Stage 2 — Querysets and permissions
=====================================

Goal
----

Scope which rows a user can reach with
:py:meth:`~djmvc.ModelController.get_queryset`. List and detail already use
Django's ``view`` permission by default (stage 0).

Model
-----

.. literalinclude:: ../../src/djmvc_example/stage2/models.py

Controller and registration
---------------------------

.. literalinclude:: ../../src/djmvc_example/stage2/djmvc.py

``get_queryset`` limits non-superusers to documents they own. Grant
``view_document`` for read access; ``delete_document`` for bulk delete on owned
rows.

Try it
------

Visit http://localhost:8000/document/. Create two users and documents with
different owners. Each user sees only their rows; detail and bulk delete ignore
out-of-scope primary keys.

Tests
-----

``tests/test_stage2.py`` on GitHub
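
The row scoping described under "Controller and registration" and "Try it", modelled as an added example that is not djmvc's or the example project's code: list, detail and bulk delete all start from one owner scope, so a primary key outside that scope behaves like a missing row. It uses ``sqlite3`` from the standard library instead of Django; the ``User`` class, the table layout, the function names and the short permission names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two owners, three documents."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE document (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    db.executemany("INSERT INTO document VALUES (?, ?, ?)",
                   [(1, "alice", "a-notes"), (2, "bob", "b-plan"), (3, "alice", "a-draft")])
    return db

class User:
    """Hypothetical stand-in for a Django user with model permissions."""
    def __init__(self, name, perms=(), is_superuser=False):
        self.name, self.perms, self.is_superuser = name, set(perms), is_superuser

    def has_perm(self, perm):
        return self.is_superuser or perm in self.perms

def scope(user):
    """Row scope, playing the role of get_queryset: (WHERE fragment, params)."""
    if user.is_superuser:
        return "1 = 1", []
    return "owner = ?", [user.name]

def require(user, perm):
    if not user.has_perm(perm):
        raise PermissionError(f"{perm} required")

def list_ids(db, user):
    require(user, "view_document")
    where, params = scope(user)
    rows = db.execute(f"SELECT id FROM document WHERE {where} ORDER BY id", params)
    return [r[0] for r in rows]

def detail(db, user, pk):
    require(user, "view_document")
    where, params = scope(user)
    # Same scope as the list, so an out-of-scope pk looks like a missing row.
    sql = f"SELECT title FROM document WHERE {where} AND id = ?"
    return db.execute(sql, params + [pk]).fetchone()

def bulk_delete(db, user, pks):
    require(user, "delete_document")
    where, params = scope(user)
    # Only "?" placeholders are interpolated; submitted pks stay bound parameters.
    marks = ",".join("?" * len(pks))
    sql = f"DELETE FROM document WHERE {where} AND id IN ({marks})"
    return db.execute(sql, params + list(pks)).rowcount
```

The permission check and the row scope are separate gates: a user holding ``delete_document`` still cannot delete another owner's row, and a user who owns a row still needs the permission.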