django-guardian
is implementation of per object permissions [1] as
authorization backend which is supported since Django 1.2. It won't
work with older Django releases.
Online documentation is available at
http://packages.python.org/django-guardian/ or http://django-guardian.rtfd.org/
To install django-guardian
simply run:
pip install django-guardian
We need to hook django-guardian
into our project.
Put
guardian
into yourINSTALLED_APPS
at settings module:INSTALLED_APPS = ( ... 'guardian', )
Add extra authorization backend:
AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', # default 'guardian.backends.ObjectPermissionBackend', )
After installation and project hooks we can finally use object permissions with Django.
Lets start really quickly:
>>> jack = User.objects.create_user('jack', '[email protected]', 'topsecretagentjack') >>> admins = Group.objects.create(name='admins') >>> jack.has_perm('change_group', admins) False >>> UserObjectPermission.objects.assign_perm('change_group', user=jack, obj=admins) <UserObjectPermission: admins | jack | change_group> >>> jack.has_perm('change_group', admins) True
Of course our agent jack here would not be able to change_group globally:
>>> jack.has_perm('change_group') False
There two ways to include django-guradian object level admin support for your models. One is relatively straightforward
and consists of replacing admin.ModelAdmin
with GuardedModelAdmin
for those models which should have object
permissions support within admin panel:
from django.contrib import admin
from myapp.models import Author
from guardian.admin import GuardedModelAdmin
# Old way:
#class AuthorAdmin(admin.ModelAdmin):
# pass
# With object permissions support
class AuthorAdmin(GuardedModelAdmin):
pass
admin.site.register(Author, AuthorAdmin)
The other consists of sanely monkeypatching. This has the great benefit that existing Django models, third party apps, your models and future models - the entire Django site automatically gets object level permission support in the Admin:
import logging
logger = logging.getLogger(__name__)
# be nice and tell you are patching
logger.info("Patching 'admin.ModelAdmin = GuardedModelAdmin': replace 'admin.ModelAdmin' with 'GuardedModelAdmin' "
"which provides an ability to edit object level permissions.")
# confirm signature of code we are patching and warn if it has changed
if not '3c43401f585ae4a368c901e96f233981' == \
hashlib.md5(inspect.getsource(admin.ModelAdmin)).hexdigest():
logger.warn("md5 signature of 'admin.ModelAdmin' does not match Django 1.5. There is a slight change patch "
"might be broken so please compare and update this monkeypatch.")
admin.ModelAdmin = GuardedModelAdmin # apply the patch
[1] | Great paper about this feature is available at djangoadvent articles. |