permissions - Using Django admin, how can I make sure users can only access objects they own?
I'm trying to build a self-service website using Django admin. A user shall be able to edit their own data. I can make sure they can only retrieve their own records this way:
    # admin.py
    from django.contrib import admin

    from .models import PersonalData


    class PersonalDataAdmin(admin.ModelAdmin):
        model = PersonalData
        exclude = ('data_confirmed',)
        list_display = ('first_name', 'last_name', 'email')

        def get_queryset(self, request):
            qs = super(PersonalDataAdmin, self).get_queryset(request)
            # Superusers see every record; everyone else sees only their own.
            if request.user.is_superuser:
                return qs
            return qs.filter(user=request.user)
What about saving, though? In order for the view to show in the admin interface, the user needs rights to change entries of PersonalData. How can I check, when receiving a POST request, whether the object belongs to the user? I think I need to implement a ModelForm like this:
    from django.forms import ModelForm


    class PersonDataForm(ModelForm):
        pass
and add it to PersonalDataAdmin. Then I could overwrite the clean() or save() method. Is that the right way to go? In case there is 1 record per user, is it possible to skip the change list view and link directly to the change view?
I would go with overriding ModelAdmin.has_change_permission(request, obj=None), where you can check request.user versus the object. See the related ModelAdmin.has_*_permission() methods.
For restricting viewing of objects, check:
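An added example, not part of the original question or answer: a mixin that combines the question's get_queryset() filter with the per-object has_*_permission() overrides the answer points to, and pins the owner on save. The names OwnedByUserAdminMixin, owner_field, owns and allowed are hypothetical; it assumes Django 2.1+ (for has_view_permission) and the default `<field>_id` column name for the foreign key.

```python
class OwnedByUserAdminMixin:
    """Added example: limit a ModelAdmin to rows owned by request.user.

    Usage in admin.py (assumed wiring, Django 2.1+):
        class PersonalDataAdmin(OwnedByUserAdminMixin, admin.ModelAdmin):
            exclude = ('data_confirmed', 'user')  # owner is never user-editable
    """
    owner_field = "user"  # FK name taken from the question's filter(user=...)

    def owns(self, request, obj):
        # Compare the raw FK column (<field>_id) to avoid an extra query.
        owner_id = getattr(obj, self.owner_field + "_id", None)
        return owner_id is not None and owner_id == request.user.pk

    def get_queryset(self, request):
        # The admin's get_object() also goes through this queryset, so a
        # GET or POST to another user's change URL finds no object at all.
        qs = super().get_queryset(request)
        if request.user.is_superuser:
            return qs
        return qs.filter(**{self.owner_field: request.user})

    def allowed(self, request, obj, model_level):
        # obj is None for model-level checks such as the change list; keep
        # Django's own answer there and never widen a model-level denial.
        if not model_level or obj is None or request.user.is_superuser:
            return model_level
        return self.owns(request, obj)

    def has_view_permission(self, request, obj=None):
        return self.allowed(request, obj, super().has_view_permission(request, obj))

    def has_change_permission(self, request, obj=None):
        return self.allowed(request, obj, super().has_change_permission(request, obj))

    def has_delete_permission(self, request, obj=None):
        return self.allowed(request, obj, super().has_delete_permission(request, obj))

    def save_model(self, request, obj, form, change):
        # Pin ownership server-side so a tampered form field cannot
        # create or reassign a record under another account.
        if not request.user.is_superuser:
            setattr(obj, self.owner_field, request.user)
        super().save_model(request, obj, form, change)
```

The mixin must come before admin.ModelAdmin in the base class list so its overrides run first and delegate to Django's model-level checks through super().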