Comments (8)
You probably forgot to subclass ObjectPermissionsModelAdmin: https://github.com/dfunckt/django-rules#rules-and-permissions-in-the-admin
from django-rules.
Unfortunately, that's not it.
from django-rules.
Hmm, have you configured AUTHENTICATION_BACKENDS as per https://github.com/dfunckt/django-rules#checking-for-permission? Also, is your PersonModelAdmin subclassing several classes besides ObjectPermissionsModelAdmin by any chance?
from django-rules.
Oh wait, I just realised you're trying to access the created instance when adding an instance via the admin. This won't work, and is expected -- the Person instance hasn't even been created at the time Django asks for permission -- i.e. myapp.add_person.
from django-rules.
Apparently you're confusing the semantics of the add permission, probably interpreting it as "is this user allowed to save this Person instance?", while it's actually more like "is this user allowed to add a Person instance?".
See here: https://github.com/django/django/blob/master/django/contrib/admin/options.py#L433-L440
from django-rules.
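The difference between the add and change checks described in the comments above, as an added stand-alone example (a plain-Python model, not Django or django-rules code and not code from this thread). The `User` and `Person` classes, the `PERMS` table and the `admin_add`/`admin_change` helpers are hypothetical stand-ins, and checking the submitted section inside `admin_add` is one assumed way to enforce the constraint that the add permission cannot see.

```python
from dataclasses import dataclass

@dataclass
class User:
    section: str
    is_superuser: bool = False

@dataclass
class Person:
    name: str
    section: str

def in_same_section(user, obj=None):
    # For "add" there is no instance yet, so obj is None: deny rather than
    # dereference it. An object-level rule cannot vouch for a row it never saw.
    return obj is not None and obj.section == user.section

def may_add(user, obj=None):
    # Model-level question: "may this user add a Person at all?"
    return user.is_superuser or bool(user.section)

def may_change(user, obj=None):
    return user.is_superuser or in_same_section(user, obj)

# Hypothetical permission table, keyed like Django's "<app>.<action>_<model>".
PERMS = {"myapp.add_person": may_add, "myapp.change_person": may_change}

def has_perm(user, perm, obj=None):
    return PERMS[perm](user, obj)

def admin_add(user, submitted):
    """Models the add view: permission is asked first, with no object."""
    if not has_perm(user, "myapp.add_person"):
        return "403"
    # The permission check never saw `submitted`, so the section constraint
    # has to be enforced on the submitted data itself.
    if not user.is_superuser and submitted.section != user.section:
        return "rejected: wrong section"
    return "saved"

def admin_change(user, obj):
    """Models the change view: the existing row is passed to the check."""
    return "saved" if has_perm(user, "myapp.change_person", obj) else "403"

if __name__ == "__main__":
    alice = User(section="A")  # constructed sample user
    print(admin_add(alice, Person("Bob", "A")))     # same section
    print(admin_add(alice, Person("Eve", "B")))     # other section
    print(admin_change(alice, Person("Eve", "B")))  # object-level denial
```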
Thank you for the detailed replies. Yep, I configured AUTHENTICATION_BACKENDS per that guide. It seems like I've misunderstood how this library works regarding the Admin page. Is it correct that there's no easy way to restrict admin permissions based on simple rules?
I was able to get a 90% solution by editing classes in admin.py to look like this: (Users who have model-level permission could access rows outside their section by entering a specific URL, but this at least hides things)
from django.contrib import admin
from django.contrib.admin import ModelAdmin

from .models import Person, Squadron  # assumed location of the models


@admin.register(Person)
class PersonAdmin(ModelAdmin):
    # Normal admin.py boilerplate goes here

    def get_queryset(self, request):
        """Only show people in the user's section."""
        qs = super(PersonAdmin, self).get_queryset(request)
        if request.user.is_superuser:
            return qs.all()
        else:
            return qs.filter(squadron=request.user.person.section)

    def render_change_form(self, request, context, *args, **kwargs):
        """Only allow the user's section when adding/changing a person."""
        if not request.user.is_superuser:
            context['adminform'].form.fields['section'].queryset = Squadron.objects.filter(
                number=request.user.person.squadron.number)
        # Unpack args/kwargs so they reach the parent method as originally passed.
        return super(PersonAdmin, self).render_change_form(request, context, *args, **kwargs)
from django-rules.
> It seems like I've misunderstood how this library works regarding the Admin page. Is it correct that there's no easy way to restrict admin permissions based on simple rules?
No, this is not correct, you can restrict permissions based on rules -- that's what django-rules is all about. You have misunderstood how Django permissions work. Please take another look at this project's README and the relevant section in Django docs about authorisation.
Closing -- please reopen if there are rules-related questions I may answer.
from django-rules.
Hey, I am sorry to bring up this old issue, but I didn't want to open a new one just to ask a question. But I am kinda confused about this too. Is it possible to limit the list results in the admin list display just by using rules?
please let me know @dfunckt
from django-rules.