Sunday, March 29, 2015

Re: How to prevent save/delete in the Admin

In case you hide or do not display the save/delete button, you must also double-check in the delete view whether the current user has the right permissions to delete the item. It's pretty easy to add a POST button in Firebug, or even to trigger the POST using a different method.

Sunday, 29 March 2015, 11:08:06 UTC+3, Mike Dewhirst wrote:
At the moment "has_change_permission" in the Admin works by returning
403 Forbidden if it gets a False.

That doesn't suit my needs but it is probably not advisable to adjust it.

Users without change permission need to be able to see the data and
perhaps raise an exception (in this case BusinessRuleViolation
subclassed from ValidationError) if they try to save. In other words,
maybe use the existing form clean() mechanism.

However, I recognise that this subverts the Admin by preventing [Save]
and therefore may not be appropriate.

A perhaps better solution would be to disable the Save and Delete
widgets/actions in particular circumstances.

How can I do something like this?

TL;DR

All the business rule decision logic is calculated using the object
instance and request.user.

The application displays a substance record with a few 1:1, 1:n, n:1 and
n:m related records. The substance has a status field which can be made
"public domain".

The business rule is that a user can see and edit all their own
substances but can see nothing owned by anyone else - unless they have
been put in the public domain (which then must be read-only to the
"public").

Thanks for any ideas

Mike

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/5245622d-04a2-435d-9efb-cd61f824953b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
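The point of the reply above is that hiding a button only changes what the browser renders; the delete and save views still have to refuse the request themselves. The block below is an added example, not code from this thread or from Django. It models Mike's rule (owners may view, change and delete their own substances; anyone may view, but not change or delete, a substance whose status is "public domain"; everything else is invisible) as a plain-Python policy class. Django is deliberately not imported so the block runs offline: `User`, `Substance`, `Request`, `sample_substances` and `SubstanceAdminPolicy` are constructed stand-ins, and the method names only mirror the `ModelAdmin` hooks (`get_queryset`, `has_change_permission`, `has_delete_permission`, `get_readonly_fields`, `change_view`, `delete_view`) so the mapping to a real admin class is obvious.

```python
"""Server-side enforcement of an ownership / public-domain rule.

Added example (not from the thread or from Django). The classes below are
constructed stand-ins; method names mirror Django ModelAdmin hooks but this
is not Django code.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PUBLIC_DOMAIN = "public domain"
ALL_FIELDS: Tuple[str, ...] = ("name", "status", "owner")


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Substance:
    pk: int
    name: str
    owner: User
    status: str = "private"


@dataclass
class Request:
    """Stand-in for the request object the admin hooks receive."""
    user: User
    method: str = "GET"


class SubstanceAdminPolicy:
    """Decides visibility and edit rights from the object and request.user."""

    def __init__(self, substances: Iterable[Substance]):
        self._all: List[Substance] = list(substances)

    # --- decision logic --------------------------------------------------
    def is_visible(self, request: Request, obj: Substance) -> bool:
        # Own records, plus anything released into the public domain.
        return obj.owner == request.user or obj.status == PUBLIC_DOMAIN

    def can_edit(self, request: Request, obj: Substance) -> bool:
        # Only the owner may change or delete; public-domain records are
        # read-only for everyone else.
        return obj.owner == request.user

    # --- hook-shaped helpers ---------------------------------------------
    def get_queryset(self, request: Request) -> List[Substance]:
        return [s for s in self._all if self.is_visible(request, s)]

    def has_change_permission(self, request: Request, obj: Optional[Substance] = None) -> bool:
        # obj is None on the changelist; per-object rule otherwise.
        return True if obj is None else self.can_edit(request, obj)

    def has_delete_permission(self, request: Request, obj: Optional[Substance] = None) -> bool:
        return True if obj is None else self.can_edit(request, obj)

    def get_readonly_fields(self, request: Request, obj: Optional[Substance] = None) -> Tuple[str, ...]:
        # Non-owners get every field rendered read-only instead of a 403,
        # which is the "see but not save" behaviour the original post wanted.
        if obj is not None and not self.has_change_permission(request, obj):
            return ALL_FIELDS
        return ()

    def _get_visible(self, request: Request, pk: int) -> Optional[Substance]:
        return next((s for s in self.get_queryset(request) if s.pk == pk), None)

    # --- views: the checks that must happen regardless of rendered buttons -
    def change_view(self, request: Request, pk: int) -> Tuple[int, Tuple[str, ...]]:
        """Returns (HTTP status, read-only fields). A GET by a non-owner is
        allowed (200, all fields read-only); a POST by a non-owner is refused
        with 403 even though no Save button was rendered for them."""
        obj = self._get_visible(request, pk)
        if obj is None:
            return 404, ()
        readonly = self.get_readonly_fields(request, obj)
        if request.method == "POST":
            if not self.has_change_permission(request, obj):
                return 403, readonly
            return 302, readonly          # saved; redirect to the changelist
        return 200, readonly

    def delete_view(self, request: Request, pk: int) -> int:
        """Returns an HTTP status. The permission check runs on every request,
        so a hand-crafted POST without the Delete button is still refused."""
        obj = self._get_visible(request, pk)
        if obj is None:
            return 404                    # not visible: do not reveal existence
        if not self.has_delete_permission(request, obj):
            return 403
        if request.method != "POST":
            return 200                    # confirmation page
        self._all.remove(obj)
        return 302


def sample_substances() -> List[Substance]:
    """Constructed sample data: alice owns 1 (private) and 2 (public domain), bob owns 3."""
    alice, bob = User("alice"), User("bob")
    return [
        Substance(1, "alice-private", alice),
        Substance(2, "alice-released", alice, PUBLIC_DOMAIN),
        Substance(3, "bob-private", bob),
    ]
```

Run against the sample data, bob's changelist shows substances 2 and 3 only; a GET on substance 2 returns 200 with every field read-only, while a forged POST to either its change or delete view returns 403, and any request touching substance 1 returns 404 because it is outside his queryset.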
