Django per-object permissions

https://stackoverflow.com/questions/7277853

18-01-2021
|

题

I have users that each are associated with a list of real estate properties they are allowed to access. Multiple users may have permission to view the same site.

How would I set this up in django?

I have the:

class UserProfile(models.Model):
    user = models.OneToOneField(User)
    last_session_time_online = models.IntegerField()
    total_time_online = models.IntegerField()
    def __unicode__(self):
        return self.user

and the

class Site(models.Model):
    site_name = models.CharField(max_length = 512)
    ...Other stuff...
    def __unicode__(self):
        return self.user

解决方案

This is basic many-to-many stuff:

 class Site(models.Model):
     site_name = models.CharField(max_length = 512)
     allowed_users = models.ManyToManyField(User)

 ...

 sam = User.objects.get(username = 'sam')
 frodo = User.objects.get(username = 'frodo')

 hobbithole = Site.objects.get(site_name = 'The Hobbit Hole')
 hobbithole.allowed_users.add(sam, frodo)

 frodo.site_set.all() # Should return "The Hobbit Hole" object, and any other place frodo's allowed to visit.

 somesite.allowed_users.exists(user = frodo) # returns True if frodo is in the site's set of allowed users.

If you don't want to clutter Site, you can also create an intermediate "through" table. That creates a layer of indirection, but allows you to add things to the through table like degrees of permission, if you want. You can use the auth module's groups feature on that table to define "groups that have access to the keys" and "groups that can modify the property" and so on.

Many To Many Fields in Django

其他提示

This came up recently, but I can't find the relevant question on SO. Instead here are some links that I had saved from that discussion to read later:

Handling object permissions - Django Docs
Django Object Permissions 1.2 - Oregon State University Open Source Lab
Django Object Permissions Proof of Concept - The Washington Times

Django now supports object permissions. Besides Handling Object Permissions, which has been linked to in another answer, the REST Framework guide to permissions is worth reading.

You will want to add code to the Meta subclass of your model for each permission:

class Meta:
    permissions = (
        ('edit_this_model', 'Edit this model'),
    )

If you are using south, you may need to run manage.py syncdb --all after updating the model.

To test if a user is authenticated, use a command such as this:

user.has_perm('your_app_name. edit_this_model')

Plenty of plugins here that do this.

Try Django-Guradian. You can use it to assign object level permissions to Users/Groups.

许可以下： CC-BY-SA 和归因

不隶属于 StackOverflow