django-object-permissions Vs django-guardian Vs django-authority

孤街醉人 submitted on 2019-11-29 22:13:47

I'll start this by saying we use none of these for object level permission - we use our own custom method and I really wish we hadn't. If you can avoid object level permissions at all, do so, they are a pain to organise.

This is how I evaluate the 3 apps you've mentioned.

Active Development:

  1. django-guardian (1 week ago)
  2. django-object-permissions (1 year ago)
  3. django-authority (nearly 2 years ago)

API

  1. django-guardian (save an instance of a defined model)
  2. django-object-permissions (register permissions)
  3. django-authority (define classes)

The above are in order by the way.

I'd recommend guardian purely on API alone, but the fact that it is still being developed where the others aren't usually means a big win.

As of Aug '13, django-object-permissions has been superseded by django-permission. The 3 projects are in active development.

Personally, I prefer authority or permission, which use methods for checking permissions (runtime), rather than django-guardian, which uses the database to keep the permissions (attached upon object creation, f.e.).

-- EDIT --

Examples from the docs.

django-guardian

from django.contrib.auth.models import User
from guardian.shortcuts import assign_perm

# Task and boss are assumed to be defined already
joe = User.objects.create(username='joe')
task = Task.objects.create(summary='Some job', content='', reported_by=boss)
joe.has_perm('view_task', task)
>> False
assign_perm('view_task', joe, task)
joe.has_perm('view_task', task)
>> True

You assign the permission and keep it in the database.

django-authority

Declaration:

import datetime

import authority
from authority import permissions
from django.contrib.flatpages.models import FlatPage

class FlatpagePermission(permissions.BasePermission):
    label = 'flatpage_permission'
    checks = ('morning_flatpage_check',)

    # Custom check evaluated at call time: nothing is stored per object
    def morning_flatpage_check(self, flatpage):
        hour = int(datetime.datetime.now().strftime("%H"))
        if hour >= 8 and hour <= 12 and flatpage.url == '/about/':
            return True
        return False

authority.register(FlatPage, FlatpagePermission)

Usage:

def my_view(request):
    # Bind the permission class to the requesting user
    check = FlatpagePermission(request.user)
    flatpage_object = FlatPage.objects.get(url='/homepage/')
    if check.morning_flatpage_check(flatpage=flatpage_object):
        print("Yay, you can change *this* flatpage!")

It also wraps standard django permissions, but you can see the flexibility in the above custom permission which -AFAIK- you cannot do in guardian.

Common Usecase

A Student can belong to Classroom(s).

guardian:

  1. When Student is assigned to new Classroom, attach permission 'attend_classroom' to Student over Classroom object.
  2. When Student is removed from Classroom, remove 'attend_classroom' permission from Student over Classroom object.
  3. When accessing Classroom, check 'attend_classroom' permission.

authority:

  1. Define custom permission ClassroomPermission.can_attend_classroom(), which will query if Student belongs to Classroom.
  2. When accessing Classroom, check ClassroomPermission.can_attend_classroom()

Authority keeps the checking logic in a separate file. Guardian needs attaching/detaching of permissions through the rest of the code.
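
The Student/Classroom use case above, as an added example that is not part of the original answers: a plain-Python model (no Django) of a stored grant versus a runtime check, showing how a stored grant outlives the membership when one code path skips the revoke step, plus an audit that finds such grants. All class and function names here are hypothetical and are not guardian or authority APIs; the sample data is constructed.

```python
# Constructed model of the Student/Classroom use case; no Django required.
# Names are hypothetical, not django-guardian or django-authority APIs.

class Classroom:
    def __init__(self, name):
        self.name = name
        self.students = set()      # membership: the source of truth


class StoredPermissions:
    """Stored style: one row per (user, permission, object)."""

    def __init__(self):
        self.rows = set()

    def assign(self, user, perm, obj):
        self.rows.add((user, perm, obj))

    def remove(self, user, perm, obj):
        self.rows.discard((user, perm, obj))

    def has_perm(self, user, perm, obj):
        return (user, perm, obj) in self.rows


def can_attend_classroom(user, classroom):
    """Runtime style: computed from membership at check time."""
    return user in classroom.students


def stale_grants(store, perm, classrooms):
    """Audit: stored grants whose backing membership no longer exists."""
    return sorted((u, c.name) for (u, p, c) in store.rows
                  if p == perm and c in classrooms and u not in c.students)


def demo():
    room = Classroom("physics")
    store = StoredPermissions()
    # Enrol: two writes that must always stay paired.
    room.students.add("joe")
    store.assign("joe", "attend_classroom", room)
    # Un-enrol through a code path that forgets to call store.remove().
    room.students.discard("joe")
    return {
        "stored": store.has_perm("joe", "attend_classroom", room),
        "computed": can_attend_classroom("joe", room),
        "stale": stale_grants(store, "attend_classroom", [room]),
    }
```

With stored grants, a periodic audit like `stale_grants` (or doing the enrol and revoke writes in one place) is what keeps access from drifting away from membership.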
