Per-actions Permissions.

[carltongibson]

Scenario:

• Public access to List and Detail views.
• Restricted access to edit views.

Needs a hook into ModelView.get_urls() since parsing the end-list to wrap the view callbacks isn't fun. But the most vanilla approach is to wrap the view, rather than add a DRF-style check_permissions() hook on the view class itself.

[carltongibson]

Decorators take various kwargs.

        staff_member_required(..., login_url="/", redirect_field_name=None),

🔨: Using partial when defining a map?

[tissieres]

Hello Carlton, This is a functionality that I need for my current project. I was planning to implement something that relies on the built-in model permissions. Do you prefer something more generic using decorators? Maybe I could propose a PR, but I will need your guidance on how to do that first :wink:

[carltongibson]

Hi @tissieres.

I'm still working on the details of the desired API here.

Normally I'd be very grateful for input but I do want to handle this one myself.

A first pass would be to implement a check_permissions and call that at the appropriate place in the view.

We're still at the early stage here so there's no wrong answers yet.

I know that's not very specific but I hope it helps.

[tissieres]

No problem. I will test some approaches on my side and if I find something really elegant, I'll come back to you. Thanks for neapolitan, fun project!

[carltongibson]

Thanks! Let me know what you come up with!

[tissieres]

That was simple finally:

    @classonlymethod
    def get_urls(cls):
        verbose_name = cls.model._meta.model_name
        app_label = cls.model._meta.app_label
        urlpatterns = [
            path(
                f"{verbose_name}/",
                permission_required(f"{app_label}.view_{verbose_name}")(
                    cls.as_view(role=Role.LIST)
                ),
                name=f"{verbose_name}-list",
            ),
            path(
                f"{verbose_name}/new/",
                permission_required(f"{app_label}.add_{verbose_name}")(
                    cls.as_view(role=Role.CREATE)
                ),
                name=f"{verbose_name}-create",
            ),
...

I also added a check of the permissions in the object_list template tag to restrict the actions and in the object_list.html template to remove the "add button" depending on them.

[carltongibson]

Yes, wrapping the view callbacks in get_urls() is a very good way to go!