On Jan 12, 2010, at 8:04 AM, Gonzalo Delgado wrote:

> I'm facing similar requirements and came across this app:
>
> http://packages.python.org/django-authority/
>
> but haven't tried it out yet.

Well, I just read most of the docs, and it looks like this won't work for our requirements. It might do what Tim wants, depending on how much he wants to modify his code.

My problem with this project is that the developers have to add a bunch of authority-checking to every piece of code that touches the models. I want something more like "logical delete," which allows vanilla Django syntax and does its thing in the background. For example, if I do a queryset lookup, I don't want to filter out the results based on permissions -- I want just the allowed results returned.

To give a small analogy: I've replaced the @login_required decorator in our application with a piece of middleware, which explicitly allows the "unprotected" stuff (like the login page). This protects us from a developer accidentally failing to add the @login_required decorator.

The same should go for our models; no client should *ever* be able to see another client's data because a developer failed to add a permissions check.

Shawn
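The default-deny login middleware described in the message above, as an added example that is not part of the original post or of Django itself. The names LOGIN_URL, EXEMPT_EXACT, EXEMPT_PREFIXES and LoginRequiredMiddleware are assumptions, and the class follows Django's callable middleware convention (get_response), which is newer than this thread.

```python
# Added sketch: every request needs a login unless its path is allowlisted.
from urllib.parse import quote

LOGIN_URL = "/accounts/login/"        # assumed login route
EXEMPT_EXACT = {LOGIN_URL}            # pages reachable without a session
EXEMPT_PREFIXES = ("/static/",)       # assumed public asset prefix


def is_exempt(path):
    """True only for allowlisted paths; anything unlisted stays protected."""
    # A ".." segment could make a protected URL look like it sits under an
    # exempt prefix, so such paths never qualify for the allowlist.
    if ".." in path.split("/"):
        return False
    return path in EXEMPT_EXACT or path.startswith(EXEMPT_PREFIXES)


def _redirect(url):
    # Imported lazily so the allowlist logic can be exercised without Django.
    from django.http import HttpResponseRedirect
    return HttpResponseRedirect(url)


class LoginRequiredMiddleware:
    """List after AuthenticationMiddleware so that request.user is populated."""

    redirect = staticmethod(_redirect)

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = getattr(request, "user", None)
        # No user attribute (misordered middleware) counts as anonymous.
        authed = getattr(user, "is_authenticated", False)
        if callable(authed):          # old Django: method, not property
            authed = authed()
        if authed or is_exempt(request.path):
            return self.get_response(request)
        target = quote(request.get_full_path(), safe="/")
        return self.redirect(LOGIN_URL + "?next=" + target)
```

A view that a developer forgets to decorate is still protected here, because access is granted by the allowlist rather than by per-view opt-in.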