Remove (or hide) default Permissions from Django

醉酒成梦 2021-01-30 17:53

I'm developing a Django app that will have two administration backends. One for daily use by "normal" users and the default one for more advanced tasks and for the developers

8 answers
  • 2021-01-30 18:27

    UPDATE: Django 1.7 supports the customization of default permissions

    Original Answer

    The following is valid for Django prior to version 1.7

    This is standard functionality of the auth contrib application.

    It handles the post_syncdb signal and creates the permissions (the standard 3: add, change, delete, plus any custom ones) for each model; they are stored in the auth_permission table in the database.

    So, they will be created each time you run the syncdb management command

    You have some choices. None is really elegant, but you can consider:

    1. Dropping the auth contrib app and provide your own authentication backend.

      Consequences -> you will lose the admin and other custom apps built on top of the auth User model, but if your application is highly customized that could be an option for you

    2. Overriding the behaviour of the post_syncdb signal inside the auth app (inside \django\contrib\auth\management\__init__.py file)

      Consequences -> be aware that without the basic permissions the Django admin interface won't be able to work (and maybe other things as well).

    3. Deleting the basic permissions (add, change, delete) for each model inside the auth_permission table (manually, with a script, or whatever).

      Consequences -> you will lose the admin again, and you will need to delete them each time you run syncdb.

    4. Building your own Permission application/system (with your own decorators, middlewares, etc..) or extending the existing one.

      Consequences -> none, if you build it well - this is one of the cleanest solutions in my opinion.

    A final consideration: changing the contrib applications or the Django framework itself is never considered a good thing: you could break something, and you will have a hard time if you need to upgrade to a newer version of Django.

    So, if you want to be as clean as possible, consider rolling your own permission system, or extending the standard one (django-guardian is a good example of an extension to Django permissions). It won't take much effort, and you can build it the way it feels right for you, overcoming the limitations of the standard Django permission system. And if you do good work, you could also consider open-sourcing it to enable other people to use/improve your solution =)

  • 2021-01-30 18:31

    If you are creating your own user management backend and only want to show your custom permissions, you can filter out the default permissions by excluding permissions with a name that starts with "Can".

    WARNING: You must remember not to name your permissions starting with "Can"!!!! If they decide to change the naming convention this might not work.

    With credit to pmdarrow this is how I did this in my project:

    from django import forms
    from django.contrib import admin
    from django.contrib.auth.forms import UserChangeForm
    from django.contrib.auth.models import Permission, User
    from django.utils.translation import ugettext_lazy as _

    class UserEditForm(UserChangeForm):
        class Meta:
            model = User

            exclude = (
                'last_login',
                'is_superuser',
                'is_staff',
                'date_joined',
            )

        # Offer only permissions whose display name does not start with "Can"
        user_permissions = forms.ModelMultipleChoiceField(
            Permission.objects.exclude(name__startswith='Can'),
            widget=admin.widgets.FilteredSelectMultiple(_('permissions'), False))
    
  • 2021-01-30 18:32

    A new feature introduced in Django 1.7 is the ability to define the default permissions. As stated in the documentation, if you set this to empty, none of the default permissions will be created.

    A working example would be:

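    from django.db import models

    class Blar1(models.Model):
        id = models.AutoField(primary_key=True)
        name = models.CharField(max_length=255, unique=True, blank=False, null=False, verbose_name="Name")

        class Meta:
            # An empty tuple means no add/change/delete permissions are created for this model
            default_permissions = ()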
    
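An added example, not part of any answer on this page: both the "Can" name-prefix filter and the `default_permissions` option deal with the auto-generated rows in auth_permission, and this plain-Python sketch identifies those rows by codename shape (`<action>_<model>`) instead of by display name. It shows a custom permission that the name filter would hide, and the default rows that remain in the table after `default_permissions` is emptied. The row dictionaries, sample data and function names are assumptions made for illustration.

```python
# Added example: plain Python over constructed rows shaped like
# auth_permission joined to its content type. All names are assumptions.

# The three actions the page lists; Django 2.1+ also generates "view".
DEFAULT_ACTIONS = ("add", "change", "delete")

# Constructed sample data, not taken from a real database.
ROWS = [
    {"model": "article", "codename": "add_article", "name": "Can add article"},
    {"model": "article", "codename": "change_article", "name": "Can change article"},
    {"model": "article", "codename": "delete_article", "name": "Can delete article"},
    {"model": "article", "codename": "publish_article", "name": "Can publish article"},
    {"model": "article", "codename": "embargo_override", "name": "Override embargo"},
]


def default_action(row, actions=DEFAULT_ACTIONS):
    """Return the action if the codename is exactly '<action>_<model>', else None."""
    for action in actions:
        if row["codename"] == f"{action}_{row['model']}":
            return action
    return None


def custom_permissions(rows):
    """Codenames that should stay visible in a permissions picker."""
    return [r["codename"] for r in rows if default_action(r) is None]


def hidden_by_name_prefix(rows, prefix="Can"):
    """Codenames that a name__startswith='Can' exclusion would hide."""
    return [r["codename"] for r in rows if r["name"].startswith(prefix)]


def wrongly_hidden(rows):
    """Custom permissions lost to the name-prefix filter."""
    hidden = set(hidden_by_name_prefix(rows))
    return [c for c in custom_permissions(rows) if c in hidden]


def stale_defaults(rows, declared):
    """Default-shaped rows whose action is no longer in the model's
    Meta.default_permissions (declared: model -> tuple of actions).
    Django only creates missing rows, so these stay until deleted."""
    return [r["codename"] for r in rows
            if default_action(r) not in
            (None, *declared.get(r["model"], DEFAULT_ACTIONS))]


if __name__ == "__main__":
    print(wrongly_hidden(ROWS))
    print(stale_defaults(ROWS, {"article": ()}))
```
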
  • 2021-01-30 18:33

    Built on top of the solution by @pmdarrow, I've come up with a relatively clean solution to patch the Django admin views.

    See: https://gist.github.com/vdboor/6280390

    It extends the User and Group admin to hide certain permissions.

  • 2021-01-30 18:35

    I struggled with this same problem for a while and I think I've come up with a clean solution. Here's how you hide the permissions for Django's auth app:

    from django import forms
    from django.contrib import admin
    from django.contrib.auth.models import Group, Permission
    from django.utils.translation import ugettext_lazy as _

    # MyGroup is not defined in this snippet; it is assumed to be your own group model.

    class MyGroupAdminForm(forms.ModelForm):
        class Meta:
            model = MyGroup

        # Leave the auth app's own permissions out of the picker
        permissions = forms.ModelMultipleChoiceField(
            Permission.objects.exclude(content_type__app_label='auth'),
            widget=admin.widgets.FilteredSelectMultiple(_('permissions'), False))


    class MyGroupAdmin(admin.ModelAdmin):
        form = MyGroupAdminForm
        search_fields = ('name',)
        ordering = ('name',)

    # Replace the stock Group admin with the filtered one
    admin.site.unregister(Group)
    admin.site.register(MyGroup, MyGroupAdmin)
    

    Of course it can easily be modified to hide whatever permissions you want. Let me know if this works for you.

  • 2021-01-30 18:36

    ShadowCloud gave a good rundown. Here's a simple way to accomplish your goal.

    Add these lines in your admin.py:

    from django.contrib.auth.models import Permission
    admin.site.register(Permission)
    

    You can now add/change/delete permissions in the admin. Remove the unused ones and when you have what you want, go back and remove these two lines from admin.py.

    As was mentioned by others, a subsequent syncdb will put everything back.
