
Fixed #36 - added user_can_access_owned_objects_only flag to GuardedModelAdmin
1 parent 25b5019 commit 4c7960543f0393a555a841dd89513dbc635bdf45 @lukaszb lukaszb committed Jun 16, 2011
Showing with 66 additions and 1 deletion.
  1. +27 −0 guardian/admin.py
  2. +39 −1 guardian/tests/admin_test.py
@@ -61,6 +61,23 @@ class GuardedModelAdmin(admin.ModelAdmin):
*Default*: ``admin/guardian/model/obj_perms_manage_group.html``
+ ``GuardedModelAdmin.user_can_access_owned_objects_only``
+
+ *Default*: ``False``
+
+ If this would be set to ``True``, ``request.user`` would be used to
+ filter out objects he or she doesn't own (checking ``user`` field
+ of used model - field name may be overridden by
+ ``user_owned_objects_field`` option.
+
+ .. note::
+ Please remember that this will **NOT** affect superusers!
+ Admins would still see all items.
+
+ ``GuardedModelAdmin.user_owned_objects_field``
+
+ *Default*: ``user``
+
**Usage example**
Just use :admin:`GuardedModelAdmin` instead of
@@ -87,6 +104,16 @@ class AuthorAdmin(GuardedModelAdmin):
'admin/guardian/model/obj_perms_manage_user.html'
obj_perms_manage_group_template = \
'admin/guardian/model/obj_perms_manage_group.html'
+ user_can_access_owned_objects_only = False
+ user_owned_objects_field = 'user'
+
+ def queryset(self, request):
+ qs = super(GuardedModelAdmin, self).queryset(request)
+ if self.user_can_access_owned_objects_only and \
+ not request.user.is_superuser:
+ filters = {self.user_owned_objects_field: request.user}
+ qs = qs.filter(**filters)
+ return qs
def get_urls(self):
"""
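Review bot: The new `queryset()` override only narrows which rows the admin lists and looks up; nothing in this hunk keeps a non-superuser from saving an object whose `user_owned_objects_field` points at another account, so with the flag on the owner field presumably stays editable on the add and change forms. The class docstring should say so, for example `This only filters the admin queryset; exclude the owner field from the form or set it in save_model() if users must not reassign ownership.` In the same docstring the parenthesis opened before "checking" is never closed, and `user_owned_objects_field` gets a default but no description. The enclosing class starts and ends outside the hunks.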
@@ -3,9 +3,11 @@
from django import forms
from django.conf import settings
from django.contrib import admin
+from django.contrib.admin.models import LogEntry
from django.contrib.auth.models import User, Group
from django.contrib.contenttypes.models import ContentType
from django.core.urlresolvers import reverse
+from django.http import HttpRequest
from django.test import TestCase
from django.test.client import Client
@@ -85,7 +87,6 @@ def test_view_manage_negative_user_form(self):
self.obj_info, args=[self.obj.pk, self.user.id])
self.assertEqual(response.request['PATH_INFO'], redirect_url)
-
def test_view_manage_user_form_wrong_user(self):
self._login_superuser()
url = reverse('admin:%s_%s_permissions' % self.obj_info,
@@ -312,6 +313,43 @@ def test_obj_perms_manage_group_form_attr(self):
gma = self._get_gma(attrs=attrs)
self.assertTrue(gma.get_obj_perms_manage_group_form(), forms.Form)
+ def test_user_can_acces_owned_objects_only(self):
+ attrs = {
+ 'user_can_access_owned_objects_only': True,
+ 'user_owned_objects_field': 'user',
+ }
+ gma = self._get_gma(attrs=attrs, model=LogEntry)
+ joe = User.objects.create_user('joe', 'joe@example.com', 'joe')
+ jane = User.objects.create_user('jane', 'jane@example.com', 'jane')
+ ctype = ContentType.objects.get_for_model(User)
+ joe_entry = LogEntry.objects.create(user=joe, content_type=ctype,
+ object_id=joe.id, action_flag=1, change_message='foo')
+ LogEntry.objects.create(user=jane, content_type=ctype,
+ object_id=jane.id, action_flag=1, change_message='bar')
+ request = HttpRequest()
+ request.user = joe
+ qs = gma.queryset(request)
+ self.assertEqual([e.pk for e in qs], [joe_entry.pk])
+
+ def test_user_can_acces_owned_objects_only_unless_superuser(self):
+ attrs = {
+ 'user_can_access_owned_objects_only': True,
+ 'user_owned_objects_field': 'user',
+ }
+ gma = self._get_gma(attrs=attrs, model=LogEntry)
+ joe = User.objects.create_superuser('joe', 'joe@example.com', 'joe')
+ jane = User.objects.create_user('jane', 'jane@example.com', 'jane')
+ ctype = ContentType.objects.get_for_model(User)
+ joe_entry = LogEntry.objects.create(user=joe, content_type=ctype,
+ object_id=joe.id, action_flag=1, change_message='foo')
+ jane_entry = LogEntry.objects.create(user=jane, content_type=ctype,
+ object_id=jane.id, action_flag=1, change_message='bar')
+ request = HttpRequest()
+ request.user = joe
+ qs = gma.queryset(request)
+ self.assertItemsEqual([e.pk for e in qs], [joe_entry.pk, jane_entry.pk])
+
+
class GrappelliGuardedModelAdminTests(TestCase):
org_settings = copy.copy(settings)
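Review bot: Both new tests call `gma.queryset(request)` directly with a bare `HttpRequest`, so they pin the filter itself but not that the admin views honour it; a test that requests the change view for jane's entry while logged in as joe and expects a 404 would cover the access restriction the flag promises. There is also no case for the default `user_can_access_owned_objects_only = False` with a non-superuser, nor for a non-default `user_owned_objects_field`. The method names misspell `acces`; `test_user_can_access_owned_objects_only` would match the attribute name. The enclosing test class starts outside the hunk.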
