django-sitetree icon indicating copy to clipboard operation
django-sitetree copied to clipboard

Published 20 hours ago verified publisher icon idlesign

Checking of object-permissions for TreeItem

Open go-run-jump opened this issue 5 years ago • 6 comments

I really like the functionality of this library and would like to use it in a projekt together with django-guardian for object-permissions. This enables me to give a specific user or group the permission to view a TreeItem.

At the moment the check for permissions in line 893 of sitetreeapp.py can't do that as it is not model-specific: user_perms = set(context['user'].get_all_permissions())

If I add the line below (new syntax for brevity) it works as I want it to. user_perms.add(f"{item._meta.app_label}.{context['user'].get_all_permissions(item)}")

Is there another way to achieve that properly?

Would you be willing to accept a pull-request with such an enhancement?

go-run-jump avatar Apr 26 '19 03:04 go-run-jump

Let's think it over.

user_perms.add(f"{item._meta.app_label}.{context['user'].get_all_permissions(item)}")

I wonder how that works, since get_all_permissions(item) returns a set and your resulting permission name should boil into something like myapp.{'two', 'one'}. Does that work with guardian, shouldn't there be two separate permissions, like myapp.two and myapp.one?

idlesign avatar Apr 26 '19 04:04 idlesign

You're absolutly right. It should be more like

obj_perms = context['user'].get_all_permissions(item)
labeled_obj_perms = {f"{item._meta.app_label}.{perm}" for perm in obj_perms}
user_perms.update(labeled_obj_perms)

go-run-jump avatar Apr 26 '19 05:04 go-run-jump

We could prepend app label as an option (through settings), but before that I'd like to make sure it solves the problem.

So I'd like to ask you to make a fork of this repo and add guardian into demo, so that I could see how your solution works. If it works fine, we could merge app code changes (excluding demo).

idlesign avatar Apr 27 '19 14:04 idlesign

I've checked the demo, thank you.

In #265 I introduce a new better support for customization. It should cover a wide variety of use cases including yours. Please give it a try, documentation is updated accordingly. Will wait for you feedback.

idlesign avatar May 01 '19 03:05 idlesign

get_permissions will only be called once in check_access because of if user_perms is _UNSET. This means checking per item will not work. I guess this is for unneccessary double checks if the permissions are model-based. Of course now it is possible to overwrite check_access, which is great, but at least this method doesn't do what it promises.

What are your thoughts about this?

go-run-jump avatar Aug 23 '19 06:08 go-run-jump

It seems that we need a caching dict in _current_user_permissions for per-item access checking, but that should be weighted against caching removal.

idlesign avatar Aug 23 '19 10:08 idlesign