Comments (10)
I've started work on Bridgekeeper, which is a library that takes a lot of inspiration from django-rules but operates on querysets. It's currently very early days; I literally started working on this in an internal company project a few weeks ago, and extracted it into an OSS project last week, and I'm still fleshing out missing bits of documentation, as well as changing the docs around a lot to try to figure out the best way to communicate stuff. (I'm also changing the names of concepts to hopefully make it easier to understand, so don't expect the API to be stable until at least sometime after Christmas.)
To cover off a few things discussed in this thread:
- Rules (the Bridgekeeper equivalent of django-rules' predicates) all provide a `filter()` method (which internally uses `Q` objects), as well as a `check()` method which works a bit more like django-rules, returning a bool. `Book.objects.visible_to(user, 'books.view_book')` is something you can do in Bridgekeeper, by attaching a Bridgekeeper-supplied manager class to your models.
- You can't define arbitrary functions that depend on both the user and the object, like you can in django-rules (because of the two-different-methods restriction), but I've tried to provide enough rule classes to do most things (e.g. the `is_book_author` example would be `Attribute('author', lambda user: user)`). The methods you need to override to write custom `Rule` subclasses, if you really need to, are also part of the documented public API.
- If you have rules that only depend on the user object, you can write them as a simple function and use the `@ambient` decorator to turn them into a rule object that satisfies the `filter()`/`check()` API properly.
- There's no attempt at compatibility with django-rules itself right now. However it'd be fairly simple to convert django-rules predicates which depend only on the user object into Bridgekeeper ambient rules, and I'd certainly consider adding django-rules compatibility down the track once Bridgekeeper itself has taken shape a bit more. (I should note here that I haven't actually used django-rules ever; I came across it recently, read the README, fell in love with the API, but couldn't use it because I needed QuerySet support right off the bat.)
- There's also no attempt at providing any convenience methods for Django REST Framework (although Bridgekeeper does provide a very similar `QuerySetPermissionMixin` for regular Django CBVs that call a `.get_queryset()` method).
All in all, I think what I've built is sort of similar to what @jmbowman is suggesting in this thread, although not exactly the same. I'd be pretty keen for feedback from anyone interested in this use case (but probably at https://github.com/adambrenecki/bridgekeeper/issues or [email protected], so as not to derail this issue too much).
(PS: I hope I'm not too out of line here! I don't want to sound like I'm coming in to the issue tracker of a project that a lot of people have spent a lot of time and effort on and going "here use mine, it's better"; I'm only posting this because of the discussion in this ticket saying that this functionality belongs in a separate external library 🙂)
from django-rules.
I too was inspired by Django Rules and felt the need for filters. Before I saw this post I implemented "a django rules for filters" and it looks very similar to what @jmbowman posted above. I'm happy to report it works very nicely.
Internally at my company we've created a lib that bundles Rules and the aforementioned filters package into 1 library, along with helpers for django rest framework integration and it's been very useful.
I'd love to contribute to this project if that's what Django Rules would like to do. We really didn't want to create separate packages, as it'd require us to install 3 deps on every new project (one for permissions, one for filters and one for the rest framework bindings/companion). Having it all under 1 package has been very useful for allowing other devs to get started fast and read how it all works in 1 place.
from django-rules.
Yeah, I think this should go in a separate app and it actually wouldn't even need to depend on rules as far as I can see. If such a project did exist however, I'd be happy to collaborate and/or add any necessary hooks in rules for it to work.
On the idea itself, I don't really have anything of value to say, but I do like the idea of mapping dynamic Qs to simple strings (such as permissions) and don't consider the downsides you mention as blockers. I also think the filters needn't necessarily require a user, I believe such an API could work with any object being passed to a filter -- the only requirement would be for it to return a Q appropriate for the queryset at hand. You might also want to think about passing the queryset itself as a first argument too, as this could enable the filter to do more advanced stuff (like selecting only appropriate fields, doing subselects, etc).
from django-rules.
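The design sketched in the Bridgekeeper comment above (rules that expose both a `filter()` returning a `Q` and a per-object `check()`) and the "map dynamic Qs to simple permission strings" idea in the reply just above, as an added illustration in plain Python. This is not Bridgekeeper's, django-rules' or any poster's code: it does not use Django at all, the `Q` class is a tiny in-memory imitation of `django.db.models.Q` so the snippet runs offline, and the `User`/`Book` types, the `'books.view_book'`/`'books.change_book'` permission names and the sample data are constructed for the demo.

```python
"""Added illustration of 'one rule, two answers': filter(user) -> Q and
check(user, obj) -> bool derived from the same definition. Not Bridgekeeper
or django-rules code; Q, User, Book and the permission names are stand-ins."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False


@dataclass(frozen=True)
class Book:
    title: str
    author: User
    is_published: bool


class Q:
    """In-memory imitation of a Django Q: a boolean tree over field lookups."""
    def __init__(self, pred: Callable[[object], bool]): self._pred = pred
    @classmethod
    def eq(cls, field: str, value) -> "Q": return cls(lambda o: getattr(o, field) == value)
    @classmethod
    def always(cls, value: bool) -> "Q": return cls(lambda o: value)
    def __and__(self, other: "Q") -> "Q": return Q(lambda o: self._pred(o) and other._pred(o))
    def __or__(self, other: "Q") -> "Q": return Q(lambda o: self._pred(o) or other._pred(o))
    def __invert__(self) -> "Q": return Q(lambda o: not self._pred(o))
    def matches(self, obj) -> bool: return self._pred(obj)


class Rule:
    """Every rule answers two questions from ONE definition."""
    def filter(self, user: User) -> Q:
        raise NotImplementedError
    def check(self, user: User, obj) -> bool:
        # The per-object answer is derived from the same Q, so a list view
        # and a detail view can never disagree about what is visible.
        return self.filter(user).matches(obj)
    def __and__(self, other): return Combined(self, other, lambda a, b: a & b)
    def __or__(self, other): return Combined(self, other, lambda a, b: a | b)
    def __invert__(self): return Inverted(self)


class Attribute(Rule):
    """obj.<field> must equal a value computed from the user."""
    def __init__(self, field: str, value_fn: Callable[[User], object]):
        self.field, self.value_fn = field, value_fn
    def filter(self, user): return Q.eq(self.field, self.value_fn(user))


class Ambient(Rule):
    """Depends only on the user: all-or-nothing for the whole collection."""
    def __init__(self, fn: Callable[[User], bool]): self.fn = fn
    def filter(self, user): return Q.always(bool(self.fn(user)))


def ambient(fn): return Ambient(fn)


class Combined(Rule):
    def __init__(self, a, b, op): self.a, self.b, self.op = a, b, op
    def filter(self, user): return self.op(self.a.filter(user), self.b.filter(user))


class Inverted(Rule):
    def __init__(self, a): self.a = a
    def filter(self, user): return ~self.a.filter(user)


# Permission string -> rule: the "dynamic Qs keyed by simple strings" idea.
PERMS: Dict[str, Rule] = {}
def add_perm(name: str, rule: Rule): PERMS[name] = rule

def visible_to(objs: Iterable[Book], user: User, perm: str) -> List[Book]:
    """Collection narrowing, the analogue of Model.objects.visible_to()."""
    q = PERMS[perm].filter(user)
    return [o for o in objs if q.matches(o)]

def has_perm(user: User, perm: str, obj) -> bool:
    """Single-object check, the analogue of user.has_perm(perm, obj)."""
    return PERMS[perm].check(user, obj)


is_author = Attribute("author", lambda user: user)
is_published = Attribute("is_published", lambda user: True)
is_staff = ambient(lambda user: user.is_staff)
add_perm("books.view_book", is_staff | is_published | is_author)
add_perm("books.change_book", is_staff | (is_author & ~is_published))

# Constructed sample data for the demo.
alice, bob, root = User("alice"), User("bob"), User("root", is_staff=True)
BOOKS = [Book("Alice draft", alice, False), Book("Alice public", alice, True),
         Book("Bob draft", bob, False)]

def consistent(user: User, perm: str) -> bool:
    """The property that matters: list filter and per-object check agree."""
    via_filter = set(visible_to(BOOKS, user, perm))
    via_check = {b for b in BOOKS if has_perm(user, perm, b)}
    return via_filter == via_check
```

The security point of deriving `check()` from `filter()` (or from one shared definition) is the consistency property in `consistent()`: when list and detail authorization are written separately, the usual bug is a list endpoint that returns objects the detail check would deny, or a detail endpoint that serves an object the list hides. Composition with `&`, `|` and `~` keeps that guarantee for every combined rule, which is what makes the permission-string registry safe to expose to views.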
Ok, sounds good. I'm fleshing out a proposal for best practices in handling authorization in the assorted Open edX packages and services, and this came up as a gap in the existing packages. I'll drop the proposed API in that doc and see what we can get hashed out and implemented.
I guess it would be nice to have `rules` as an optional dependency. I like the idea of reusing existing predicates which only depend on the user object, but you could certainly build a permission to Q object mapping without using them. May not need any specific changes in the `rules` codebase to accommodate that, but I'll have to see how the implementation pans out.
from django-rules.
Has anyone found or developed a solution to securing / filtering querysets with rules? Or if not, can anyone suggest how to best accomplish this?
from django-rules.
Here's the proposal for a rules-based QuerySet filtering package that I mentioned above. I haven't actually needed to implement it yet, though.
from django-rules.
@Place1 can you share your code? We are working on the exact same thing... Maybe as a gist for now so we can try it out internally...
from django-rules.
@codebreach I'd be very happy to. I'll see what I can do.
from django-rules.
@Place1 any updates on your progress? I would be interested to see how it works :)
from django-rules.
@codebreach @Place1 I'm thinking of doing that, any gist just to get a feel of how complicated it is?
from django-rules.