#10609: Permissions on admin actions
-------------------------------+------------------------------------
     Reporter:  leitjohn       |                    Owner:  leitjohn
         Type:  New feature    |                   Status:  assigned
    Component:  contrib.admin  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  1              |  Patch needs improvement:  1
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by Elvard):

 Thank you for reviewing this patch. I still need to get used to the whole
 workflow.

 Decorators are indeed unnecessary with respect to the implementation of
 '''render_action''' as mentioned above. I propose adding another property to
 the action, '''passes_test''':

 {{{#!python

 def delete_selected(modeladmin, request, queryset):
     ...
 delete_selected.short_description = "Delete selected objects"
 # Calling modeladmin methods, e.g. has_delete_permission,
 # has_add_permission, etc.
 delete_selected.passes_test = "has_delete_permission"

 ...

 # Checking specific permissions
 action.passes_test = permission_required("poll.can_vote")

 ...

 # Passing test function directly
 action.passes_test = test_func

 }}}

 where '''permission_required''' is just a function which constructs test_func
 with the proper arguments (modeladmin, request, queryset).

 The '''passes_test''' property is then evaluated and returns a filtered
 queryset. If the queryset is non-empty, the user can trigger the action.

 {{{#!python
 # Example of test_func which allows deleting only entries that are
 # 'owned' by the user:

 def delete_owned_only(modeladmin, request, queryset):
     return queryset.filter(author=request.user)
 }}}

 A string value in the passes_test property could be handled like this:

 {{{#!python

 if hasattr(modeladmin, action.passes_test):
     test_func = getattr(modeladmin, action.passes_test)
     new_qs = []
     for obj in queryset:
         if test_func(request, obj):
             new_qs.append(obj)

 }}}

 What would you think about this implementation?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/10609#comment:17>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
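
The three forms of `passes_test` proposed in the comment above, resolved in one place. This is an added example, not part of the original comment and not Django's code. `resolve_passes_test`, the stub `User`/`Request`/`Entry`/`EntryAdmin` classes and the sample data are assumptions constructed for illustration; plain lists stand in for querysets, and an action that declares a test which cannot be resolved yields no objects.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)
    def has_perm(self, perm):
        return perm in self.perms

@dataclass
class Request:
    user: User

@dataclass
class Entry:
    title: str
    author: User

class EntryAdmin:  # hypothetical stand-in for a ModelAdmin with a per-object check
    def has_delete_permission(self, request, obj=None):
        return obj is not None and obj.author == request.user

def permission_required(perm):
    # Builds a test_func taking (modeladmin, request, queryset), as in the proposal.
    def test_func(modeladmin, request, queryset):
        return list(queryset) if request.user.has_perm(perm) else []
    return test_func

_UNSET = object()

def resolve_passes_test(modeladmin, request, queryset, action):
    """Return the objects the user may act on; an empty list means deny."""
    test = getattr(action, "passes_test", _UNSET)
    if test is _UNSET:
        return list(queryset)  # assumption: actions without a test stay unrestricted
    if isinstance(test, str):
        method = getattr(modeladmin, test, None)
        if not callable(method):
            return []  # misspelled or missing method name: fail closed
        return [obj for obj in queryset if method(request, obj)]
    if callable(test):
        return list(test(modeladmin, request, queryset))
    return []  # declared but unusable value: fail closed

# Constructed sample data.
alice, bob = User("alice", {"poll.can_vote"}), User("bob")
entries = [Entry("a1", alice), Entry("b1", bob), Entry("a2", alice)]

def delete_selected(modeladmin, request, queryset): ...
delete_selected.passes_test = "has_delete_permission"
```

The action would then be offered or executed only when the returned list is non-empty, and only over the objects in it.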
