Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Checking of object-permissions for TreeItem #263

Open
go-run-jump opened this issue Apr 26, 2019 · 6 comments
Open

Checking of object-permissions for TreeItem #263

go-run-jump opened this issue Apr 26, 2019 · 6 comments
Labels
3rd party support support

Comments

@go-run-jump
Copy link

I really like the functionality of this library and would like to use it in a projekt together with django-guardian for object-permissions. This enables me to give a specific user or group the permission to view a TreeItem.

At the moment the check for permissions in line 893 of sitetreeapp.py can't do that as it is not model-specific:
user_perms = set(context['user'].get_all_permissions())

If I add the line below (new syntax for brevity) it works as I want it to.
user_perms.add(f"{item._meta.app_label}.{context['user'].get_all_permissions(item)}")

Is there another way to achieve that properly?

Would you be willing to accept a pull-request with such an enhancement?
@idlesign
Copy link
Owner

Let's think it over.

user_perms.add(f"{item._meta.app_label}.{context['user'].get_all_permissions(item)}")

I wonder how that works, since get_all_permissions(item) returns a set and your resulting permission name should boil into something like myapp.{'two', 'one'}. Does that work with guardian, shouldn't there be two separate permissions, like myapp.two and myapp.one?

@go-run-jump
Copy link
Author

You're absolutly right. It should be more like

obj_perms = context['user'].get_all_permissions(item)
labeled_obj_perms = {f"{item._meta.app_label}.{perm}" for perm in obj_perms}
user_perms.update(labeled_obj_perms)

@idlesign
Copy link
Owner

idlesign commented Apr 27, 2019
edited
Loading

We could prepend app label as an option (through settings), but before that I'd like to make sure it solves the problem.

So I'd like to ask you to make a fork of this repo and add guardian into demo, so that I could see how your solution works. If it works fine, we could merge app code changes (excluding demo).

@idlesign
Copy link
Owner

idlesign commented May 1, 2019
edited
Loading

I've checked the demo, thank you.

In #265 I introduce a new better support for customization. It should cover a wide variety of use cases including yours. Please give it a try, documentation is updated accordingly.
Will wait for you feedback.

@idlesign idlesign mentioned this issue May 7, 2019
Merged
@go-run-jump
Copy link
Author

get_permissions will only be called once in check_access because of if user_perms is _UNSET. This means checking per item will not work. I guess this is for unneccessary double checks if the permissions are model-based. Of course now it is possible to overwrite check_access, which is great, but at least this method doesn't do what it promises.

What are your thoughts about this?

@idlesign
Copy link
Owner

It seems that we need a caching dict in _current_user_permissions for per-item access checking, but that should be weighted against caching removal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3rd party support support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@idlesign @go-run-jump