Hi everyone,

I have recently been thinking about an object permission system, after
reviewing Florian Apolloner's (apollo13) patch for ticket
#11010<http://code.djangoproject.com/ticket/11010> and
reading his article at Django
Advent<http://djangoadvent.com/1.2/object-permissions/>.
I thought about creating an Object Permission Rule Backend. The purpose of
this message is to explain my idea to you, so I can receive feedback from
Django users and developers. This way I would like to discern whether it's
worth coding and whether it's a good approach to a reusable solution.

I will reuse apollo's code to elaborate my idea. My Backend would look
similar to:

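from django.conf import settings
from django.contrib.auth.models import User
from django.contrib.contenttypes.models import ContentType


class ObjectPermBackend(object):
    supports_object_permissions = True
    supports_anonymous_user = True

    def authenticate(self, username, password):
        # This backend only answers permission checks; it never logs anyone in.
        return None

    def has_perm(self, user_obj, perm, obj=None):
        # Anonymous visitors are mapped to a dedicated user row.
        if not user_obj.is_authenticated():
            user_obj = User.objects.get(pk=settings.ANONYMOUS_USER_ID)

        # Without an object there is nothing to apply a rule to.
        if obj is None:
            return False

        ct = ContentType.objects.get_for_model(obj)

        # 'app.edit_article' -> 'edit'
        try:
            perm = perm.split('.')[-1].split('_')[0]
        except IndexError:
            return False

        # Simplified rule system
        # Of course objects should extend an interface
        if perm == "ownage":
            return obj.is_owned_by(user_obj)

        elif perm == "edit":
            return obj.can_be_edited_by(user_obj)

        # Here be Dragons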

As I love decorators, I would like to create a permission_required decorator
that accepts more than one parameter, so:

@permission_required('app.code_name') would
become @permission_required('app.code_name', FLAG)

If the FLAG is set, the decorator searches the model associated with the
content type of the permission for the name of the PK field. For
example, imagine idArticle. It then instantiates an object of that model
with Model.objects.get(pk=request.idArticle). So it would be necessary to
match request parameters to model fields (this is the best idea I've come up
with). Once it has the right object, it passes it to the backend for
permission checks.

I know I could write a decorator like @own_article, but I'm looking for a more
reusable solution that I would make open source and release on GitHub.

What do you think? Is it feasible and well laid out?

Thanks, best regards
Miguel Araujo
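
The rule dispatch and object-loading decorator described in the message above, as an added framework-free example that is not part of the original post or of Django. PermissionDenied, RuleBackend, the lookup callable, pk_kwarg and the sample data are assumptions made for illustration; the primary key is taken from a view keyword argument, and anything unmatched is denied.

```python
from functools import wraps
from types import SimpleNamespace

class PermissionDenied(Exception):
    """Stand-in for the framework's 403 exception (assumption)."""

class RuleBackend:
    # Permission action -> rule method the object must implement.
    rules = {"ownage": "is_owned_by", "edit": "can_be_edited_by"}

    def has_perm(self, user, perm, obj=None):
        if obj is None:
            return False  # object rules never grant without an object
        action = perm.split(".")[-1].split("_")[0]  # 'app.edit_article' -> 'edit'
        name = self.rules.get(action)
        rule = getattr(obj, name, None) if name else None
        # Default deny: unknown action or missing rule method grants nothing.
        return bool(rule(user)) if callable(rule) else False

def permission_required(perm, lookup, pk_kwarg, backend=RuleBackend()):
    """lookup(pk) is a hypothetical loader returning the object or None."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            # Load the object named in the request, then ask the backend.
            obj = lookup(kwargs.get(pk_kwarg))
            if not backend.has_perm(request.user, perm, obj):
                raise PermissionDenied(perm)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

class Article:  # constructed sample model
    def __init__(self, owner):
        self.owner = owner
    def is_owned_by(self, user):
        return user == self.owner
    can_be_edited_by = is_owned_by  # same rule for this sample

ARTICLES = {1: Article("alice")}  # constructed sample data

@permission_required("app.edit_article", ARTICLES.get, "idArticle")
def edit_article(request, idArticle):
    return "edited %d" % idArticle

def try_view(user, pk):
    """Call the view as `user`; report a denial instead of raising."""
    try:
        return edit_article(SimpleNamespace(user=user), idArticle=pk)
    except PermissionDenied:
        return "denied"
```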
