View and edit permissions for dashboards

[simonw]

The ability to control who can view a dashboard, and who can edit a dashboard at the individual dashboard level.

[simonw]

I'm going to optionally use Django auth groups for this, if they are defined.

I think a select box for "who can view" and a select box for "who can edit" will work. Following options:

• Anyone (available for view but not for edit)
• Only me (effectively private dashboards)
• Logged in users
• Staff users
• Super users
• Users in group X (one option for each group)

[simonw]

I'm going to add six columns to Dashboard for this:

• created_by - foreign key to User
• created_at - datetime
• view_policy - enum
• edit_policy - enum
• view_group - nullable foreign key to Group
• edit_group - nullable foreign key to Group

[simonw]

The policy enums will cover:

• public (not for view, just edit)
• creator
• loggedin_users
• group
• staff
• superusers

[simonw]

Another view permission option: unlisted - available to the public but only if they know the dashboard URL.

These ones won't be shown on the /dashboard/ index page and will have robots SEO exclusion.

[simonw]

Model changes in the admin (I customized the admin fieldsets):

[simonw]

https://github.com/simonw/django-sql-dashboard/blob/cfe3c18f27d4d0f463c163406b7fe9370f7b560a/django_sql_dashboard/models.py#L6-L59

[simonw]

I'm going to change created_by to owned_by since that makes it clear that it's OK for a user to "transfer ownership" of a dashboard to someone else.

[simonw]

Next steps: get the dashboards to obey these permissions, with comprehensive tests. Editing can still happen through the admin interface for the moment.

Dashboards should include a visible note that explains who is allowed to edit or view the dashboard.

[simonw]

The remaining edit work will take place in #44.