django permissions not being respected
I am trying to show a button if the logged in user has the right permissions.
The code in the template:
{% if perms.django_apo_training.can_add %}
<a href="{% url 'training:trainee_add' %}">
<button type="button" class="btn btn-success">Add Trainee</button>
</a>
{% endif %}
I can print to the webpage to debug what the permissions the user has:
<p> {{ perms.django_apo_training }} </p>
It shows:
{'training.view_trainee', 'training.add_trainee', 'training.delete_trainee', 'training.change_trainee'}
but
perms.django_apo_training.can_add
always returns false, not sure what what I am missing?
Even double checked in the admin console:
(if I grant super user status to the the user in question, then the if statement works and returns true?)
Here is the model for the trainee stuff
# Create your models here.
class Trainee(models.Model):
objects = models.Manager()
first_name = models.CharField(max_length=200)
last_name = models.CharField(max_length = 200)
institution = models.CharField(max_length=200, blank=True)
contact_phone = models.CharField(max_length=50, blank=True)
contact_email = models.CharField(max_length=100, blank=True)
trained_date = models.DateField('date trained')
class Meta:
ordering = ['institution']
def __str__(self):
return "Trainee: " + str(self.first_name) + " " + str(self.last_name) + " " + str(self.institution)
Secondly... even once this works, how do I make sure that only those with that permission and logged in can get to (it is a lot more than an @login required decorator)
http://localhost:8000/training/add/
Lastly : I have also created model to extend the user model using the one-to-one model:
user = models.OneToOneField(User, on_delete=models.CASCADE)
Inside this APOUser model I call it, I have other fields that I would love to key off of for these permissions (specifically what is contained in the on_site_status), is there some set way or example/recipe of how one might do that?
(the full model is here)
class APOUser(models.Model):
objects = models.Manager()
user = models.OneToOneField(User, on_delete=models.CASCADE)
institution = models.ForeignKey("mainpage.Institution", on_delete=models.SET_NULL, null=True)
on_site_status = models.ForeignKey("mainpage.SiteStatus", on_delete=models.SET_NULL, null=True)
refer_to_as = models.TextField(max_length = 30, blank=True, null=True) #if the above is custom
room_preference = models.ForeignKey("housing.Room", on_delete=models.SET_NULL, null=True)
The standard permissions created follow the format <app_label>.view_<model_name>. So in the product app with the following models a total of 8 permissions will be automatically created.
class Category(models.Model):
...
class Product(models.Model):
...
# permissions for the Category model
'product.view_category'
'product.add_category'
'product.change_category'
'product.delete_category'
# permissions for the Product model
'product.view_product'
'product.add_product'
'product.change_product'
'product.delete_product'
In your example perms.django_apo_training.can_add will always return False because there is no permission can_add - unless you have a model called Add and have created a custom permission. The correct pattern should be perms.training.add_training.
It's also important to note that checking the permissions for a superuser will always return True even if the permission does not exist.
For protected views with permissions and custom user fields you can subclass UserPassesTestMixin.
from django.contrib.auth.mixins import UserPassesTestMixin
def permissions_check(user):
approved_profile_status = ['ADMIN', 'PURCHASER']
permission = 'training.add_trainee'
is_approved = user.profile.on_site_status in approved_profile_status
has_perm = user.has_perm(permission)
return is_approved or has_perm
class PermissionsMixin(UserPassesTestMixin):
def test_func(self):
return permissions_check(self.request.user)
class TraineeListView(PermissionsMixin, ListView):
...
- Django CSRF Cookie Not Set
- Display encoded video frames using React and Django
- Exception Value:failed to find libmagic. Check your installation in windows 7
- Why isn't a nested-dot lookup evaluating in this Django template?
- Updating quantity in javascript
- Django one of 2 fields must not be null
- Django form field label translations
- Django form: what is the best way to modify posted data before validating?
- Django RestFramework make lookup_field accept special characters (".")
- creating a category system with MVT in django
- CSRF Failed: Origin checking failed - http://localhost:8000/ does not match any trusted origins
- How to save data into two related tables in Django?
- Django ModelDiffMixin: Maximum recursion depth exceeded
- Reverse Serializing Many to Many Relations Causes RecursionError
- django.db.utils.ProgrammingError: column "role" of relation "APP_profile" does not exist
- How can I enable CORS on Django REST Framework
- Display JavaScript Fetch for JsonResponse 2 Tables on HTML
- Django table reduce text when larger then cell size
- Get Image Field Absolute Path in Django Rest Framework - Non Request Flows
- Use JSON data in Django fields
- Why isn't my form data inserted into the database?
- Custom 404 and 500 pages in django with -> DEBUG = True
- If only CI fails, what kind of trouble could there be for django?
- In Django CI, githubactions try to another database for testing
- How to arbitrarily nest some data in a django rest framework serializer
- Submit button doesn't refresh page and send POST request
- selenium: Max retries exceeded with url
- Getting Django admin url for an object
- How can I annotate my Django queryset with a count of related objects
- Change ModelSerializer field key with function