I've found 3 row-level permission solutions for Django 1.2+
Could someone tell if there is any recommended more than the others, what are their main differences, etc.?
I've found 3 row-level permission solutions for Django 1.2+
Could someone tell if there is any recommended more than the others, what are their main differences, etc.?
I'll start this by saying we use none of these for object level permission - we use our own custom method and I really wish we hadn't. If you can avoid object level permissions at all, do so, they are a pain to organise.
This is how I evaluate the 3 apps you've mentioned.
Active Development:
API
The above are in order by the way.
I'd recommend guardian purely on API alone, but the fact that it is still being developed where the others aren't usually means a big win.
As for Aug '13, django-object-permissions has been superseded by django-permission. The 3 projects are on active development.
Personally, I prefer authority or permission, which uses methods for checking permissions (runtime), rather than django-guardian which uses database to keep the permissions (attached upon object creation, f.e.).
-- EDIT --
Examples from the docs.
joe = User.objects.create(username='joe') task = Task.objects.create(summary='Some job', content='', reported_by=boss) joe.has_perm('view_task', task) >> False assign_perm('view_task', joe, task) joe.has_perm('view_task', task) >> True
You assign the permission and keep it in database.
Declaration:
class FlatpagePermission(permissions.BasePermission): label = 'flatpage_permission' checks = ('morning_flatpage_check',) def morning_flatpage_check(self, flatpage): hour = int(datetime.datetime.now().strftime("%H")) if hour >= 8 and hour <= 12 and flatpage.url == '/about/': return True return False authority.register(Flatpage, FlatpagePermission)
Usage:
def my_view(request): check = FlatPagePermission(request.user) flatpage_object = Flatpage.objects.get(url='/homepage/') if check.morning_flatpage_check(flatpage=flatpage_object): print "Yay, you can change *this* flatpage!"
It also wraps standard django permissions, but you can see the flexibility in the above custom permission which -AFAIK- you cannot do in guardian.
A Student can belong to Classroom(s).
guardian:
'attend_classroom'
to Student over Classroom object.'attend_classroom'
permission to Student over Classroom object. 'attend_classroom'
permission.authority:
ClassroomPermission.can_attend_classroom()
, which will query if Student belongs to Classroom.ClassroomPermission.can_attend_classroom()
Authority keeps the checking logic in a separate file. Guardian needs attach/detaching permissions though the rest of the code.