hagsteel / swampdragon

Restrict user access to published data #170

Closed AlexejStukov closed 8 years ago

AlexejStukov commented 8 years ago

I have several objects of the model `Foo(SelfPublishModel, models.Model)` and a `FooRouter(ModelRouter)`. The website is already running on an internal server and pushes the changed states of the Foo-objects to the users, but until now every logged-in user can see (e.g. via the DevTools in Chrome) the changes on every Foo-object. I want to change that, so only a subgroup of users, who have permission to do so, can view the updates on one Foo-object. For the static part this is already achieved via django-guardian. The documentation mentions using `get_subscription_contexts(self, **kwargs)` for this kind of problem, but it is kind of confusing. So how can I limit the user access to each Foo-object individually (preferably using the same permission rules from django-guardian)? Should I use swampdragon-auth for this, and how can I handle more than one user with it? My source code looks like this:

```python
# [models.py]
# ...
from django.db import models
from swampdragon.models import SelfPublishModel
from .serializers import FooSerializer

class Foo(SelfPublishModel, models.Model):
    class Meta:     # for django-guardian
        permissions = (
            ('view_permission', 'View permission'),
        )
    number = models.CharField(primary_key=True, max_length=6, blank=False)
    # ...
    name = models.CharField(max_length=100, default="some foo", blank=False)
```

```python
# [router.py]
from swampdragon import route_handler
from swampdragon.route_handler import ModelPubRouter
from swampdragon.route_handler import ModelRouter, BaseRouter
from .models import Foo
from .serializers import FooSerializer

class FooRouter(ModelRouter):

    serializer_class = FooSerializer
    model = Foo
    route_name = "foo-route"

    # Note: neither method below checks who is asking.
    def get_object(self, **kwargs):
        return self.model.objects.get(pk=kwargs["pk"])

    def get_query_set(self, **kwargs):
        return self.model.objects.all()

route_handler.register(FooRouter)
```

```python
# [serializers.py]
from swampdragon.serializers.model_serializer import ModelSerializer
# ...
class FooSerializer(ModelSerializer):
    class Meta:
        model = "app.Foo"
        publish_fields = ("number", "name") # and others
# ...
```

Thanks in advance. Edit: I'm using Django 1.8, django-guardian 1.3.1 and swampdragon 0.4.2.1.

AlexejStukov commented 8 years ago

Never mind. I figured it out. Wasn't that difficult after all. Now all I have is the "deleted" bug for updates in non-subscribed channels, which should be fixed in 4.3.
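
The thread does not record the fix that was used. As an added example (not part of the thread, and not SwampDragon or django-guardian code), this framework-independent sketch shows the control the question asks for: per-object authorization enforced on the server both when a subscription is requested and again when an update is published. `FooChannelHub`, `can_view` and the `VIEW_GRANTS` table are hypothetical names, and the table is a constructed stand-in for the django-guardian `view_permission` lookup.

```python
# Constructed stand-in for the per-object permission store: (username, Foo pk)
# pairs holding 'view_permission'. Assumption: in a Django project this lookup
# would be answered by django-guardian instead.
VIEW_GRANTS = {("alice", "F00001"), ("bob", "F00001"), ("bob", "F00002")}


def can_view(user, pk):
    """Hypothetical permission check for one user on one Foo object."""
    return (user, pk) in VIEW_GRANTS


class FooChannelHub:
    """Tracks which connection is subscribed to updates of which Foo object."""

    def __init__(self):
        self._subs = {}    # pk -> set of (conn_id, user)
        self.outbox = {}   # conn_id -> messages delivered to that connection

    def subscribe(self, conn_id, user, pk):
        # Authorize when the subscription is requested. The pk comes from the
        # browser, so it is a request to be checked, not a fact to be trusted.
        if user is None or not can_view(user, pk):
            return False
        self._subs.setdefault(pk, set()).add((conn_id, user))
        self.outbox.setdefault(conn_id, [])
        return True

    def publish(self, pk, fields):
        # Re-check at publish time so a revoked grant stops delivery even
        # though the socket is still open. sorted() iterates over a copy,
        # which makes removing stale subscribers inside the loop safe.
        delivered = []
        for conn_id, user in sorted(self._subs.get(pk, ())):
            if not can_view(user, pk):
                self._subs[pk].discard((conn_id, user))
                continue
            self.outbox[conn_id].append({"pk": pk, **fields})
            delivered.append(conn_id)
        return delivered
```

Checking only at subscribe time leaves a gap when a grant is removed during a long-lived connection; the second check in `publish` closes it.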