New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing decorator for views? #12
Comments
How would the decorator know which model to use |
@dfunckt Thanks for the reply. Yes, the first implementation I can think of would fetch the object from the database and pass it to I'm just saying that having:
in every view, sounds like it's going against the DRY principle. I'm open to other solutions if you have any. |
In principle, I’m all for adding such a decorator. The implementation is indeed tricky though and I’m not sure it can be generic enough and cover all edge cases. I have several questions:
What do you think? How do other projects implement this kind of decorators? |
It sounds reasonable to require some sort of convention on the argument name.
Well, suddenly passing an object would break a lot of things; so I guess we should discard the object and pass a
I think that there are a lot of issues. I've never seen any project trying to solve the same problem. I'll think about it for a while and then tell you my best guess. Before I do that, am I missing something obvious? Is, currently, the only way to enforce object permissions:
, inside a view? |
Yes, for function-based views this is what you have to do. You could use class-based views and implement a mixin specifically for what you need, but that's a totally different way of doing things. I'll leave the issue open as the decorator is something I'd like to see in rules. Think over it, and let me know of any ideas you might have. |
I haven't found anything satisfying yet. The main problem I see is the repetition of what you do inside that
Which is suboptimal but slightly better than an The signature is basically:
The "fetcher" function can of course be just defined once and used in multiple places:
and then used as:
See if you can go somewhere with this. I'll let you know if something else comes up by the end of the week. What I don't like about this solution is that the "fetcher" is not generic enough, it's coupled with the request and the order of the arguments of the specific view. |
Hi @Jefffrey, passing in a callable seems like the most flexible solution and would be indeed useful to support this. We should however, also provide some simple solution for the general case, similar to what we discussed above. Guardian implements a similar decorator to what we need. I will also have a dab at this this weekend. |
I agree. Guardian's solution using tuples is probably the best for most cases. |
Django guardian uses something similar: https://django-guardian.readthedocs.org/en/v1.2/userguide/check.html#using-decorators though it does kind of awkward... |
Fixed in 96e1212. Documentation forthcoming. |
In the documentation it's not specified how to limit a view to users that have object based permissions. Just like normally we can do:
I think that we should be able to somehow take incoming object IDs arguments and automatically block the request if the user does not meet the requirements.
For example, something along the lines of:
What do you think?
The text was updated successfully, but these errors were encountered: