Re: Is it wrong to disable a lot of the core django features?

Hi all,

I agree that it's perfectly fine to not use the built in auth and admin apps, and people do it all the time. But, I wanted to give a quick proof of concept of using the admin with custom permissions.

# models.py
from django.contrib.auth.models import AbstractBaseUser
from django.db import models

class Company(models.Model):
    name = models.CharField(max_length=255)

class Authority(models.Model):  # Permission
    company = models.ForeignKey(Company)
    name = models.CharField(max_length=255)

class Role(models.Model):  # Group
    name = models.CharField(max_length=255)
    authorities = models.ManyToManyField(Authority, blank=True)

class EmailUserManager(models.Manager):
    def get_by_natural_key(self, email):
        return self.get(email=email)

class CustomUser(AbstractBaseUser):
    company = models.ForeignKey(Company)
    email = models.EmailField('Email', unique=True)
    roles = models.ManyToManyField(Role, related_name='users', blank=True)
    USERNAME_FIELD = 'email'
    REQUIRED_FIELDS = ['company']
    is_staff = True  # all users can login to the admin
    objects = EmailUserManager()

    def get_short_name(self):
        return self.email

    @property
    def authorities(self):
        return Authority.objects.filter(role__users=self)

# admin.py

from django.contrib.auth.models import Group

from django.contrib import admin

from .models import Company, Role, Authority, CustomUser

admin.site.unregister(Group)

class PermAdmin(admin.ModelAdmin):

    def has_add_permission(self, request):
        permission_name = 'can_add_%s' % self.model._meta.model_name
        return request.user.authorities.filter(name=permission_name).exists()

    def has_change_permission(self, request, obj=None):
        permission_name = 'can_change_%s' % self.model._meta.model_name
        return request.user.authorities.filter(name=permission_name).exists()

    def has_delete_permission(self, request, obj=None):
        permission_name = 'can_delete_%s' % self.model._meta.model_name
        return request.user.authorities.filter(name=permission_name).exists()

    def has_module_permission(self, request):
        add = 'can_add_%s' % self.model._meta.model_name
        change = 'can_change_%s' % self.model._meta.model_name
        delete = 'can_delete_%s' % self.model._meta.model_name
        return request.user.authorities.filter(name__in=(add, change, delete)).exists()

admin.site.register(Role, PermAdmin)
admin.site.register(Company, PermAdmin)
admin.site.register(Authority, PermAdmin)
admin.site.register(CustomUser, PermAdmin)

Or it may be better to do the permission checking in user.has_perm() which the default has_change_permission() will call.

Collin

On Saturday, November 22, 2014 3:11:13 PM UTC-5, John Rodkey wrote:

Gabriel,

How would you store groups for each company within the default "groups" database?  Our current database design is

Company

CustomUser belongs to Company

Roles belongs to Company (replacing default "Groups" with "Roles")

Roles has many Authorities (replacing default "Permissions" with "Authorities")

*additional tables will be configured for assigning Roles to CustomUsers most likely through a many to many - join

Using our very limited design above, what would you recommend approach be for using the providing "Grouping/Perms"?

On Saturday, November 22, 2014 3:58:17 AM UTC-6, Gabriel - Iulian Dumbrava wrote:

Hello!

I would suggest to not drop the use of the built in auth module. You have many template and view tags, decorators, etc which are very helpful.

You may, for example create a group for each company/branch then add each user to their respective groups upon registration.

Each groups may have custom permissions, so you are not stuck with the built in add/edit/delete rights. You may create any type of permission and check for it in verious places.

vineri, 21 noiembrie 2014, 22:18:27 UTC+2, John Rodkey a scris:

We are evaluating django for a new internal CRM project and have issues using many of the built in features including: the base user, permissions, and authentication.

We do not wish to use the built-in admin...  The level of complexity for our permissions will be based on the employees job function/role.  While django does offer "Groups" under permissions, we have many subsidiaries which may name their own groups, this is our reasoning for dumping the built-in permissions.

What we are trying to accomplish -

1. User registration and authorization based on users email address. (We believe this could be created with the "Custom User" information found in the docs.)

2. Depending on the users email domain (the subsidiary) they work for, they will only have access to that data (We do not believe django offers this, and will be building it)

3. Each company (subsidiary) will have their own permission roles/groups (We do not believe this is available in django, please correct if wrong).

4. Each user will be assigned role(s)/permission(s) for their company (We believe this will need to be a custom tool)

Is there a simple solution to altering the built-in authentication and permission to fit our needs?  

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7d4173c4-b283-4975-b261-27e5c30cfb39%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.