Introduce custom permissions

[bhaettasch]

The existing permissions (add and delete entries for the different models) are sometimes not sufficient to really restrict manipulations to exaclty what a specific staff account needs.

Example: Tutor has to add students, but should better not be able to see all the registered people in dashboard or export their email adresses. So instead a write-only permission is needed.

For these cases, it would be good to have custom permissions that allow giving access to certain data according to the task one has to do and not based on the data he has to deal with.

[exploide]

Or the other way around, because add is already close to write-only. But all the dashboard views are more like list or view permissions, we might introduce.

[bhaettasch]

Yes, this was just an example. Instead of giving a new permission to tutor which is not very different to the existing "add" permission, it would be probably a better solution to introduce a new custom permission that also allows to see the entries via dashboard.

[jlauinger]

From the Django documentation:
https://docs.djangoproject.com/en/1.9/topics/auth/customizing/#custom-permissions

from django.db import models
from django.core.exceptions import PermissionDenied

# associated with my_app

class SomeModel(models.Model):
    class Meta:
        permissions = (
            ('custom_permission', 'Can do custom permission'),
        )

def some_admin_action(modeladmin, request, queryset):
    if not request.user.has_perm('my_app.custom_permission'):
        raise PermissionDenied

Another possibility would be using Django Guardian:
https://pythonhosted.org/django-guardian/userguide/check.html