Django permissions, code ourselves or use app?

Posted 2019-04-08 07:23

Question:

This question is (I think) about object/row level permissions in Django.

We are building a community and need to be able to set permissions based on actions that users take. For example, you should not be able to start a thread until you have posted so and so many answers.

Also, the users should be able to remove content that belongs to themselves. Based on the Django documentation, it seems like the standard framework does not support permissions for instances.

Should we build on the "empty" API that Django supplies, or should we use an app for this like django-guardian, django-rules, etc? Which ones would you in that case recommend?

Thank you!

Answer 1:

> you should not be able to start a thread until you have posted so and so many answers.

You don't need to use per-object permissions for that. Actually, you don't need to use permissions for that at all. Just check if the user meets the requirements in your views.

Or you can use the standard Django permissions engine. Create permissions like "Start a Thread", then set up signals to track when users add answers. When the signal is emitted, check if a user has enough answers and grant him the "Start a Thread" permission.

It's up to you to decide which one works better for you.

> Also, the users should be able to remove content that belongs to themselves.

This can be done with per-object permissions. But if it's the only reason to use them then I'd just add a field author to your models and use a simple item.author == request.user check to test if the user can delete the item.

So, my general advice is to keep it simple. Analyze your needs. Per-object permissions are a powerful tool which may be overkill in your situation.



Answer 2:

I recommend you go with Django-guardian.

  1. Django-guardian

    Great, DRY, maintained and well-tested app, that solves the issue. As of today, this is the most maintained and actively developed library for implementing per-object permissions.

    We are currently using django-guardian in one of our big projects and are very pleased with stability and functionality.

    Django-guardian source code is very simple and easy to understand because it is built upon the permission code in Django core.

    However, there is a minor issue with Django permissions for proxy models which is not fixed in Django core thus making it really tricky to set permissions (global and per-object alike) for them. One of the ways to overcome this is to declare all permissions in a non-proxy object and query for them every time when you need to check for permission to access a proxy model.

  2. Per-object permission library by OSU Open Source Lab

    It is more of a standalone application than Django-guardian and supports older versions of Django. This app is relatively well maintained. (I personally haven't used it.)

  3. Other solutions from older posts.

    But most of them are poorly maintained.

Of course, if you need to implement only a few minor checks, row-level permissions are overkill, just like Andrey said.
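
The "empty" API the question mentions is the obj argument that Django hands to every authentication backend's has_perm(). The following is an added example, not code from either answer, showing both rules from the question written directly against that hook. The forum app label, the permission codenames, the author_id field, the answers related name and the threshold of 5 are all assumptions.

```python
from types import SimpleNamespace

MIN_ANSWERS_TO_START_THREAD = 5  # assumed threshold; the page gives no number


class CommunityRulesBackend:
    """Authorization-only backend. List it in AUTHENTICATION_BACKENDS after
    django.contrib.auth.backends.ModelBackend; views then call
    request.user.has_perm("forum.delete_post", post)."""

    def authenticate(self, request, **credentials):
        return None  # never logs anyone in; it only answers has_perm()

    def has_perm(self, user_obj, perm, obj=None):
        # Fail closed for anonymous and deactivated accounts.
        if not getattr(user_obj, "is_authenticated", False) or not user_obj.is_active:
            return False
        if perm == "forum.add_thread":
            # Action-based rule: no row is involved, so obj is ignored.
            return user_obj.answers.count() >= MIN_ANSWERS_TO_START_THREAD
        if perm == "forum.delete_post":
            # Row-level rule: without the row there is nothing to own, so a
            # call that forgets to pass obj is denied rather than granted.
            return obj is not None and obj.author_id == user_obj.pk
        return False  # unknown permission: other backends decide


def make_user(pk, answers, active=True):
    # Constructed stand-in for a User row so the block runs without a project.
    return SimpleNamespace(pk=pk, is_active=active, is_authenticated=True,
                           answers=SimpleNamespace(count=lambda: answers))


backend = CommunityRulesBackend()
alice = make_user(1, answers=7)
bob = make_user(2, answers=2)
post_by_bob = SimpleNamespace(author_id=2)  # constructed sample row

if __name__ == "__main__":
    for user, perm, row in [(alice, "forum.add_thread", None),
                            (bob, "forum.add_thread", None),
                            (bob, "forum.delete_post", post_by_bob),
                            (alice, "forum.delete_post", post_by_bob),
                            (bob, "forum.delete_post", None)]:
        print(user.pk, perm, row is not None, backend.has_perm(user, perm, row))
```

Django's User.has_perm() returns True for an active superuser before any backend is consulted, so these rules constrain ordinary accounts only.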