#10609: Permissions on admin actions
-------------------------------+------------------------------------
     Reporter:  leitjohn       |                    Owner:  leitjohn
         Type:  New feature    |                   Status:  assigned
    Component:  contrib.admin  |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  1              |  Patch needs improvement:  1
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------

Comment (by Elvard):

 Thank you for reviewing this patch. I still need to get used to the whole
 workflow.

 Decorators are indeed unnecessary with respect to the implementation of
 '''render_action''' as mentioned above. I propose adding another property
 to the action, '''passes_test''':

 {{{#!python
 def delete_selected(modeladmin, request, queryset):
     ...
 delete_selected.short_description = "Delete selected objects"

 # Calling modeladmin methods, e.g. has_delete_permission, has_add_permission, etc.
 delete_selected.passes_test = "has_delete_permission"
 ...
 # Checking specific permissions
 action.passes_test = permission_required("poll.can_vote")
 ...
 # Passing test function directly
 action.passes_test = test_func
 }}}

 where '''permission_required''' is just a function which constructs
 test_func with the proper arguments (modeladmin, request, queryset).

 The '''passes_test''' property is then evaluated and returns a filtered
 queryset. If the queryset is non-empty, the user can trigger the action.

 {{{#!python
 # Example of test_func which allows deleting only entries that are 'owned' by the user:
 def delete_owned_only(modeladmin, request, queryset):
     return queryset.filter(author=request.user)
 }}}

 A string value in the passes_test property could be handled like this:

 {{{#!python
 if hasattr(modeladmin, action.passes_test):
     test_func = getattr(modeladmin, action.passes_test)
     new_qs = []
     for obj in queryset:
         if test_func(request, obj):
             new_qs.append(obj)
 }}}

 What would you think about this implementation?

--
Ticket URL: <https://code.djangoproject.com/ticket/10609#comment:17>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
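
The proposal above, worked through as an added example (not code from the ticket, the patch, or Django): it resolves both the string and callable forms of `passes_test`, fails closed when the string names no method, and passes only the filtered objects to the action. `resolve_test`, `run_action`, `EntryAdmin`, the local `PermissionDenied` stand-in and the use of plain lists in place of querysets are assumptions made so the sketch runs without Django.

```python
from types import SimpleNamespace

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""

def resolve_test(modeladmin, action):
    """Turn action.passes_test into f(modeladmin, request, queryset) -> allowed objects."""
    test = getattr(action, "passes_test", None)
    if test is None:
        # Assumption: an action that declares no test stays unrestricted.
        return lambda ma, request, queryset: list(queryset)
    if callable(test):
        return test
    method = getattr(modeladmin, test, None)
    if not callable(method):
        # Fail closed: a misspelt method name must not switch the check off.
        raise PermissionDenied(f"unknown permission test {test!r}")
    # String form: call the ModelAdmin method once per object.
    return lambda ma, request, queryset: [o for o in queryset if method(request, o)]

def run_action(modeladmin, action, request, queryset):
    allowed = list(resolve_test(modeladmin, action)(modeladmin, request, queryset))
    if not allowed:
        raise PermissionDenied("no selected object passes the test")
    # Hand the action the filtered objects, never the original selection.
    return action(modeladmin, request, allowed)

class EntryAdmin:  # hypothetical ModelAdmin with an ownership rule
    def has_delete_permission(self, request, obj=None):
        return obj is not None and obj.author == request.user

def delete_selected(modeladmin, request, queryset):
    return [obj.title for obj in queryset]  # titles that would be deleted

delete_selected.passes_test = "has_delete_permission"

def demo():
    # Constructed sample data: one entry per author, request made by alice.
    request = SimpleNamespace(user="alice")
    entries = [SimpleNamespace(title="a1", author="alice"),
               SimpleNamespace(title="b1", author="bob")]
    return run_action(EntryAdmin(), delete_selected, request, entries)

if __name__ == "__main__":
    print(demo())
```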