Open ezzra opened 5 years ago
Interesting question. I think I was just going for a safe "least privilege" scenario, and thinking of it like a Jira board where a manager controls the lists and staff work on those lists (which has been the case everywhere I've worked). But I can imagine all sorts of permissions / privileges scenarios that are different between projects. The challenge is in tackling that in a clean way that scales to different projects with differently named groups, code that calls a central permissions system without a ton of if/then conditionals all over the place, etc. And I don't have a clear picture in my mind of how that might work. I wouldn't want to dictate the Group names that have to be in place, for example.
The best I can think of would be to have a `TODO_PERMISSIONS` dictionary in settings, where keys are privilege names and values are lists of groups:

```python
TODO_PERMISSIONS = {
    "can_create_lists": ["Managers", "Coders", "Visitors"],
    "can_delete_lists": ["Managers", "Coders"],
    "can_complete_tasks": ["Stunt Pilots", "Visitors"],
}
```

And then have a shared function that returns bool by consulting this mapping against the current user, and finally a template tag to wrap that function. So then you could use things like `if can_create_lists: blah blah` either in python or in template code.
Other ideas?
I welcome contributions on this feature, fwiw - let me know if interested.
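
One way to write the shared check proposed in the comment above, as an added example that is not part of the original thread or django-todo's code. `StubUser`, `validate_permissions` and `has_todo_permission` are hypothetical names, and the stub stands in for a Django user so the block runs without Django; the check denies unknown privileges and anonymous or inactive users, and rejects a bare-string group value that would otherwise match by substring.

```python
from dataclasses import dataclass

# Constructed settings value, in the shape proposed in the comment above.
TODO_PERMISSIONS = {
    "can_create_lists": ["Managers", "Coders", "Visitors"],
    "can_delete_lists": ["Managers", "Coders"],
    "can_complete_tasks": ["Stunt Pilots", "Visitors"],
}


@dataclass
class StubUser:
    """Stand-in for a Django user so the example runs without Django.
    Assumption: real code would build group_names from
    user.groups.values_list("name", flat=True)."""
    group_names: frozenset = frozenset()
    is_authenticated: bool = True
    is_active: bool = True


def validate_permissions(mapping):
    """Fail early on malformed settings. A bare string value such as
    "Managers" would otherwise turn `"Man" in value` into a substring match."""
    for privilege, groups in mapping.items():
        if isinstance(groups, str) or not all(isinstance(g, str) for g in groups):
            raise TypeError(f"{privilege}: expected a list of group names")
    return {p: frozenset(g) for p, g in mapping.items()}


def has_todo_permission(user, privilege, mapping=None):
    """Return True only if an active, logged-in user belongs to a group
    listed for `privilege`. Unknown privilege names are denied by default."""
    allowed = validate_permissions(TODO_PERMISSIONS if mapping is None else mapping)
    if not (user.is_authenticated and user.is_active):
        return False
    return not allowed.get(privilege, frozenset()).isdisjoint(user.group_names)
```

A template tag would be a thin wrapper that passes `request.user` and the privilege name to `has_todo_permission`.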
Related issues: #5, #25 -- Aka, we've talked about this before. :smirk:
@shacker @ezzra how about https://github.com/dfunckt/django-rules ?
I'm a big fan of django-rules, but since todo is a plugin for existing sites, I'm very interested in keeping the number of dependencies as limited as possible. I'll think about it...
Is there a specific reason why only staff/admin users are allowed to create lists? I would like to allow users to create without having access to admin pages. Is that just a lack of permissions or is there another reason for this?