20:50 AM4/18/14
to django...@googlegroups.com
An old Query / I know that but need assistance! so dear django users see what i want to ask and what i did:
Story:
As django admin has three permissions in it's auth : add, change, delete! I want to add view permission in this auth in admin panel.I know i have to customize permissions to add view permission in 'auth|permission|can view permission' to view all entries! but how ! for this i followed several patches uploaded by django project. one is 8 years old (https://code.djangoproject.com/ticket/820) and this one https://code.djangoproject.com/ticket/8936 is for databrowse functionality which i really don't need!.. finally i find this one see below:
NEEDED PATCH:
[X] 1. Added 'view' to default permission list
#./contrib/auth/management/init.py
def _get_all_permissions(opts):
"Returns (codename, name) for all permissions in the given opts."
perms = []
for action in ('add', 'change', 'delete', 'view'):
perms.append((_get_permission_codename(action, opts), u'Can %s %s' % (action, opts.verbose_name_raw)))
return perms + list(opts.permissions)
[X] 2. Test the 'view' permission is added to all models
run manage.py syncdb
I confirmed that view permission is now added for all tables in the auth_permissions table
[X] 3. Add "get\_view_permission" to default model class.
Added get\_view_permission to the model class. You can find this in the file ./db/models/options.py This is used by the admin class in the next step.
def get_view_permission(self):
return 'view_%s' % self.object_name.lower()
[X] 4. Add "has\_view_permission" to default admin class
Just to be consistent I'm going to add "has\_view_permission" to the system. Looks like it should be somewhere in *contrib/admin/options.py*. Made sure if the user has has change permission, then view permissions are automatically implied.
# /contrib/admin/options.py
# Added has_view_permissions
def has_view_permission(self, request, obj=None):
"""
Returns True if the given request has permission to change or view
the given Django model instance.
If obj is None, this should return True if the given request has
permission to change *any* object of the given type.
"""
opts = self.opts
return self.has_change_permission(request, obj) or \
request.user.has_perm(opts.app_label + '.' + opts.get_view_permission())
# modified get_model_perms to include 'view' too.
# No idea where this may be used, but trying to stay consistent
def get_model_perms(self, request):
"""
Returns a dict of all perms for this model. This dict has the keys
add, change, and delete and view mapping to the True/False
for each of those actions.
"""
return {
'add': self.has_add_permission(request),
'change': self.has_change_permission(request),
'delete': self.has_delete_permission(request),
'view': self.has_view_permission(request),
}
# modified response_add function to return the user to the mode list
# if they added a unit and have view rights
...
else:
self.message_user(request, msg)
# Figure out where to redirect. If the user has change permission,
# redirect to the change-list page for this object. Otherwise,
# redirect to the admin index.
#if self.has_change_permission(request, None):
if self.has_change_permission(request, None) or self.has_view_permission(request, None):
post_url = '../'
else:
post_url = '../../../'
return HttpResponseRedirect(post_url)
# modified the change_view function so it becomes the details
# for users with view permission
#if not self.has_change_permission(request, obj):
if not (self.has_change_permission(request, obj) or (self.has_view_permission(request, obj) and not request.POST)):
raise PermissionDenied
# modified the changelist_view function so it shows the list of items
# if you have view permissions
def changelist_view(self, request, extra_context=None):
"The 'change list' admin view for this model."
from django.contrib.admin.views.main import ChangeList, ERROR_FLAG
opts = self.model._meta
app_label = opts.app_label
#if not self.has_change_permission(request, None):
if not (self.has_change_permission(request, None) or self.has_view_permission(request, None)):
raise PermissionDenied
[X] 5. Update default template to list models if user has view permission
I modified the default template in contrib/admin/templates/admin/
Story:
As django admin has three permissions in it's auth : add, change, delete! I want to add view permission in this auth in admin panel.I know i have to customize permissions to add view permission in 'auth|permission|can view permission' to view all entries! but how ! for this i followed several patches uploaded by django project. one is 8 years old (https://code.djangoproject.com/ticket/820) and this one https://code.djangoproject.com/ticket/8936 is for databrowse functionality which i really don't need!.. finally i find this one see below:
NEEDED PATCH:
[X] 1. Added 'view' to default permission list
#./contrib/auth/management/init.py
def _get_all_permissions(opts):
"Returns (codename, name) for all permissions in the given opts."
perms = []
for action in ('add', 'change', 'delete', 'view'):
perms.append((_get_permission_codename(action, opts), u'Can %s %s' % (action, opts.verbose_name_raw)))
return perms + list(opts.permissions)
[X] 2. Test the 'view' permission is added to all models
run manage.py syncdb
I confirmed that view permission is now added for all tables in the auth_permissions table
[X] 3. Add "get\_view_permission" to default model class.
Added get\_view_permission to the model class. You can find this in the file ./db/models/options.py This is used by the admin class in the next step.
def get_view_permission(self):
return 'view_%s' % self.object_name.lower()
[X] 4. Add "has\_view_permission" to default admin class
Just to be consistent I'm going to add "has\_view_permission" to the system. Looks like it should be somewhere in *contrib/admin/options.py*. Made sure if the user has has change permission, then view permissions are automatically implied.
# /contrib/admin/options.py
# Added has_view_permissions
def has_view_permission(self, request, obj=None):
"""
Returns True if the given request has permission to change or view
the given Django model instance.
If obj is None, this should return True if the given request has
permission to change *any* object of the given type.
"""
opts = self.opts
return self.has_change_permission(request, obj) or \
request.user.has_perm(opts.app_label + '.' + opts.get_view_permission())
# modified get_model_perms to include 'view' too.
# No idea where this may be used, but trying to stay consistent
def get_model_perms(self, request):
"""
Returns a dict of all perms for this model. This dict has the keys
add, change, and delete and view mapping to the True/False
for each of those actions.
"""
return {
'add': self.has_add_permission(request),
'change': self.has_change_permission(request),
'delete': self.has_delete_permission(request),
'view': self.has_view_permission(request),
}
# modified response_add function to return the user to the mode list
# if they added a unit and have view rights
...
else:
self.message_user(request, msg)
# Figure out where to redirect. If the user has change permission,
# redirect to the change-list page for this object. Otherwise,
# redirect to the admin index.
#if self.has_change_permission(request, None):
if self.has_change_permission(request, None) or self.has_view_permission(request, None):
post_url = '../'
else:
post_url = '../../../'
return HttpResponseRedirect(post_url)
# modified the change_view function so it becomes the details
# for users with view permission
#if not self.has_change_permission(request, obj):
if not (self.has_change_permission(request, obj) or (self.has_view_permission(request, obj) and not request.POST)):
raise PermissionDenied
# modified the changelist_view function so it shows the list of items
# if you have view permissions
def changelist_view(self, request, extra_context=None):
"The 'change list' admin view for this model."
from django.contrib.admin.views.main import ChangeList, ERROR_FLAG
opts = self.model._meta
app_label = opts.app_label
#if not self.has_change_permission(request, None):
if not (self.has_change_permission(request, None) or self.has_view_permission(request, None)):
raise PermissionDenied
[X] 5. Update default template to list models if user has view permission
I modified the default template in contrib/admin/templates/admin/
index.html.
This could also be handled by copying the file to the local templates
directory instead. I made changes in both so I have a copy if a later
upgrade overwrites my changes.
{% for model in app.models %}
<tr>
{% if model.perms.change %}
<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
{% else %}
{% if model.perms.view %}
<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
{% else %}
<th scope="row">{{ model.name }}</th>
{% endif %}
{% endif %}
[X] 6. Confirm user can "view" but not "change" the model
Found contrib/admin/templatetags/admin_modify.py appears to control save / save and continue buttons appearing or not. Changed "save" field from default of always True, to check for context and permissions. User should be able to save if they have change or add permissions.
'show_save': (change and contexthas_change_permission?) or (contextadd? and contexthas_add_permission?)
[X] 7. Remove "Save and Add another" button if user is viewing an item
Modified contrib/admin/templatetags/admin_modify.py again. I don't know what 'save_as' means so maybe I broke something, but it seems to work.
#'show_save_and_add_another': contexthas_add_permission? and
# not is_popup and (not save_as or contextadd?) ,
'show_save_and_add_another': not is_popup and
(( change and contexthas_change_permission?) or (contextadd? and contexthas_add_permission?))
and
(not save_as or contextadd?),
[X] 8. Modify "view" permission to make form read only
If the user has "view" permission and "change" permission, then do nothing. Change overrides view.
If the user has "view" permission without "change" then change the default forms and add DISABLED or READONLY attributes to the form elements. Not all browsers support this, but for my purposes I can require that users use the right one. [Disabled / Readonly example][1]
Found that not all browsers honor "readonly" so it sets some controls to readonly, others to disabled. This allows users to copy data from the text controls if needed.
#/django/contrib/admin/templates/admin/change_form.html
{# JavaScript for prepopulated fields #}
{% prepopulated_fields_js %}
</div>
</form></div>
{% if has_view_permission and not has_change_permission %}
<script type="text/javascript">
jQuery('input:text').attr('readonly', 'readonly');
jQuery('textarea').attr('readonly', 'readonly');
jQuery('input:checkbox').attr('disabled', true);
jQuery('select').attr('disabled', true);
jQuery('.add-another').hide();
</script>
{% endif %}
PATCH SOURCE : http://stackoverflow.com/questions/1336382/how-can-i-modify-django-to-create-view-permission/1348076#1348076
Question:
After following above answer i have done and can see this 127.0.0.1:8000/en-us/admin/ page as read-only but the users in users is not visible 127.0.0.1:8000/en-us/admin/user and auth/users page is not linked with /auth url! strange but it is! . Need help!
{% for model in app.models %}
<tr>
{% if model.perms.change %}
<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
{% else %}
{% if model.perms.view %}
<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
{% else %}
<th scope="row">{{ model.name }}</th>
{% endif %}
{% endif %}
[X] 6. Confirm user can "view" but not "change" the model
Found contrib/admin/templatetags/admin_modify.py appears to control save / save and continue buttons appearing or not. Changed "save" field from default of always True, to check for context and permissions. User should be able to save if they have change or add permissions.
'show_save': (change and contexthas_change_permission?) or (contextadd? and contexthas_add_permission?)
[X] 7. Remove "Save and Add another" button if user is viewing an item
Modified contrib/admin/templatetags/admin_modify.py again. I don't know what 'save_as' means so maybe I broke something, but it seems to work.
#'show_save_and_add_another': contexthas_add_permission? and
# not is_popup and (not save_as or contextadd?) ,
'show_save_and_add_another': not is_popup and
(( change and contexthas_change_permission?) or (contextadd? and contexthas_add_permission?))
and
(not save_as or contextadd?),
[X] 8. Modify "view" permission to make form read only
If the user has "view" permission and "change" permission, then do nothing. Change overrides view.
If the user has "view" permission without "change" then change the default forms and add DISABLED or READONLY attributes to the form elements. Not all browsers support this, but for my purposes I can require that users use the right one. [Disabled / Readonly example][1]
Found that not all browsers honor "readonly" so it sets some controls to readonly, others to disabled. This allows users to copy data from the text controls if needed.
#/django/contrib/admin/templates/admin/change_form.html
{# JavaScript for prepopulated fields #}
{% prepopulated_fields_js %}
</div>
</form></div>
{% if has_view_permission and not has_change_permission %}
<script type="text/javascript">
jQuery('input:text').attr('readonly', 'readonly');
jQuery('textarea').attr('readonly', 'readonly');
jQuery('input:checkbox').attr('disabled', true);
jQuery('select').attr('disabled', true);
jQuery('.add-another').hide();
</script>
{% endif %}
PATCH SOURCE : http://stackoverflow.com/questions/1336382/how-can-i-modify-django-to-create-view-permission/1348076#1348076
Question:
After following above answer i have done and can see this 127.0.0.1:8000/en-us/admin/ page as read-only but the users in users is not visible 127.0.0.1:8000/en-us/admin/user and auth/users page is not linked with /auth url! strange but it is! . Need help!
Reply all
Reply to author
Forward
0 new messages