I am trying to restrict the groups populated for staff users, such that a user X (staff) is able to view and edit only those groups of which X is a member.
I am able to filter groups populated on admin/auth/group/ by registering the new class.
from django.contrib import admin
from django.contrib.auth.admin import GroupAdmin
from django.contrib.auth.models import Group

class RestrictGroupAdmin(GroupAdmin):
    def get_queryset(self, request):
        if request.user.is_superuser:
            return super(RestrictGroupAdmin, self).get_queryset(request)
        return request.user.groups.all()

admin.site.unregister(Group)
admin.site.register(Group, RestrictGroupAdmin)
With this approach I am able to filter out groups on admin/auth/group/, but I am unable to filter the list of available groups on the user edit admin page.
Is there a way to filter the available groups on the user edit page?
Also, is the above approach to restricting groups correct?
Can we extend the same approach to users and permissions as well?
PS: Django version 1.11.1
I'm trying to figure out what's the "best practice" to limit QuerySets based on Users permissions.
For example, there is a table of invoices on the dashboard. A user in the group called Admin can see all invoices, but a user in the group Broker can see only their own invoices. That means only invoices that have user = ....
My idea is to create two permissions can_see_all_invoices and can_see_own_invoices.
Now when I call the QuerySet using Django Rest Framework, I'll check for the permissions and return the filtered QuerySet.
Or should I filter the QuerySet on the frontend and, if a Broker asks for all invoices, raise PermissionError?
Which of these approaches is being used, or is there a different approach?
IMO, this would be a clean method:
from rest_framework import generics

class MyInvoiceAPI(generics.ListAPIView):
    def get_queryset(self):
        qs = Invoice.objects.all()
        # has_perm() takes "<app_label>.<codename>"; 'invoices' is a placeholder app label
        if self.request.user.has_perm('invoices.can_see_all_invoices'):
            return qs
        return qs.filter(user=self.request.user)
Notes
You don't need two permissions, only one, which is can_see_all_invoices.
I wouldn't raise any permission denied errors in this case, since it is a List API, and evaluating each object is an expensive process.
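To make the "scope the queryset, don't raise on list" pattern from the answer above concrete, here is an added example written for this page (not the answer's code and not Django or DRF code). It models the view in plain Python so it runs offline: Invoice, User, InvoiceAPI and the 'invoices.can_see_all_invoices' codename are all constructed stand-ins for the ORM, request.user and a DRF ListAPIView. It goes one step beyond the answer by showing that when the detail lookup reuses the same scoped queryset, a Broker asking for someone else's invoice gets a 404 rather than a 403, so the endpoint never confirms which invoice numbers exist.

```python
# Added example: plain-Python model of a permission-scoped list/detail API.
# Invoice, User, InvoiceAPI and the sample data are constructed stand-ins.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Invoice:
    pk: int
    owner: str      # username of the broker the invoice belongs to
    amount: int


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        # Django's ModelBackend expects "<app_label>.<codename>"; a bare codename
        # silently evaluates to False, so the stand-in is equally strict.
        return "." in perm and perm in self.perms


# Constructed sample rows standing in for Invoice.objects.all().
ALL_INVOICES = [
    Invoice(1, "broker_a", 100),
    Invoice(2, "broker_b", 250),
    Invoice(3, "broker_a", 75),
]


class InvoiceAPI:
    """Mirrors a DRF view: list() and retrieve() both go through get_queryset()."""

    perm = "invoices.can_see_all_invoices"

    def __init__(self, user):
        self.user = user

    def get_queryset(self):
        # Admin-style users see everything; everyone else only their own rows.
        if self.user.has_perm(self.perm):
            return list(ALL_INVOICES)
        return [inv for inv in ALL_INVOICES if inv.owner == self.user.username]

    def list(self):
        # Listing never raises: a Broker simply receives a shorter list (200).
        return 200, [inv.pk for inv in self.get_queryset()]

    def retrieve(self, pk):
        # The detail lookup reuses the scoped queryset, so another broker's
        # invoice is indistinguishable from a non-existent one: 404, not 403.
        for inv in self.get_queryset():
            if inv.pk == pk:
                return 200, inv
        return 404, None


# Constructed users: one with the single "see all" permission, one without.
admin_user = User("admin", {"invoices.can_see_all_invoices"})
broker = User("broker_a")

if __name__ == "__main__":
    print(InvoiceAPI(admin_user).list())      # (200, [1, 2, 3])
    print(InvoiceAPI(broker).list())          # (200, [1, 3])
    print(InvoiceAPI(broker).retrieve(2))     # (404, None)
```

The has_perm stand-in deliberately rejects a codename without an app label, because that is the most common reason a real Django has_perm() check "never passes" when the permission looks correctly assigned.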
I want to try to set up a private website, where users can purchase bookings but only their own bookings can be viewed within the entire shop when logged in. Saleor seems to be the most complete e-commerce package for Python/Django.
Is there a way I can block access using categories? As in, I can create a category 'Johnson Family' and only select certain users to have access to 'Johnson Family' categories, if I approve their email to have access. Then those users would see 'products' or 'bookings' specifically for them within the shop.
Edit: Apologies, I should have asked 'how' and not 'if'; of course it can be done in Django, but I wasn't sure how.
As you have asked a generalized question, here is the generalized solution:
Is there a way I can block access using categories?
Yes, you can. Django's auth module has the concept of a group: you can create a group and add users to it. Then in your view you can check whether the user belongs to a particular group or not. You can do something like:
from django.contrib.auth.models import User, Group

# create the group
group = Group(name='Johnson Family')
group.save()

# add the user to the group
user = User.objects.get(email='some@email.id')
user.groups.add(group)

# call this from your view to check whether a user belongs to a group
def is_member(user, group_name):
    return user.groups.filter(name=group_name).exists()
Then those users would see 'products' or 'bookings' specifically for them within the shop.
For this you can always filter the queryset to return the objects that belong to a specific user, e.g. (assuming the Product and Booking models have a foreign key to user):
Product.objects.filter(user=some_user)
Booking.objects.filter(user=some_user)
Hi, I'm really a noob at Django.
Can I ask if there is any way to filter a list by user group?
When creating a user in admin, there is also the choice of creating groups. After assigning these users to certain groups, I have another model, e.g. Staff, where Staff information is provided and is linked to the user. So every Staff must be a user and also must be a member of the group staff. I have already created a drop-down menu on the Staff page for the list of users when creating a new Staff.
The problem is that I can't seem to figure out how the list of users shown on the Staff page can be filtered according to the user group and also by assignment, since it should be a OneToOne relation with the user. So users who have already been used or are already linked to a certain Staff will not show in that list again when creating a new Staff.
I'm thinking of using Staff.model.count()? to do that and == the user to the Staff User Group. But where should I put it in order to customize it? Please help.
You should write your own ModelAdmin, then unregister User and register User with a UserAdmin with your custom behaviour. This way you can override the queryset, forms, etc. Look at the ModelAdmin source code.
from django.contrib import admin
from django.contrib.auth.models import User

class UserAdmin(admin.ModelAdmin):
    pass  # override get_queryset(), get_form(), etc. here

admin.site.unregister(User)
admin.site.register(User, UserAdmin)
I'm searching for a way to customize the Django Administration to support permissions based on the user group.
For example, I've just created the Developers group; now I've also created the Tickets model, with a ModelAdmin to specify how to list data.
I'd like to have this model visible only to Developers, and hidden from everyone not in this group (e.g. filter the view based on groups).
I've read a lot of documentation, but couldn't really find and understand what to do to get it working.
For security purposes I'd also need to check user groups at runtime when adding/deleting objects for a specific model (the one I've hidden from people outside the Developers group); otherwise one would only need to know the URL to use the model :s
It looks like a simple task, but maybe I'm missing something... any 3rd-party middleware, or just a way to do it? I'm also ready to edit the administration views if needed, but I need to know what to do.
Thank you :-)
ModelAdmin has three methods dealing with user permissions: has_add_permission, has_change_permission and has_delete_permission. All three should return a boolean (True/False).
So you could do something like:
from django.contrib import admin

class TicketAdmin(admin.ModelAdmin):
    ...
    def has_add_permission(self, request):
        return request.user.groups.filter(name='Developers').exists()
    def has_change_permission(self, request, obj=None):
        return request.user.groups.filter(name='Developers').exists()
    def has_delete_permission(self, request, obj=None):
        return request.user.groups.filter(name='Developers').exists()
When False is returned from one of these, it results in a 403 Forbidden.
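The asker's second concern, that hiding a model from the admin index is not enough because the add/change URLs are still reachable, is worth seeing side by side with the answer's approach. The following is an added example written for this page, not the answer's code and not django.contrib.admin itself: AdminSite, ModelAdmin, Request and User are tiny plain-Python stand-ins that reproduce only the dispatch behaviour relevant here (the index consults has_module_permission, the add view consults has_add_permission), and "ticket", "Developers" and the user names are constructed. It contrasts a ModelAdmin that only overrides has_module_permission with one that gates every action as the answer does.

```python
# Added example: hiding a model from the admin index versus gating its actions.
# AdminSite/ModelAdmin/Request/User are stand-ins, not Django's classes.


class User:
    def __init__(self, username, groups):
        self.username = username
        self.groups = set(groups)

    def in_group(self, name):
        # Stand-in for request.user.groups.filter(name=name).exists()
        return name in self.groups


class Request:
    def __init__(self, user):
        self.user = user


class ModelAdmin:
    """Default behaviour: every action allowed for any staff user."""

    def has_module_permission(self, request):
        return True

    def has_add_permission(self, request):
        return True

    def has_change_permission(self, request, obj=None):
        return True

    def has_delete_permission(self, request, obj=None):
        return True


class HiddenOnlyTicketAdmin(ModelAdmin):
    """Only removes the model from the index; the add/change URLs still work."""

    def has_module_permission(self, request):
        return request.user.in_group("Developers")


class GatedTicketAdmin(ModelAdmin):
    """Gates every action on group membership, as the answer suggests."""

    def _is_dev(self, request):
        return request.user.in_group("Developers")

    def has_module_permission(self, request):
        return self._is_dev(request)

    def has_add_permission(self, request):
        return self._is_dev(request)

    def has_change_permission(self, request, obj=None):
        return self._is_dev(request)

    def has_delete_permission(self, request, obj=None):
        return self._is_dev(request)


class AdminSite:
    def __init__(self):
        self.registry = {}

    def register(self, name, model_admin):
        self.registry[name] = model_admin

    def index(self, request):
        # The index page only lists models whose module permission passes.
        return sorted(n for n, ma in self.registry.items()
                      if ma.has_module_permission(request))

    def add_view(self, name, request):
        # A direct request to the add URL is dispatched here regardless of
        # whether the model appeared on the index; False becomes a 403.
        ma = self.registry[name]
        return 200 if ma.has_add_permission(request) else 403


def demo(ticket_admin_cls):
    """Register one ModelAdmin class and exercise it with two constructed users."""
    site = AdminSite()
    site.register("ticket", ticket_admin_cls())
    dev = Request(User("alice", ["Developers"]))
    outsider = Request(User("bob", ["Support"]))
    return {
        "dev_index": site.index(dev),
        "outsider_index": site.index(outsider),
        "outsider_add": site.add_view("ticket", outsider),
    }


if __name__ == "__main__":
    print(demo(HiddenOnlyTicketAdmin))  # outsider_add is 200: hidden, but reachable
    print(demo(GatedTicketAdmin))       # outsider_add is 403
```

Both admins produce an identical index for the outsider, which is exactly why hiding alone is deceptive: only the gated version turns the direct add request into a 403. Newer Django releases also consult a has_view_permission hook, so the same group check belongs there as well when the project is upgraded.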
I had tried for hours to find a way to edit a custom admin's (based on my custom model) permissions with a few clicks on screen, without much coding.
Use Django's /admin/auth/user/ "User permissions" part.
Finally I found this:
Just install django-admin-view-permission
and I can change the staff's custom models' permissions there.
Also in the group part, /admin/auth/group/add/, I can create a group that has certain permissions, and assign specific staff to their permission group.
I have a Django project that has 2 types of users (teachers and students in my case).
I want each group of them to view a different page when they log in.
How is that possible?
Or how do I know what group a certain user belongs to?
Thanks in advance.
To get the groups of a user check the docs on authentication.
User objects have two many-to-many fields: models.User.groups and user_permissions. User objects can access their related objects in the same way as any other Django model:
    myuser.groups = [group_list]
So if you want to check whether a user is a member of the group teachers:
if myuser.groups.filter(name='teachers').exists():
    print("myuser is a teacher")
...
Considering the redirection see this answer: Django - after login, redirect user to his custom page --> mysite.com/username