    def queryset(self, request):
        """
        Return the QuerySet of model instances this admin may show
        (used by changelist_view).

        Superusers get the full, ordered queryset. Every other user only
        gets the rows that ``utils.limit_queryset_by_permission`` allows
        for the ``<app_label>.view`` permission, so object-level access
        control is applied before the changelist ever sees the data.
        """
        base_qs = self.model._default_manager.get_query_set()
        # TODO: this should be handled by some parameter to the ChangeList.
        # ``self.ordering`` may be None; only unpack it when it holds fields.
        if self.ordering:
            base_qs = base_qs.order_by(*self.ordering)

        # Superusers bypass the object-level filter entirely.
        if request.user.is_superuser:
            return base_qs
        # Everyone else is restricted to what the share tables grant them;
        # the helper decides how ``perm`` is matched against the shares.
        return utils.limit_queryset_by_permission(
            qs=base_qs,
            perm=self.opts.app_label + '.view',
            user=request.user,
        )
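    def formfield_for_foreignkey(self, db_field, request=None, **kwargs):
        """
        Get a form Field for a ForeignKey whose choices are limited to the
        related objects the requesting user may ``view``.

        ``request`` keeps its ``None`` default for signature compatibility
        with the base admin class, but this override needs ``request.user``
        to apply the object-level permission filter. Calling it without a
        request raises ``ValueError`` (fail closed) rather than dying with an
        AttributeError or falling through to an unfiltered queryset.

        Any ``queryset`` passed in ``kwargs`` is replaced by the filtered one,
        so a caller cannot widen the set of offered choices.
        """
        if request is None:
            raise ValueError(
                "formfield_for_foreignkey() requires a request: the related "
                "queryset is limited by request.user's permissions"
            )

        db = kwargs.get('using')
        if db_field.name in self.raw_id_fields:
            kwargs['widget'] = widgets.ForeignKeyRawIdWidget(db_field.rel, using=db)
        elif db_field.name in self.radio_fields:
            kwargs['widget'] = widgets.AdminRadioSelect(attrs={
                'class': get_ul_class(self.radio_fields[db_field.name]),
            })
            kwargs['empty_label'] = db_field.blank and _('None') or None

        # Offer only the related objects the user is allowed to view.
        kwargs['queryset'] = utils.limit_queryset_by_permission(
            qs=db_field.rel.to.objects.all(),
            perm=self.opts.app_label + '.view',
            user=request.user,
        )

        return db_field.formfield(**kwargs)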
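    def formfield_for_manytomany(self, db_field, request=None, **kwargs):
        """
        Get a form Field for a ManyToManyField whose choices are limited to
        the related objects the requesting user may ``view``.

        Returns ``None`` (no admin field) when the relation goes through a
        hand-written intermediary model. Otherwise ``request.user`` is needed
        for the object-level permission filter: ``request`` keeps its ``None``
        default only for signature compatibility with the base admin class,
        and a missing request raises ``ValueError`` (fail closed) instead of
        an AttributeError.

        Any ``queryset`` passed in ``kwargs`` is replaced by the filtered one,
        so a caller cannot widen the set of offered choices.
        """
        # If it uses an intermediary model that isn't auto created, don't show
        # a field in admin.
        if not db_field.rel.through._meta.auto_created:
            return None

        if request is None:
            raise ValueError(
                "formfield_for_manytomany() requires a request: the related "
                "queryset is limited by request.user's permissions"
            )

        db = kwargs.get('using')
        if db_field.name in self.raw_id_fields:
            kwargs['widget'] = widgets.ManyToManyRawIdWidget(db_field.rel, using=db)
            kwargs['help_text'] = ''
        elif db_field.name in (list(self.filter_vertical) + list(self.filter_horizontal)):
            kwargs['widget'] = widgets.FilteredSelectMultiple(db_field.verbose_name, (db_field.name in self.filter_vertical))

        # Offer only the related objects the user is allowed to view.
        kwargs['queryset'] = utils.limit_queryset_by_permission(
            qs=db_field.rel.to.objects.all(),
            perm=self.opts.app_label + '.view',
            user=request.user,
        )

        return db_field.formfield(**kwargs)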
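    def test_limit_queryset_by_permission(self):
        """
        Object-level filtering through ``utils.limit_queryset_by_permission``.

        Until a ``UserShare`` (direct) or ``GroupShare`` (via membership)
        grants a permission, the filtered queryset must be empty for each of
        view/change/delete; once granted, ``self.obj`` must be in it. A user
        share must not leak to the group member. Independently of shares, a
        user always sees their own ``User`` row and never another user's.

        Uses ``assertFalse``/``assertIn`` rather than the deprecated
        ``failIf``/``failUnless`` aliases (removed in Python 3.12), and checks
        that the granted object is actually present instead of only that the
        queryset is truthy.
        """
        perms = ('view', 'change', 'delete')

        def visible(user, perm):
            # TestModel rows that ``user`` is allowed to ``perm``.
            return utils.limit_queryset_by_permission(TestModel.objects.all(), perm, user)

        def assert_all_denied(user):
            # An empty queryset is falsy: nothing may be visible.
            for perm in perms:
                self.assertFalse(visible(user, perm), "'%s' unexpectedly granted" % perm)

        def assert_all_granted(user):
            for perm in perms:
                self.assertIn(self.obj, visible(user, perm), "'%s' unexpectedly denied" % perm)

        # No shares exist yet: neither the user nor the group member sees anything.
        assert_all_denied(self.user)
        assert_all_denied(self.group_user)

        # Setup user share.
        UserShare.objects.create(
            user=self.user,
            can_view=True,
            can_change=True,
            can_delete=True,
            content_type=ContentType.objects.get_for_model(self.obj),
            object_id=self.obj.id,
        )
        assert_all_granted(self.user)
        # Group share has not yet been setup: the user share must not leak
        # to the group member.
        assert_all_denied(self.group_user)

        # Setup group share.
        GroupShare.objects.create(
            group=self.group,
            can_view=True,
            can_change=True,
            can_delete=True,
            content_type=ContentType.objects.get_for_model(self.obj),
            object_id=self.obj.id,
        )
        assert_all_granted(self.group_user)

        for perm in perms:
            # A user always has access to their own User object ...
            own_rows = utils.limit_queryset_by_permission(User.objects.all(), perm, self.user)
            self.assertIn(self.user, own_rows, "'%s' on own User denied" % perm)
            # ... and never to somebody else's.
            other_rows = utils.limit_queryset_by_permission(User.objects.all(), perm, self.group_user)
            self.assertNotIn(self.user, other_rows, "'%s' leaked another User" % perm)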