Controlling Django auth user access to specific object instances

无人及你 2021-01-22 16:34

In my Django project, I have various users created by Django's built-in authentication system. Each user can create their own instances of the App model. I would

3 Answers
  • 2021-01-22 17:10

    I would put the form submission in a different view and write a custom decorator, which you could also use for similar issues. I would also return a 404 instead of access denied. You might not want to show users that you are protecting something.

  • 2021-01-22 17:10

    There is a decorator called user_passes_test that restricts access to a view based on whether the user passes a certain check.

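    from django.contrib.auth.decorators import login_required, user_passes_test

    # user_passes_test calls the test with request.user only, so `app`
    # must already be in scope when the check runs.
    @login_required
    @user_passes_test(lambda user: user.username == app.user.user.id)
    def MyView(request):
        ...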
    

    You can also add in an optional argument for a url to redirect to in the event they fail the check.

    Trying to do this from the admin page is also pretty easy, but takes a few extra steps.

    Docs Here

  • 2021-01-22 17:21

    This is called row-level permissions and it's a very common problem. See here for all the apps that solve it.

    If that particular test is all you need to do, go for a custom solution like yours (though, since it's boilerplate, it's preferable to move it to a decorator). Otherwise, just use an existing app.

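The custom decorator and the 404-instead-of-403 response suggested in the answers above, as an added example that is not code from the thread. The names `owner_required` and `load_object`, the `user` attribute on the object, and the stand-in request, user and App objects are assumptions made for illustration.

```python
from functools import wraps
from types import SimpleNamespace

try:
    from django.http import Http404
except ImportError:  # stand-in so the example also runs without Django
    class Http404(Exception):
        pass


def owner_required(load_object, owner_attr="user"):
    """Run the view only when request.user owns the object named in the URL.

    load_object(pk) is a hypothetical hook returning the object or None; in a
    project it could be: lambda pk: App.objects.filter(pk=pk).first()
    """
    def decorator(view):
        @wraps(view)
        def wrapper(request, pk, *args, **kwargs):
            obj = load_object(pk)
            # "Missing" and "owned by someone else" raise the same 404, so
            # the response does not reveal which primary keys exist.
            if obj is None or getattr(obj, owner_attr) != request.user:
                raise Http404("No such object")
            # Hand the already-checked object to the view, not the raw pk.
            return view(request, obj, *args, **kwargs)
        return wrapper
    return decorator


# --- constructed stand-ins for users and App instances ---
ALICE = SimpleNamespace(username="alice")
BOB = SimpleNamespace(username="bob")
APPS = {1: SimpleNamespace(user=ALICE, title="alice-app"),
        2: SimpleNamespace(user=BOB, title="bob-app")}


@owner_required(APPS.get)
def edit_app(request, app):
    return "editing " + app.title


def status(user, pk):
    """Call the protected view as `user`; return its result or 404."""
    try:
        return edit_app(SimpleNamespace(user=user), pk)
    except Http404:
        return 404
```

In a Django project the decorator would sit under `@login_required`, so anonymous requests are redirected to the login page before the ownership check runs.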