match4everyone / match4everything


View restrictions for access stats #122

Open Baschdl opened 4 years ago

Baschdl commented 4 years ago

How do we restrict access to the access statistics according to can_view_access_stats when it's in a separate app which is at first independent of the matching app?

bjrne commented 4 years ago

Add the corresponding permission in the stats app migrations and check for that one. In the admin interface, permissions are grouped by their content type, which includes its app.

Baschdl commented 4 years ago

Problem is that it would make sense to have the stats_view restriction in the stats app and check this restriction on our profile page, but our app could possibly be used without the stats app. Maybe @kevihiiin knows the best practice for this.

bjrne commented 4 years ago

An academic (:wink:) way would be to have two permissions:

  1. matching.view_access_stats
  2. stats.view_x, stats.view_y (django-generated if stat types are models, else manually added)

and then combine them in a group. Then assign users this group. Now matching would check the first permission for showing the button, and stats would check for the second permission to show the view.

It is best practice to assign permissions to groups and not users directly, meaning this would not make the "permission-giving" harder or more complicated.