Hi Chris,

I am not sure if this is an issue, probably not. I wanted to add rules so that a normal user can only edit his own user. But as django-rulez expects that the rule is contained in a class method. I had to use this 'hack' http://stackoverflow.com/questions/2939941/django-user-model-adding-function to make it work.

In my opinion, the way it is now it's good, I love how simple it is, but I think it would be nice to document this case and offer a solution (e.g. to use the add_to_class method).

The default model backend from django.contrib.auth checks for this, but we dont.

Unfortunately all auth backends are iterated over and the permission is granted if one of them returns True. So even if we have both backends installed and the backend from django.contrib.auth returns False, the permission will still be granted for inactive users if they have permissions based on django-rulez.

Hi,

This repository seems to lack maintenance, I propose myself as a new maintainer.

Could you give me the right to push in your repository or just transfer it on my account in github?

Thank you

Hi there,

Firstly; this project looks very interesting. Flexible and simple; thanks for making the effort.

I'm wondering what the status of the project is? It appears to not have been worked on in some time?

Best regards
Ross

This is a feature request and patch for a template tag which checks user permission based on a method defined on the model. This template tag will accept either a model instance, or a model form with an instance. This is not backwards compatible with the earlier template tag rulez_perm.

Example:
{% has_perm can_edit pubform as editor %}
{% if editor %}
You can edit this!
{% endif %}

The code:

class RulezPermsNode(template.Node):

def __init__(self, codename, objname, varname):
    self.codename = codename
    self.objname = objname
    self.varname = varname

def render(self, context):
    user_obj = template.resolve_variable('user', context)
    obj = template.resolve_variable(self.objname, context)
    #check if the obj is a model instance
    if not hasattr(obj, 'DoesNotExist'):
        #If obj is a form, then try to get the form instance
        if hasattr(obj.instance, 'DoesNotExist'):
            obj = obj.instance
        else:
            self.codename = 'no permission method found'
    if not user_obj.is_authenticated:
        user_obj = AnonymousUser()
    if hasattr(obj,self.codename):
        context[self.varname] = getattr(obj,self.codename)(user_obj)
    else:
        context[self.varname]=False
    return ''

One should be added for the commit wherever the latest PyPI version was cut.

Changelog updates wouldn't hurt either.

@chrisglass Check out https://github.com/concordusapps/python-shield

I needed something like your project (which is great by the way) in sqlalchemy so I made the above. It's missing the roles concept and some good documentation but the groundwork is done for the declarative rules functionality and is orm-agnostic.

What I am proposing is we work together to add all the features from django-rulez you'd want, closing django-rulez, and then jointly maintaining shield to be the best permission framework it can be.

What do you think?

What i'm thinking is for a user validation he must get True for all this rules.

Something like this:

models.py

from rulez.rolez.base import AbstractRole
from rulez.roles.models import ModelRoleMixin
from rulez import registry

class Editor(AbstractRole):
    """ That's a role"""
    @classmethod
    def is_member(cls, user, obj):
        """Remember, class methods take the class instead of self"""
        if user.username == 'chris':
            return True
        return False

    @classmethod
    def has_permissions(cls, user, obj):
        """ Example of user permissions on the model"""
        return user.has_perms(['can_edit', 'can_delete'], cls)

    @classmethod
    def is_owner(cls, user, obj):
        """ Example for and related object """
        return obj.owner is user

class myModel(models.Model, ModelRoleMixin): # Don't forget the mixin!

    def can_edit(self, user_obj):
        '''
        Not a very useful either but it's an example
        '''
        return self.has_role(user_obj, Editor):

    roles = [Editor, ]

registry.register('can_edit', myModel)

The Goal for this approach is use the roles for specific validations, like if i want restrict access to a view if the user match with all the rules in the role.

Something like this:

views.py

from functools import wraps
from django.shortcuts import get_object_or_404
from django.http import HttpResponse

def assert_perms_on_object(view):
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        model_instance = get_object_or_404(myModel, id=kwargs['mymodel_id'])
        if request.user.has_perm('can_edit', model_instance)
            return view(request, *args, **kwargs)
    return wrapper

@assert_perms_on_object
def myview(request, *args, **kwargs):
    # Do someting
    return HttpResponse()

What must change?

As I understand the validation occurs:
rulez / rolez / cache_helper.py: 94

for role in relevant:
    if role.is_member(user, obj):
        user_roles.append(role)

It really is this snippet of code where changes should occur to validate all methods of role?

I could do a pull request to change this behavior if it is interesting for the django-rulez.

What do you think?

Currently if using the {% if perms.MODEL.RULE %} there is no obj passed to the backend