What does "does not offer any feature to get secure querysets." mean?

6 views
Skip to first unread message

Albert hpal

unread,
Apr 1, 2020, 8:13:01 PM4/1/20
to yourlabs

This means that the developper has to:

  • think about security when making queryset
There is a part in the docs that talks about the catch when using rules-light. I have failed to understand it. Can someone kindly elaborate on what secure querysets mean, and further highlight what are the cons of using django-rules instead

J. Pic

unread,
Apr 2, 2020, 7:05:59 AM4/2/20
to yourlabs
It means that it only checks per object permission.

You can see a recent proposal I made on Django forum that's related to that topic:


I don't use django-rules-light anymore, I prefer to implement an AuthBackend as described in the above post.

For securing querysets (filtering out results that a user can't see), I do that at the controller level (the Router class that sits in-between a model and its set of views) in CRUDLFA+.

Good luck
Reply all
Reply to author
Forward
0 new messages