When checking permissions, Fastview will first check the permission defined on the view,
and then the permission on the viewgroup. If neither are set, it defaults to permission
Denied
.
To override this you can subclass the view and set permission
directly:
from fastview.permissions import Login class NewBlog(CreateView): permission = Login()
Or reconfigure the view when defining the ViewGroup:
class Blog(ViewGroup): create_view = CreateView.config(permission=Login())
If you want to reconfigure the base ViewGroup's view for this attribute, you can also use a dict:
class Blog(ViewGroup): create_view = dict(permission=Login()) # Equivalent to: # create_view = ViewGroup.create_view.config(permission=Login())
You can set the viewgroup permission with the default permission
, which will apply
to any view which doesn't have its own permission:
class Blog(ViewGroup): permission = Login()
Fastview provides the following permissions:
Nobody can access. This is the default.
Everyone can access
The current user must be logged in
The current user must be staff
The current user must be a superuser
For model views: use Django's permission framework.
For example, to see if the user has been given the permission blog.add_blog
you
would use:
class MyView(..): permission = Django("add")
For model views: user must be the owner of the object
owner_field
specifies the field name referencing the user who owns the instance
For example:
class Item(models.Model): title = models.CharField(max_length=255) author = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE) class ItemViewGroup(ViewGroup): delete_view = dict( permission=Owner("author") )
will mean the current user can only delete an Item
if they are set as the
author
.
Permissions can be combined with AND, OR and NOT operators (using the same syntax as
Django Q
objects):
Staff() | Owner("owner")
- either staff or the ownerStaff() & Owner("owner")
- only the owner, and only if they are staffStaff() & ~Owner("owner")
- staff who are not the owner
Complex permissions which need to be used in several places can be assigned to variables:
staff_not_owner = Staff() & ~Owner("owner") class Blog(ViewGroup): update_view = dict(permission=staff_not_owner) delete_view = dict(permission=staff_not_owner)
To write a custom permission, subclass fastview.permissions.Permission
and implement
your own check()
and filter_q()
methods.