Django’s 1.3 docs say:
To enable object permissions in your own authentication backend you’ll just have to allow passing an obj parameter to the permission methods and set the supports_object_permissions class attribute to True.
So I implemented my own authentication backend, set supports_object_permissions = True and defined a def has_perm(self, user_obj, perm, obj=None).
What I would expect now is that navigating through the admin pages causes that method to be called multiple times (which does happen) and also, when I am on a model’s listing site, the obj parameter to be filled with the actual objects. E.g. when I am listing products of a shop, for each of these products that method would get called so I can determine individually if that object shall be displayed and so on.
What actually happens, though, is that obj is always None. Am I getting that concept wrong, or do I have to do anything else so that my actual objects get passed in there?
Django’s default permission system is class level (table level), not row level. In other words, you cannot assign row based (instance based) permissions. This is a limitation on the system.
Projects like django-guardian implement row-level (instance-level) permissions in Django. You can find a listing of other permissions projects at the djangopackages.com site.
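
As an added illustration (not part of the original answer, and not Django's or django-guardian's code): a plain-Python sketch of a backend with the has_perm signature from the question, which answers the obj=None call from class-level grants only and applies the row check only when an object is passed, with the listing filtered explicitly. Product, User, user_has_perm and visible_products are hypothetical stand-ins so the example runs without Django.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Product:                  # constructed sample model
    id: int
    shop_id: int

@dataclass(frozen=True)
class User:                     # constructed sample user
    username: str
    shop_ids: frozenset         # shops this user manages
    model_perms: frozenset      # class-level grants

class ShopObjectBackend:
    """Backend using the has_perm signature from the question."""
    supports_object_permissions = True

    def has_perm(self, user_obj, perm, obj=None):
        if perm not in user_obj.model_perms:
            return False        # no class-level grant: deny in every case
        if obj is None:
            # Model-level question, which is what the question observes on
            # the admin listing. Answered from class-level grants only.
            return True
        # Row-level question: only objects in a shop the user manages.
        return getattr(obj, "shop_id", None) in user_obj.shop_ids

def user_has_perm(user, perm, obj=None, backends=(ShopObjectBackend(),)):
    """Simplified stand-in for fanning a has_perm call out to backends."""
    return any(b.has_perm(user, perm, obj) for b in backends)

def visible_products(user, products, perm="shop.change_product"):
    """Explicit row filter for a listing; has_perm(obj=None) alone cannot
    hide individual rows, so each object is checked here."""
    if not user_has_perm(user, perm):
        return []
    return [p for p in products if user_has_perm(user, perm, p)]

# Constructed sample data
PRODUCTS = [Product(1, 10), Product(2, 10), Product(3, 20)]
ALICE = User("alice", frozenset({10}), frozenset({"shop.change_product"}))
BOB = User("bob", frozenset({20}), frozenset())

if __name__ == "__main__":
    print([p.id for p in visible_products(ALICE, PRODUCTS)])
    print([p.id for p in visible_products(BOB, PRODUCTS)])
```

In a real Django project the per-row loop would be replaced by a filtered queryset, so that rows the user may not see are never loaded.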