Environment
- Python version: 3.7
- MrMap version: v0.0.0
Proposed Functionality
The built in django permission handling should be enhanced by a object level permission handling from django-guardian.
Use Case
security benefit
Since #52, the permission handling is only model based. For example, a user could delete a group if he has the structure.remove_mrmapgroup permission in any case. We need also permission handling on object level. This means a user shall only be able to delete a group, if he has specific permissions for this specific group.
filter querysets benefit
With the PermissionListMixin the user will only see object for that he has permissions.
Database Changes
External Dependencies
django-guardian
Environment
Proposed Functionality
The built in django permission handling should be enhanced by a object level permission handling from django-guardian.
remove get_services()
remove get_services_as_qs()
remove get_metadatas_as_qs()
remove get_datasets_as_qs()
implement PermissionListMixin for all
ListViewschange from django PermissionRequiredMixin to PermissionRequiredMixin
Use Case
security benefit
Since #52, the permission handling is only model based. For example, a user could delete a group if he has the
structure.remove_mrmapgrouppermission in any case. We need also permission handling on object level. This means a user shall only be able to delete a group, if he has specific permissions for this specific group.filter querysets benefit
With the PermissionListMixin the user will only see object for that he has permissions.
Database Changes
add signals to create permissions on object creation
implement dependency workflow on delete group with the following options:
If a group has dependencies (objects created_by the group), the group can not be deleted. The user will be forced to decide what to do with his objects. Two options:
External Dependencies
django-guardian