list permissions

Containers should be filtered based on object permissions

added ~348 label

I have a model:

class JobOffer(models.Model):
    author = models.ForeignKey("Member", on_delete=models.CASCADE)
    title = models.CharField(max_length=255, blank=True, null=True)
    description = models.CharField(max_length=255, blank=True, null=True)
    skills = models.ManyToManyField("Skill", blank=True)

    class Meta:
        permissions = (
            ('view_joboffer', 'Read'),
            ('control_joboffer', 'Control'),
        )

    def __str__(self):
        return '{} ({})'.format(self.title, self.author.user.get_full_name())

served by a url: url(r'^job-offers/', LDPViewSet.urls(model=JobOffer, nested_fields=["skills"])),

In the INSTALLED_APPS, I have included:

    'oidc_provider',
    'guardian',

And I have the authentication activated: AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.ModelBackend', 'guardian.backends.ObjectPermissionBackend']

I created 2 job offers and 1 users with all permissions on one job offer, but not the other.

When I go on http://localhost:8000/job-offers/ logged in as my user, I can see both job offers, even the one on which I can see I have no permissions.

I should only see the objects on which I have permissions.

To edit the permissions on an object, you should have this admin.py:

from .models import JobOffer
from guardian.admin import GuardedModelAdmin

admin.site.register(JobOffer, GuardedModelAdmin)

The view is throwing errors from user of super() (with no arguments) - so it turns out this is python 3 only code. I can make it python 2 compatible (a lot of linux systems come with 2.x installed - or did as of last year )

so i installed a virtualenv under python3

only to finf django 1.11 doesnt work with python 3.7

so installed a new virtualenv with python3.6

finally got it running again...

currently up to this - need to configure more stuff

http://localhost:8000/job-offers/

=> .... Exception Type: ImproperlyConfigured at /job-offers/ Exception Value: Could not resolve URL for hyperlinked relationship using view name "member-detail". You may have failed to include the related model in your API, or incorrectly configured the lookup_field attribute on this field.

By Rob on 2018-10-19T07:12:59 (imported from GitLab project)

Oh yes sorry I realized yesterday that Django 1.11 wasn't compatible with python 3.7. We'll have to stick to Python 3.6.

The error you get is because you include in your object representation a link to a member. As it has to be represented in json-ld, it needs to be represented as a url. So Django Rest Framework requires a url in urls.py. You can either exclude the member from your object representation (exclude=['member'] in the url line) or add a new url line with members (url(r'^members/', LDPViewSet.urls(model=Member)),).

OK I have read as much as i can find on this, and I think we have three interacting issues here:

1. We should not need to set model permissions for users to use object permissions - so a conceptual challenge
2. following on from this, access to individual objects works only if model permissions also set
3. lists ignore object permissions in DRF - and if we set model permissions then object permissions are overridden - the recommended way of filtering lists doesnt work (model permissions are more permissive)

This seems to address the missing glue: https://github.com/rpkilby/django-rest-framework-guardian

so I will experiment with that and see how it behaves.

By Rob on 2018-10-22T23:01:47 (imported from GitLab project)

mentioned in commit 4884499e

By Rob on 2018-10-22T23:15:54 (imported from GitLab project)

mentioned in merge request !3 (merged)

By Rob on 2018-10-22T23:17:45 (imported from GitLab project)

fix proposed - please test and verify - if it still requires model level permissions however, which I remain unconvinced about - and if truly necessary then this ought to be automated rather than an extra manual step to set up.

By Rob on 2018-10-22T23:19:47 (imported from GitLab project)

mentioned in commit 2c88d78c

Thanks, it looks good! I agree that this system is not ideal, but that solves the pain point we have in the short run. We'll keep setting the user's model permissions for now, and we'll look for a solution later.

How do you feel about this project so far? Are you up for the next challenge?

Can we close this now?

By Rob on 2018-11-01T21:37:44 (imported from GitLab project)

Yes, works great!

closed

reopened

Is it still working? To be checked.

assigned to @Atkinson

assigned to @thibaud and unassigned @Atkinson

mentioned in merge request !11 (merged)

By Nicolas Mérigot on 2019-01-22T09:19:23 (imported from GitLab project)

closed

By Thibaud on 2019-01-23T14:10:34 (imported from GitLab project)