[Fixed]-Django Per Object Permission for Your Own User Model


Object-level permissions are not built into Django, even when using the standard auth.User model. But the foundation is there in that Django’s PermissionsMixin defines the has_perm method, which accepts a model instance. Django does nothing with it by default, but you can.

The has_perm method effectively passes the hard work off onto the registered authentication backends. So you can create a custom authentication backend specifically for performing your object-level permission checks. It does not need to actually handle authentication. It can be as simple as a single method on a basic class. Something like the following (untested) is all you should need:

class ObjectPermissionsBackend(object):

    def has_perm(self, user_obj, perm, obj=None):
        if not obj:
            return False # not dealing with non-object permissions

        if perm == 'view':
            return True # anyone can view
        elif obj.author_id == user_obj.pk:
            return True
            return False

Tell Django to use your custom backend using the AUTHENTICATION_BACKENDS setting. In settings.py:

AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend', 'path.to.ObjectPermissionsBackend')

Then, in your code:

if user.has_perm('edit', article_instance):
    # allow editing

See https://docs.djangoproject.com/en/1.8/topics/auth/customizing/#custom-users-and-permissions and https://docs.djangoproject.com/en/1.8/topics/auth/customizing/#specifying-authentication-backends



I end up using logic based per-object permission so that it does not alter my database. It is django-rules which support my class based view. Remember to override the redirect_field_name, otherwise, you will end up with redirect loop if users are logged in.


In the documentation page you posted, there is also stated:

Basically, if we subclass AbstractUser or define many-to-many relation
with auth.Group (and give reverse relate name groups) we should be

Since this is what you’re doing, you should set AUTH_USER_MODEL as written in the Django documentention (also see the ticket and the commit code for Django 1.5 compatibility).


You need to clear some basics on how permission works. Here it goes in a newbie understandable way:
First step is to use Meta in a model and add permission for that model in model definition”itself. Now when you migrate in django, django comes to know ‘hey! There is a custom permission which now onwards I have to consider. Well, let me add this to custom permissions’
Now comes second step, you define user and give him exact same permission you have defined in the model of step one. (if you can make sense upto this point, djago-gurdia doc will seem bright and clear to you) Any ways, so when a user logins and in your code when you use a model, you can check(ok, virtually ask django that hey django! Do you remember I have defined a permission on this model. And given the same permission to a user. Can you please check and tell me whether the user logged in has actually that permission or not’)

Leave a comment