What does "does not offer any feature to get secure querysets." mean?

Albert hpal

Apr 1, 2020, 8:13:01 PM
to yourlabs

This means that the developer has to:

  • think about security when making queryset
There is a part in the docs that talks about the catch when using rules-light. I have failed to understand it. Can someone kindly elaborate on what secure querysets mean, and further highlight what are the cons of using django-rules instead?

J. Pic

Apr 2, 2020, 7:05:59 AM
to yourlabs
It means that it only checks per object permission.

You can see a recent proposal I made on the Django forum that's related to that topic:


I don't use django-rules-light anymore, I prefer to implement an AuthBackend as described in the above post.

For securing querysets (filtering out results that a user can't see), I do that at the controller level (the Router class that sits in-between a model and its set of views) in CRUDLFA+.

Good luck
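The difference between a per-object permission check and a secured queryset, as an added example that is not part of the thread, of django-rules-light or of CRUDLFA+. It uses the standard-library `sqlite3` module in place of the Django ORM; the `document` table, the function names and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data: (id, owner, title). All names here are hypothetical.
ROWS = [(1, "alice", "alice draft"), (2, "bob", "bob invoice"), (3, "alice", "alice notes")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE document (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    db.executemany("INSERT INTO document VALUES (?, ?, ?)", ROWS)
    return db


def can_read(user, doc):
    """Per-object rule: the only kind of check a per-object permission layer runs."""
    return user["is_staff"] or doc["owner"] == user["name"]


def detail_view(db, user, doc_id):
    """Detail view: one object is loaded, then the per-object rule is applied to it."""
    row = db.execute(
        "SELECT id, owner, title FROM document WHERE id = ?", (doc_id,)
    ).fetchone()
    if row is None:
        return None
    doc = dict(zip(("id", "owner", "title"), row))
    if not can_read(user, doc):
        raise PermissionError("forbidden")
    return doc


def list_view_unscoped(db, user):
    """List view that relies on the per-object layer alone: no rule ever runs,
    so every row is returned regardless of who is asking."""
    return [r[0] for r in db.execute("SELECT id FROM document ORDER BY id")]


def list_view_scoped(db, user):
    """List view with the same rule restated as a query filter (the secured queryset)."""
    if user["is_staff"]:
        return [r[0] for r in db.execute("SELECT id FROM document ORDER BY id")]
    cur = db.execute("SELECT id FROM document WHERE owner = ? ORDER BY id", (user["name"],))
    return [r[0] for r in cur]
```

The rule now exists twice, once as a Python predicate and once as a `WHERE` clause, and the two have to be kept in agreement by hand, which is the work the quoted docs sentence leaves to the developer.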