Stage 2 — Querysets and permissions

Goal

Scope which rows a user can reach by overriding get_queryset(). Permissions decide whether a user may use an action at all; the queryset decides which rows that action can touch. List and detail already require Django's view permission by default (stage 0).

Model

from django.conf import settings
from django.db import models


class Document(models.Model):
    title = models.CharField(max_length=200)
    # The scoping field: get_queryset() in the controller filters on it.
    owner = models.ForeignKey(
        settings.AUTH_USER_MODEL,
        on_delete=models.CASCADE,
        related_name="documents",
    )

    def __str__(self):
        return self.title

Controller and registration

import djmvc

from .models import Document


class DocumentController(djmvc.ModelController):
    model = Document
    icon = 'file-earmark-text'

    def get_queryset(self, view):
        # Every row lookup the controller performs (list, detail, bulk delete)
        # starts from this queryset, so filtering here is what keeps one
        # user's primary keys out of another user's reach.
        qs = super().get_queryset(view)
        user = view.request.user
        if user.is_superuser:
            return qs
        return qs.filter(owner=user)


djmvc.site.routes.append(DocumentController)

get_queryset limits non-superusers to the documents they own, and every lookup goes through it, so a primary key that belongs to another user's document is simply not found. Permissions gate the actions: grant view_document for read access and delete_document for bulk delete; both act only on rows inside the user's queryset.

Try it

Visit http://localhost:8000/document/. Create two users and give each some documents. Each user sees only their own rows; a detail URL or a bulk delete that names another user's primary key is ignored, because both resolve rows through get_queryset().
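The two layers above, as a stand-alone model added here as an example; it is not code from djmvc or from the tutorial repository. Django's ORM and auth are replaced by a few constructed in-memory rows and a small User class with has_perm, the permission strings assume an app label of app, and the function names are hypothetical. It demonstrates what the manual check shows: permissions decide whether list, detail and bulk delete are available, the scoped queryset decides which rows they reach, and an unscoped lookup (the Django equivalent of Document.objects.get(pk=pk)) is the pattern the get_queryset override prevents.

```python
"""Stand-alone model of the Stage 2 scoping rule (added example, not djmvc code)."""
from dataclasses import dataclass

# Permission codenames as Django would spell them; the app label is assumed.
VIEW = "app.view_document"
DELETE = "app.delete_document"


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False
    perms: frozenset = frozenset()

    def has_perm(self, perm):
        # Mirrors django.contrib.auth: superusers pass every permission check.
        return self.is_superuser or perm in self.perms


@dataclass
class Document:
    pk: int
    title: str
    owner: str  # username of the owner


class PermissionDenied(Exception):
    pass


def scoped_queryset(user, rows):
    """The rule from DocumentController.get_queryset: superusers see every row,
    everyone else only the rows they own."""
    if user.is_superuser:
        return list(rows)
    return [d for d in rows if d.owner == user.username]


def list_documents(user, rows):
    if not user.has_perm(VIEW):
        raise PermissionDenied("view_document required")
    return [d.pk for d in scoped_queryset(user, rows)]


def detail_document(user, rows, pk):
    """Look the row up through the scoped queryset, never through all rows."""
    if not user.has_perm(VIEW):
        raise PermissionDenied("view_document required")
    for d in scoped_queryset(user, rows):
        if d.pk == pk:
            return d
    return None  # out-of-scope pk looks exactly like a nonexistent one


def unscoped_detail(user, rows, pk):
    """The anti-pattern: permission is checked, but the row is fetched from all
    rows, so any user holding view_document can reach any pk."""
    if not user.has_perm(VIEW):
        raise PermissionDenied("view_document required")
    for d in rows:
        if d.pk == pk:
            return d
    return None


def bulk_delete(user, rows, pks):
    """Delete only rows that are both requested and inside the user's scope.
    Foreign pks in the request are ignored; returns the pks actually deleted."""
    if not user.has_perm(DELETE):
        raise PermissionDenied("delete_document required")
    reachable = {d.pk for d in scoped_queryset(user, rows)}
    deleted = sorted(reachable & set(pks))
    rows[:] = [d for d in rows if d.pk not in deleted]
    return deleted


def build_sample():
    # Constructed sample data: three documents, two owners.
    return [
        Document(1, "Q1 report", "alice"),
        Document(2, "Meeting notes", "bob"),
        Document(3, "Draft", "alice"),
    ]


def run_demo():
    rows = build_sample()
    alice = User("alice", perms=frozenset({VIEW, DELETE}))
    bob = User("bob", perms=frozenset({VIEW}))
    root = User("root", is_superuser=True)
    result = {
        "alice_list": list_documents(alice, rows),
        "bob_list": list_documents(bob, rows),
        "root_list": list_documents(root, rows),
        # Detail through the scope: bob's pk 2 is unreachable for alice ...
        "alice_detail_2": detail_document(alice, rows, 2),
        "bob_detail_2": detail_document(bob, rows, 2).title,
        # ... but the unscoped lookup hands it over.
        "unscoped_detail_2": unscoped_detail(alice, rows, 2).title,
        # Bulk delete with a foreign pk mixed in: only alice's pk 3 goes.
        "alice_deleted": bulk_delete(alice, rows, [2, 3]),
        "remaining": [d.pk for d in rows],
    }
    try:
        bulk_delete(bob, rows, [2])  # bob lacks delete_document
        result["bob_delete"] = "allowed"
    except PermissionDenied:
        result["bob_delete"] = "denied"
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note the asymmetry in the bulk delete: a request naming [2, 3] reports [3] as deleted and leaves bob's row untouched without an error, which is the "ignored" behaviour the tutorial describes; a real test should assert on the rows that remain, not only on the absence of an exception.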

Tests

tests/test_stage2.py on GitHub