Hello,

*The problem*

It has happened to me more than once to need to check the user's permissions
before allowing access to an object. Rather than worry whether I've remembered
to do that in all my views and in all pieces of code there might be access, I'd
prefer to make this check at the model level, that is, for the model manager to
return filtered results—only these objects that the user is allowed to access.
But model managers don't have access to the request object (and, likewise, I
don't want to create a manager that needs the request object to be passed to it,
because likewise I won't be certain I remembered to pass the request object in
all places in the code).

*One solution*

One solution that I've implemented in an app is to have middleware that stores
the request in a thread local variable. The model manager gets the request from
there and filters the results accordingly. If there is no request object stored
in the thread local variable, the manager assumes this query does not come from
the web and does not filter it.

Is this a good way to do it? Is there any alternative?

Regards,

A.

-- 
Antonis Christofides
http://djangodeployment.com
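
The approach described in the message above, as an added example that is not part of the original post: a framework-free Python sketch of middleware that stores the request in a thread-local and a manager that filters by it. All names (`CurrentRequestMiddleware`, `OwnerFilteredManager`, the `owner` field, the sample rows) are hypothetical, and an in-memory list stands in for a Django model manager.

```python
import threading
from types import SimpleNamespace

_state = threading.local()  # per-thread slot for the current request

def current_request():
    return getattr(_state, "request", None)

class CurrentRequestMiddleware:
    """Django-style middleware: built with get_response, called per request."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        _state.request = request
        try:
            return self.get_response(request)
        finally:
            # Worker threads are reused: clear the slot even when the view
            # raises, so later code on this thread never sees a stale user.
            del _state.request

class OwnerFilteredManager:
    """Stand-in for a model manager, over constructed in-memory rows."""
    def __init__(self, rows):
        self._rows = rows

    def all(self):
        request = current_request()
        if request is None:
            # Nothing stored: treated as non-web code and left unfiltered.
            return list(self._rows)
        return [r for r in self._rows if r["owner"] == request.user]

# Constructed sample data; the view never mentions the request or the user.
documents = OwnerFilteredManager(
    [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "bob"}, {"id": 3, "owner": "alice"}]
)

def list_ids(request=None):
    return [r["id"] for r in documents.all()]

app = CurrentRequestMiddleware(list_ids)

def demo():
    alice = app(SimpleNamespace(user="alice"))   # filtered to alice's rows
    bob = app(SimpleNamespace(user="bob"))       # filtered to bob's rows
    after = list_ids()                           # slot cleared: unfiltered
    return alice, bob, after

if __name__ == "__main__":
    print(demo())
```

A thread started from inside a view has its own empty thread-local slot, so queries made there take the unfiltered branch.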
