Home/ Questions/Q 8035427
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T02:18:18+00:00

My current project involves a legacy codebase which makes use of Django’s models in

  • 0

My current project involves a legacy codebase which makes use of Django’s models in a limited way; syncdb isn’t being used (i.e., the model is not Django-managed). I need to restrict access to certain columns based on permissions (i.e. a view_all permission will show all of the columns, while no permission will restrict the user to a few basic columns). This permission will apply to different tables.

The way I am thinking of doing this is to simply use SQL to insert a new auth_permission. However, this is complicated by the content_type_id column: my understanding is that a content type applies to one model, and this (as I said) will need to apply to different tables, and I can’t reliably run syncdb.

Has anyone else implemented something along these lines? Did you use the Django infrastructure, or did you end up using a separate table for safety? Did you implement this at the signal level, or at each point where the model is used?

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It sounds to me like you are actually looking for permission groups. They can be easily created model independently. The user groups wouldn’t need to contain any actual permissions.

    You can check if a user is in a specific group:

    def user_in_group(user, group_name):
    return user.groups.filter(name=group_name).count()

    You could use it like this:

    def my_view(request):
    if user_in_group(request.user, 'view_all'):
        # do the things
    else:
        # do the other things

# limit this view to 'view_all' users
@user_passes_test(lambda u: user_in_group(u, 'view_all'))
def my_other_view(request):
    # and do some more things

    I don’t know what you mean with

    Did you implement this at the signal level, or at each point where the
    model is used?

    Obviously with any authorization method you would need to insert checks wherever a model is viewed and insert logic to show only the permitted columns (like rendering a subset of columns in a template).

    To make sure that no wrong columns are accessed you could write proxy classes that limit access to the apropriate fields/columns and use proxy instances instead of model instances.

    class SomeModelProxy(object):
    def __init__(self, model_instance, user):
        self.instance = model_instance
        self.user = user

    def save(self, *args, **kwargs):
        self.instance.save(*args, **kwargs)

    # define other methods that are needed...

    def __getattr__(self, name):
        if not name in get_allowed_columns_for_user_somehow(self.user):
            raise AttributeError

        return getattr(self.instance, name)

    def __setattr__(self, name, value):
        if not name in get_allowed_columns_for_user_somehow(self.user):
            raise AttributeError

        setattr(self.instance, name, value)
    • 0