Implement object based permissions #63
Assignees
Labels
status: accepted
This issue has been accepted for implementation
type: feature
Introduction of new functionality to the application
Milestone
Comments
jokiefer
added
type: feature
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environment
Proposed Functionality
The built in django permission handling should be enhanced by a object level permission handling from django-guardian.
remove get_services()
remove get_services_as_qs()
remove get_metadatas_as_qs()
remove get_datasets_as_qs()
implement PermissionListMixin for all
ListViewschange from django PermissionRequiredMixin to PermissionRequiredMixin
Use Case
security benefit
Since #52, the permission handling is only model based. For example, a user could delete a group if he has the
structure.remove_mrmapgrouppermission in any case. We need also permission handling on object level. This means a user shall only be able to delete a group, if he has specific permissions for this specific group.filter querysets benefit
With the PermissionListMixin the user will only see object for that he has permissions.
Database Changes
add signals to create permissions on object creation
implement dependency workflow on delete group with the following options:
If a group has dependencies (objects created_by the group), the group can not be deleted. The user will be forced to decide what to do with his objects. Two options:
External Dependencies
django-guardian
The text was updated successfully, but these errors were encountered: