I have problems configuring user permissions. I would like to allow users to add files to a folder and edit and delete their own files. For this I have configured such permissions for a group blogger:
Folder: 'Blog images (misc)'->this item and all children [can_read, can_add_children] [Group: bloggers]
But deleting does not work unless I also add the general filer | file | Can delete file. But this means this user (group) has permission to delete any file, not just those owned by her.
filer | file | Can delete file
Bump? Should I make a test case for this too?
Ahh, I see the problem. Django calls user.has_perm('filer.delete_image') and user.has_perm('filer.delete_file') in django.contrib.admin.util.
This circumvents our usual custom permission logic. What we have to do is provide our own AuthenticationBackend to support this kind of permission checking.
But, as far as I can tell, there is also a bug in Django. It checks for the global permission instead of passing in the obj. It should be user.has_perm(p, obj) not user.has_perm(p).
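Added example, not part of the thread and not django-filer's code: a minimal sketch of the kind of authentication backend discussed above, showing how `has_perm(p, obj)` and `has_perm(p)` give different answers for the same user. The class name `OwnerDeleteBackend`, the `owner_id` attribute and the stand-in user and file objects are assumptions made for the illustration.

```python
from types import SimpleNamespace

# Permission codenames taken from the thread above.
OWNER_DELETE_PERMS = {"filer.delete_file", "filer.delete_image"}


class OwnerDeleteBackend:
    """Hypothetical backend: delete is granted only on files the user owns.

    Enabled by listing it in AUTHENTICATION_BACKENDS next to ModelBackend.
    """

    def authenticate(self, request, **credentials):
        return None  # permission-only backend, never logs anyone in

    def get_user(self, user_id):
        return None

    def has_perm(self, user_obj, perm, obj=None):
        if perm not in OWNER_DELETE_PERMS or not getattr(user_obj, "is_active", False):
            return False
        if obj is None:
            # has_perm(p) without obj: no file to compare, so grant nothing globally.
            return False
        # Assumption: the file stores its uploader's primary key in `owner_id`.
        owner_id = getattr(obj, "owner_id", None)
        return owner_id is not None and owner_id == user_obj.pk


def demo():
    """Run the three checks from the thread against constructed stand-in objects."""
    backend = OwnerDeleteBackend()
    alice = SimpleNamespace(pk=1, is_active=True)   # constructed sample user
    own_file = SimpleNamespace(owner_id=1)          # uploaded by alice
    other_file = SimpleNamespace(owner_id=2)        # uploaded by someone else
    return {
        "own": backend.has_perm(alice, "filer.delete_file", own_file),
        "other": backend.has_perm(alice, "filer.delete_file", other_file),
        "global": backend.has_perm(alice, "filer.delete_file"),
    }


if __name__ == "__main__":
    print(demo())
```

A caller that omits `obj` gets `False` from this backend, so the per-owner rule only takes effect where the object is passed to `has_perm`.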