Object-level permissions are not built into Django, even when using the standard
auth.User model. But the foundation is there in that Django’s
PermissionsMixin defines the
has_perm method, which accepts a model instance. Django does nothing with it by default, but you can.
has_perm method effectively passes the hard work off onto the registered authentication backends. So you can create a custom authentication backend specifically for performing your object-level permission checks. It does not need to actually handle authentication. It can be as simple as a single method on a basic class. Something like the following (untested) is all you should need:
def has_perm(self, user_obj, perm, obj=None):
if not obj:
return False # not dealing with non-object permissions
if perm == 'view':
return True # anyone can view
elif obj.author_id == user_obj.pk:
Tell Django to use your custom backend using the
AUTHENTICATION_BACKENDS setting. In settings.py:
AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend', 'path.to.ObjectPermissionsBackend')
Then, in your code:
if user.has_perm('edit', article_instance):
# allow editing
I end up using logic based per-object permission so that it does not alter my database. It is django-rules which support my class based view. Remember to override the redirect_field_name, otherwise, you will end up with redirect loop if users are logged in.
- How do you rollback during Django shell session after causing DatabaseError?
- Django admin: use checkboxes in list view in list_filter()
In the documentation page you posted, there is also stated:
Basically, if we subclass AbstractUser or define many-to-many relation
with auth.Group (and give reverse relate name groups) we should be
- What is the proper way of testing throttling in DRF?
- How do you raise a python exception and include additional data for Sentry?
- Django.db.utils.IntegrityError: duplicate key value violates unique constraint "auth_permission_pkey"
You need to clear some basics on how permission works. Here it goes in a newbie understandable way:
First step is to use Meta in a model and add permission for that model in model definition”itself. Now when you migrate in django, django comes to know ‘hey! There is a custom permission which now onwards I have to consider. Well, let me add this to custom permissions’
Now comes second step, you define user and give him exact same permission you have defined in the model of step one. (if you can make sense upto this point, djago-gurdia doc will seem bright and clear to you) Any ways, so when a user logins and in your code when you use a model, you can check(ok, virtually ask django that hey django! Do you remember I have defined a permission on this model. And given the same permission to a user. Can you please check and tell me whether the user logged in has actually that permission or not’)
- How to run tests django rest framework tests?
- How to make a rest_framework Serializer disallow superfluous fields?
- Django translations does not work