Best IT Recipes

Django-object-permissions Vs django-guardian Vs django-authority

I found 3 row level permissions for Django 1.2+

Can anyone say if there are any recommendations more than others, what are their main differences, etc.?

+30
django django-authentication django-permissions django-apps
Jun 18 '12 at 12:10
source share
2 answers

I will start by saying that we do not use any of them to resolve the level of the object - we use our own method, and I really did not want this. If you can avoid object-level permissions altogether, do it; it's a pain for the organization.

Here's how I rate the 3 apps you mentioned.

Active development:

  • django-guardian (1 week ago)
  • django-object-permissions (1 year ago)
  • django-authority (almost 2 years ago)

API

  • django-guardian (save instance of a specific model)
  • django-object-permissions (registration permissions)
  • django-authority (define classes)

The above are in order, by the way.

I would recommend a guardian solely by API, but the fact that it is still being developed where others usually does not mean a big win.

+24
Jun 18 '12 at 12:28
source share

As of August '13, django-object-permissions has been replaced with django-permission . 3 projects are in active development.

Personally, I prefer permissions or permission, which uses the methods of checking permissions (runtime), rather than django-guardian, which uses the database to store permissions (attached to the creation of the object, fe).

- EDIT -

Examples from the documents.

Django Guardian

joe = User.objects.create(username='joe') task = Task.objects.create(summary='Some job', content='', reported_by=boss) joe.has_perm('view_task', task) >> False assign_perm('view_task', joe, task) joe.has_perm('view_task', task) >> True

You assign permission and store it in the database.

Django power

Declaration:

 class FlatpagePermission(permissions.BasePermission): label = 'flatpage_permission' checks = ('morning_flatpage_check',) def morning_flatpage_check(self, flatpage): hour = int(datetime.datetime.now().strftime("%H")) if hour >= 8 and hour <= 12 and flatpage.url == '/about/': return True return False authority.register(Flatpage, FlatpagePermission)

Using:

 def my_view(request): check = FlatPagePermission(request.user) flatpage_object = Flatpage.objects.get(url='/homepage/') if check.morning_flatpage_check(flatpage=flatpage_object): print "Yay, you can change *this* flatpage!"

It also wraps standard django permissions, but you can see the flexibility in the above user permission, which -AFAIK- you cannot do in the guardian.

Plain Usecase

A student may belong to a class (s).

guardian :

  • When a student is assigned a new class, attach the 'attend_classroom' permission to the Student over Classroom object.
  • When Student is removed from the class, remove the 'attend_classroom' for the Student by class object.
  • When accessing the class, check the 'attend_classroom' permission.

authority :

  • Define the user permission ClassroomPermission.can_attend_classroom() , which will request if Student belongs to the class.
  • When accessing a class, check ClassroomPermission.can_attend_classroom()

Power stores the verification logic in a separate file. Guardian needs connect / disconnect permissions, although the rest of the code.

+17
Aug 19 '13 at 5:18
source share


More articles:


All Articles