Open j4mie opened 3 years ago
Are you using the Django Admin for that project? I hadn't considered the case where someone might have a user account that diverges in this way.
The "edit" mechanism is currently entirely dependent on the Django Admin, though that could change in the future.
I think the way to address this would be to switch over to more of a class-based-view approach to allow people to subclass the dashboard views and implement things like their own custom permissions.
I'm not opposed to doing that, but it's not going to be a priority for a while I imagine.
So yeah, the easiest way to get SQL Dashboard running here would be to spin up a separate app with the Django default user/permissions stuff configured and then point that at the read-only database connection.
See also #113 - feature request for custom auth.
We do use the Django Admin, but we only expose it to internal users (i.e. devs). We have a single boolean flag is_superuser which distinguishes users that can log into the Admin from those that can't. We assume that any user that can access the Admin automatically has permission to do anything with any model (hence the has_module_perms and has_perm both return True in the model above).
I imagine this setup isn't all that uncommon - after all the PermissionsMixin is an optional mixin for custom User models, so it's likely that plenty of Django users do something like this.
I suppose a CBV approach would be one way of solving this. Or maybe a function-based view factory which allows you to pass in a custom function as an argument that the view uses to get a list of visible dashboards for the current user? django-sql-explorer solves this sort of thing by putting callback functions in settings, but I always thought that approach was a bit odd.
I just tried to install django-sql-dashboard on an internal project and immediately got an error when going to /dashboard/:
After a bit of digging, I discovered that the culprit was this line in Dashboard.get_visible_to_user:
The last bit there assumes that you have a User model which is using the PermissionsMixin (or otherwise has a groups relationship).
In my project, the User model is very simple:
In other words - users can access /admin/ if their is_superuser flag is set, but otherwise are just logged in and can access everything. I'm not using the Django permissions system at all, really.
I'm not sure how to fix this in the general case - could django-sql-dashboard somehow detect whether the groups relationship exists? Or should it be a setting? Or an entirely custom auth system? Or should I just stop being difficult and install the Django permissions system like everyone else? 🙂
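The detection option raised in this issue, sketched as an added example in plain Python; it is not code from django-sql-dashboard or from anyone in the thread. The `Dashboard`, `SimpleUser` and `GroupUser` classes and the policy names are hypothetical stand-ins, and the point shown is that a user model without a `groups` relation should hide group-restricted dashboards rather than raise or show them.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical stand-ins, not django-sql-dashboard's models or policy names.
@dataclass
class Dashboard:
    slug: str
    owner: str
    view_policy: str                  # "private", "loggedin", "group", "superuser"
    view_group: Optional[str] = None

@dataclass
class SimpleUser:                     # like the reporter's model: no groups relation
    username: str
    is_superuser: bool = False

@dataclass
class GroupUser(SimpleUser):          # like a model built on PermissionsMixin
    groups: set = field(default_factory=set)

def user_group_names(user):
    """Return the user's group names, or None if the model has no groups."""
    groups = getattr(user, "groups", None)
    return None if groups is None else set(groups)

def visible_to_user(dashboards, user):
    """Slugs the user may view; group checks are skipped when unsupported."""
    groups = user_group_names(user)
    visible = []
    for d in dashboards:
        if d.owner == user.username or d.view_policy == "loggedin":
            visible.append(d.slug)
        elif d.view_policy == "superuser" and user.is_superuser:
            visible.append(d.slug)
        elif d.view_policy == "group" and groups is not None and d.view_group in groups:
            # Fail closed: without a groups relation, group dashboards stay hidden.
            visible.append(d.slug)
    return visible

# Constructed sample data.
DASHBOARDS = [
    Dashboard("sales", "alice", "group", "analysts"),
    Dashboard("ops", "alice", "loggedin"),
    Dashboard("audit", "alice", "superuser"),
    Dashboard("scratch", "alice", "private"),
]
```
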