Workgroups and permissions

[lucalenardi]

Hi.

I'm experiencing a strange problem that seems to be connected with the workgroups permissions management.

As far as I know, there is a setting that set the workgroup to enabled/disabled. Anyway, even if I have set it to False the admin section is removed as expected, but all the contents are still visible only to admins or to users belonging to the workgroup.

I've checked the admin files and I've seen that the queryset method has been overridden to filter the queryset on a per-workgroup basis. Probably it doesn't check against the setting and still works even with workgroups disabled.

Am I missing something?

[Fantomas42]

Hi Luca, first of all, the contents are always displayed for the superusers. And it's true that workgroups are always enabled for non-superusers... bug.

The fact is I does not wanted to add working group support directly in the newsletter application and use an external application. But for some customer considerations and a lack of this kind of application in Django, I have added a really basic support for workgroups, and it's not really tested excepted by me and few coworkers.

I hate this part of the application, because of some magic and ugly code and the not really clear behavior of the application, but excepting that and your bug, it's working well.

Your suggestions are welcome.

[lucalenardi]

Hi!

Perhaps, the bug could be fixed by adding a decorator that checks against the settings to find if the workgroups are enabled or not.

Anyway, a more elegant, yet complex solution, could be using the support for object-level permissions as introduced by the latest Django release (1.2). It requires to write a backend and rewrite a bit of code, but the admin integration should be fairly simple.

Which solution do you like most? I can try to put something together in the next couple of weeks.

Let me know, bye.

[Fantomas42]

Hi !

The most interessting solution is to write the backend for object-level permissions, in conclusion with a discussion with Shao197.

But another solution is to write a frontend for the application... Because the admin need to rest the admin, not to be the application.

I'm actually in brainstorming about this.

[lucalenardi]

Ok. Why don't you go further with the discussion here, or in another ticket? I would be glad to participate.

Thanks!

[jfache]

Hi Luca,

Glad to see that you're interested in this project. I've been thinking a lot about how to implement object level permissions and Django Advent idea (http://djangoadvent.com/1.2/object-permissions/) is definitively the way to go, as it stays outside the newsletter app.

Implementing object-level-permissions would be the first and main step. A frontend is optionnal for now. I wrote some really basic code to test Django Advent concept and it worked ok. I can share it with you if you want.

Keep me posted!

[Fantomas42]

Hi, even if no solution are already provided to remove the workgroups of the application, this commit should fix the latest issues experienced with the workgroups.

Fantomas42/emencia-django-newsletter@18a81af81f5d78c9e1da20c13ad5c0081792a9b8

Maybe this project could help for future: https://github.com/praekelt/django-sharing

Regards