As a developer, I can make permission object filtering chainable

[fao89]

Author: @bmbouter (bmbouter)

Redmine Issue: 9613, https://pulp.plan.io/issues/9613

---

Motivation

As a developer with the new Roles facilities in pulpcore==3.17, you likely will want to filter by permissions with something like this example taken from this PR.

current_user = get_current_authenticated_user()
qs = Task.objects.filter(finished_at__lt=finished_before, state__in=states)
units_deleted, details = get_objects_for_user(current_user, "core.delete_task", qs=qs).delete()

As you can see, this needs to determine who the current user is, and you can't build the queryset in one go by using chaining.

Proposal

Introduce a with_perm chainable call on all querysets for Pulp objects. It could be used like this:

• qs.with_perm("core.task_delete")
• qs.with_perm("core.task_delete", "core.task_view")
• qs.with_perms(["core.task_delete", "core.task_view"])
• qs.with_perm("core.task_delete").with_perm( "core.task_view")

[fao89]

From: @gerrod3 (gerrod)
Date: 2021-12-07T19:23:50Z

---

I think it should be mentioned that with_perms will probably call get_authenticated_user implicitly for the permission check. In that case we should probably create our own custom version that can be ran in tasks outside of a django view. Or we would need to make a rule to do all queryset permission checks inside a view before handing off to a task.

[fao89]

From: @mdellweg (mdellweg)
Date: 2021-12-08T07:54:58Z

---

If we want to allow both of these syntaxes, we should specify, whether one or all of the permissions are needed:
qs.with_perm("core.task_delete", "core.task_view")
qs.with_perms(["core.task_delete", "core.task_view"])

[stale]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!