Reputation: 7384
I am currently practicing the permission modules of Django.
These are my models:
from django.db import models

# Create your models here.
class School(models.Model):
    name = models.CharField(max_length=100)
    address = models.TextField()

    def __unicode__(self):
        return self.name


class Teacher(models.Model):
    school = models.ForeignKey(School)
    first_name = models.CharField(max_length=50)
    middle_name = models.CharField(max_length=50)
    last_name = models.CharField(max_length=50)

    def name(self):
        return '{0} {1} {2}'.format(self.first_name,
                                    self.middle_name,
                                    self.last_name)

    def __unicode__(self):
        return self.name()


class Section(models.Model):
    """
    This model must only be manipulated by its respective teacher
    """
    teacher = models.ForeignKey(Teacher)
    name = models.CharField(max_length=100)

    def __unicode__(self):
        return self.name


class Student(models.Model):
    """
    This model must only be manipulated by its respective teacher
    """
    section = models.ForeignKey(Section)
    first_name = models.CharField(max_length=50)
    middle_name = models.CharField(max_length=50)
    last_name = models.CharField(max_length=50)

    def name(self):
        return '{0} {1} {2}'.format(self.first_name,
                                    self.middle_name,
                                    self.last_name)

    def __unicode__(self):
        return self.name()


class Subject(models.Model):
    """
    This model must only be manipulated by its respective student
    """
    student = models.ForeignKey(Student)
    name = models.CharField(max_length=50)
    code = models.CharField(max_length=50)

    def __unicode__(self):
        return self.name
And in my django-admin I created groups like:
principal # Can change, add and delete Teacher Model
teacher # Can change, add and delete Student and Section Model
school_admin # Can change, add and delete School Model
student # Can change, add and delete Subject Model
In my views.py, I tried authenticating and logging in a user, then logging in a user that has the teacher group, then creating a School object like:
from django.contrib.auth import authenticate, login
from django.http import HttpResponse, HttpResponseRedirect
from django.shortcuts import render

from .forms import LoginForm   # assumed location; the form is not shown in the question
from .models import School


def index(request):
    template = 'login.html'
    user = request.user
    login_form = LoginForm(request.POST or None)
    context_dict = {'login_form': login_form}
    if user.is_authenticated():
        groups = user.groups
        print 'User:'
        print user
        if groups.filter(name='teacher').exists():
            print 'Teachers'
            # The code below will save even though it is not in its permission
            School.objects.create(name='DPS', address='Some Address')
        return HttpResponse("Login")
    if request.method == 'POST':
        if login_form.is_valid():
            username = login_form.cleaned_data['username']
            password = login_form.cleaned_data['password']
            # print (login_form.cleaned_data)
            # user = authenticate(username=username, password=password)
            user = authenticate(email=username, password=password)
            if user is not None:
                if user.is_active:
                    login(request, user)
                    return HttpResponseRedirect('/')
            else:
                return HttpResponse("Wrong Username Password")
    return render(request, template, context_dict)
The School object got created. But I expected it not to be created, because the logged-in user does not have the permission to create School objects. Am I missing something to enable what I'm expecting without doing much coding? Or do I really have to put a conditional statement with the use of Groups and Permissions manually in the views?
Upvotes: 0
Views: 219
Reputation: 1571
I believe the line
School.objects.create(name='DPS', address='Some Address')
is an independent expression. As long as it passes the teacher filter, it will execute, because the code has no idea about the context or the permission. You can simply use conditionals to achieve what you want.
Upvotes: 1
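Added example (not from the question or the answer) of the check the ORM never performs: the create is gated at the view with the same contract as Django's `permission_required(..., raise_exception=True)`, using the four groups from the question as `app_label.action_model` codenames. It is written to run without Django installed, so `StubUser`, `Request`, `PermissionDenied`, `CREATED` and the app label `school` are stand-ins and assumptions; on a real project the gate is `@permission_required('<app_label>.add_school', raise_exception=True)` on the view, or `request.user.has_perm('<app_label>.add_school')` before `School.objects.create()`.

```python
class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (Django answers it with a 403)."""

class StubUser(object):
    """Stand-in for django.contrib.auth.models.User: permissions come from the groups."""
    # The question's four groups as Django 'app_label.action_model' codenames;
    # the app label 'school' is assumed, the question does not show it.
    GROUP_PERMS = {
        'principal': {'school.add_teacher', 'school.change_teacher', 'school.delete_teacher'},
        'teacher': {'school.add_section', 'school.change_section', 'school.delete_section',
                    'school.add_student', 'school.change_student', 'school.delete_student'},
        'school_admin': {'school.add_school', 'school.change_school', 'school.delete_school'},
        'student': {'school.add_subject', 'school.change_subject', 'school.delete_subject'},
    }

    def __init__(self, groups):
        self.groups = set(groups)

    def has_perm(self, perm):
        return any(perm in self.GROUP_PERMS[g] for g in self.groups)

class Request(object):  # just enough of HttpRequest for the view
    def __init__(self, user):
        self.user = user

def permission_required(perm):
    """Same contract as django.contrib.auth.decorators.permission_required(perm,
    raise_exception=True): the view body, and so the ORM write, needs the perm."""
    def decorator(view):
        def wrapper(request, *args, **kwargs):
            if not request.user.has_perm(perm):
                raise PermissionDenied(perm)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

CREATED = []  # constructed stand-in for the School table

@permission_required('school.add_school')
def create_school(request, name, address):
    # stands in for School.objects.create(...), which by itself checks nothing
    CREATED.append({'name': name, 'address': address})
    return len(CREATED)

def try_create(user, name, address):
    # True if the create went through, False if the gate refused it
    try:
        create_school(Request(user), name, address)
        return True
    except PermissionDenied:
        return False
```

Note that Django's model permissions are per model, not per row: the "only by its respective teacher" rule in the model docstrings still needs the view to filter Section and Student by the requesting teacher before it changes anything.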