Stage 2 — Querysets and permissions

Goal

Scope which rows a user can reach with get_queryset(). List and detail already use Django’s view permission by default (stage 0).

Model
    from django.conf import settings
    from django.db import models


    class Document(models.Model):
        title = models.CharField(max_length=200)
        # Every document has exactly one owner; this is the column the
        # controller's get_queryset() filters on.
        owner = models.ForeignKey(
            settings.AUTH_USER_MODEL,
            on_delete=models.CASCADE,
            related_name="documents",
        )

        def __str__(self):
            return self.title
Controller and registration

    import djmvc

    from .models import Document


    class DocumentController(djmvc.ModelController):
        model = Document
        icon = 'file-earmark-text'

        def get_queryset(self, view):
            qs = super().get_queryset(view)
            user = view.request.user
            if user.is_superuser:
                return qs
            # Non-superusers only ever see rows they own.
            return qs.filter(owner=user)


    djmvc.site.routes.append(DocumentController)
get_queryset limits non-superusers to documents they own. Grant view_document for read access and delete_document for bulk delete; both permissions only ever apply to the owned rows that get_queryset returns.
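The property this stage relies on is that detail and bulk delete resolve primary keys through the scoped queryset rather than through the unscoped model manager. The example below is added here and is not djmvc or Django code: it reimplements the controller's ownership rule over a small in-memory stand-in for a queryset (the QuerySet class, the User and Document dataclasses and the sample rows are all constructed for this illustration) so the behaviour can be run and checked without a database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False

@dataclass(frozen=True)
class Document:
    pk: int
    title: str
    owner: User

class QuerySet:
    """Tiny stand-in for a Django queryset: filter(), pk__in, get(), delete()."""
    def __init__(self, table, rows=None):
        self.table = table  # the shared "database table", a plain list
        self.rows = list(table if rows is None else rows)
    def filter(self, **lookups):
        def match(row):
            for key, value in lookups.items():
                if key.endswith("__in"):
                    if getattr(row, key[:-4]) not in value:
                        return False
                elif getattr(row, key) != value:
                    return False
            return True
        return QuerySet(self.table, (r for r in self.rows if match(r)))
    def get(self, **lookups):
        hits = self.filter(**lookups).rows
        return hits[0] if len(hits) == 1 else None  # None stands in for DoesNotExist (404)
    def delete(self):
        pks = {r.pk for r in self.rows}
        self.table[:] = [r for r in self.table if r.pk not in pks]
        return len(pks)

def get_queryset(table, user):
    """Same rule as DocumentController.get_queryset: superusers see all, others only own rows."""
    qs = QuerySet(table)
    return qs if user.is_superuser else qs.filter(owner=user)

def detail(table, user, pk):
    """Detail resolves pk through the scoped queryset, so a foreign pk gives None, not a leak."""
    return get_queryset(table, user).get(pk=pk)

def bulk_delete(table, user, pks):
    """Bulk delete: out-of-scope pks are dropped by the scope filter before delete() runs."""
    return get_queryset(table, user).filter(pk__in=pks).delete()
# Constructed sample data (not from the page).
ALICE, BOB, ROOT = User("alice"), User("bob"), User("root", is_superuser=True)
DOCS = [Document(1, "alice-notes", ALICE), Document(2, "bob-notes", BOB), Document(3, "bob-plan", BOB)]
```

If a view ever calls the unscoped manager (the equivalent of Document.objects.get(pk=pk)) instead of get_queryset(), a user can reach any row by guessing its primary key; the scoped lookup is what makes out-of-scope keys invisible.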
Try it

Visit http://localhost:8000/document/. Create two users and documents with different owners. Each user sees only their rows; detail and bulk delete ignore out-of-scope primary keys.