I am coming up with a framework that helps serialization of models. My
idea is for each field to have a view permissions level: PUBLIC,
OWNER, or ADMIN. I want to have a model to dict function that takes 2
arguments, permission_level and serialize_chain. Firstly, let me
explain how it would change models.py:
from django.db import models
from django.contrib.auth.models import User
class Profile(models.Model):
user = models.ForeignKey(User, permission=PUBLIC)
bio = models.TextField(permission=PUBLIC)
activated = models.BooleanField(default=False, permission=OWNER)
activate_code = models.CharField(max_length=256, permission=ADMIN)
pages_bookmarked = models.ManyToManyField('Page',
related_name='profile_pages_bookmarked', permission=OWNER)
So, in this example, let's think about when we serialize Profile into
a dictionary (for later turning into JSON for ajax). user is the only
special case, so skip that mentally for now. Anyone is able to view a
profile's bio. A person can view their own profile's activation status
and what pages they have bookmarked. But only the system can read the
activate_code. Of course the default value for permission would be
ADMIN, so you'd have to explicitly allow fields to be sent to the
browser.
OK, and how would the serialization work? Let's look at a view
function.
from django.shortcuts import get_object_or_404
from django.http import HttpResponse
import simplejson as json
def ajax_profile_info(request, id):
id = int(id)
profile = get_object_or_404(Profile, id=id)
# ok now we want to serialize profile for sending to json.
# let's say this is the ajax view for getting data about OTHER
people.
return json_response(profile.serialize(PUBLIC))
def json_response(data):
return HttpResponse(json.dumps(data), mimetype="text/plain")
So in this view, only fields with the PUBLIC will get rendered into
the dict. Let's say it was a view function for looking at a person's
own account settings. Then we would pass OWNER to the serialize
function and we would get all PUBLIC fields + OWNER fields.
OK that's dandy, but I have one other idea to make serialization
awesome. When you have models that foreignkey all over the place, it's
a pain to create a nice json object that follows the chain to the
exact depth that you want. So let me complicate the model a little
bit.
from django.db import models
from django.contrib.auth.models import User
class Profile(models.Model):
user = models.ForeignKey(User, permission=PUBLIC)
bio = models.TextField(permission=PUBLIC)
activated = models.BooleanField(default=False, permission=OWNER)
activate_code = models.CharField(max_length=256, permission=ADMIN)
books_read = models.ManyToManyField('Book',
related_name='profile_pages_bookmarked', permission=PUBLIC)
class Book(models.Model):
title = models.CharField(max_length=100, permission=PUBLIC)
protagonist = models.ForeignKey('Character', permission=PUBLIC)
language_used = models.ForeignKey('Language', permission=PUBLIC)
cover_art_plan = models.ForeignKey('CoverArtPlan',
permission=PUBLIC)
internal_admin_thing = models.IntegerField(permission=ADMIN)
class Character(models.Model):
name = models.CharField(max_length=100, permission=PUBLIC)
class Language(models.Model):
name = models.CharField(max_length=100, permission=PUBLIC)
class CoverArtPlan(models.Model):
name = models.CharField(max_length=100, permission=PUBLIC)
OK so let's say I'm making a page where we see all the books a person
has read (and the info about those books). Here's a view function:
def ajax_books_read(request, profile_id):
id = int(id)
profile = get_object_or_404(Profile, id=id)
return json_response(profile.serialize(PUBLIC),
['books_read.protagonist', 'books_read.language_used'])
So this second argument, the serialize_chain, says that we want to
serialize profile into a dict, and the books_read field, instead of
containing a list of ids, should contain a list of serialized Books.
And since we have a dot there, when Profile passes it's serialization
request on to Book, it cuts off the "books_read." and passes the rest
to Book, so that book sees ['protagonist', 'language_used']. so when
Book serializes, its 'protagonist' field is the serialization of the
Character instead of just an id. Same for 'language_used'. However,
since cover_art_plan was not included, it is simply the id of the
CoverArtPlan instead of following the link. Also of note, since we
serialized with PUBLIC, internal_admin_thing is completely left out of
Book's serialized data.
A note about access levels: let's say Profile was serialized with
OWNER access, when it serializes its books_read, it doesn't pass
OWNER, it de-escalates the access level to PUBLIC. However if you
serialize Profile with ADMIN access, it does pass admin when it
serializes its links. Think about it; it makes sense.
Anyways, I would like to know if
1) Does a solution like this already exist? and if not
2) Is this cool enough to go into django core? or contrib or whatever.
I got some feedback from mattmcc in #django:
<mattmcc> superjoe: At first glance, I'd be more inclined to look at a
role-based access control mechanism that doesn't obligate hardcoding
permission levels on to model fields..
However I don'
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
