Django admin — restricting access by user

StackOverflow https://stackoverflow.com/questions/1022635

  •  06-07-2019
  •  | 
  •  

Question

I was wondering if the django admin page can be used for external users.

Let's say that I have these models:

class Publisher(models.Model):
  admin_user = models.ForeignKey(Admin.User)
  ..

class Publication(models.Model):
  publisher = models.ForeignKey(Publisher)
  ..

I'm not exactly sure what admin_user would be -- perhaps it could be the email of an admin user?

Anyways. Is there a way allow an admin user to only add/edit/delete Publications whose publisher is associated with that admin user?

-Thanks! -Chris

Was it helpful?

Solution

If you need finer-grained permissions in your own applications, it should be noted that Django's administrative application supports this, via the following methods which can be overridden on subclasses of ModelAdmin. Note that all of these methods receive the current HttpRequest object as an argument, allowing for customization based on the specific authenticated user:

  • queryset(self, request): Should return a QuerySet for use in the admin's list of objects for a model. Objects not present in this QuerySet will not be shown.
  • has_add_permission(self, request): Should return True if adding an object is permitted, False otherwise.
  • has_change_permission(self, request, obj=None): Should return True if editing obj is permitted, False otherwise. If obj is None, should return True or False to indicate whether editing of objects of this type is permitted in general (e.g., if False will be interpreted as meaning that the current user is not permitted to edit any object of this type).
  • has_delete_permission(self, request, obj=None): Should return True if deleting obj is permitted, False otherwise. If obj is None, should return True or False to indicate whether deleting objects of this type is permitted in general (e.g., if False will be interpreted as meaning that the current user is not permitted to delete any object of this type).

[django.com]

OTHER TIPS

django admin can, to a certain extent, be restricted. For a given user, first, they must have admin rights in order to log into the admin site. Anyone with this flag set can view all admin pages. If you want to restrict viewing, you're out of luck, because that just isn't implemented. From there, each user has a host of permissions, for create, update and delete, for each model in the admin site. The most convenient way to handle this is to create groups, and then assign permissions to the groups.

I see chris's answer was useful at the time question was asked. But now it's almost 2016 and I guess it gets more easier to enable restricted access of Django Admin panel to end user.

Django authentication system provides:

Groups: A generic way of applying labels and permissions to more than one user.

Where one can add specific permissions and apply that group to user via admin panel or with writing codes.

After adding user to those specific groups, Admin need to enable is_staff flag for those users.

User will be able access restricted registered models in admin. I hope this helps.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top