Authorization library for Django

django-cancan

django-cancan is an authorization library for Django. It works on top of the default Django permissions and lets you restrict the resources (models and objects) a given user can access.

This library is inspired by cancancan for Ruby on Rails.

Quick start

  1. Add cancan to your INSTALLED_APPS setting like this:
INSTALLED_APPS = [
    ...,
    'cancan',
]
  2. Create a function that defines user abilities. For example, in abilities.py:
from .models import Article  # assumes Article lives in the same app


def declare_abilities(user, ability):
    if not user.is_authenticated:
        # Allow anonymous users to view published articles
        return ability.can('view', Article, published=True)

    if user.is_superuser:
        # Allow superusers to change all articles. Checked before has_perm(),
        # which returns True for every permission on an active superuser.
        return ability.can('change', Article)

    if user.has_perm('article.view_own_article'):
        # Allow a logged-in user to change their own articles
        return ability.can('change', Article, author=user)
  3. Configure cancan by adding a CANCAN section to settings.py:
CANCAN = {
    'ABILITIES': 'myapp.abilities.declare_abilities'
}

Next, add cancan middleware after AuthenticationMiddleware:

MIDDLEWARE = [
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'cancan.middleware.CanCanMiddleware',
    ...
]

Adding the middleware attaches a request.ability instance to each request. You can use it to check model permissions and object permissions, and to build querysets limited to the objects a user can access.

  4. Check abilities in views:
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.views.generic import DetailView, ListView

from .models import Article  # assumes Article lives in the same app


class ArticleListView(ListView):
    model = Article

    def get_queryset(self):
        # this is how you can retrieve all objects a user can access
        qs = self.request.ability.queryset_for('view', Article)
        return qs


class ArticleDetailView(PermissionRequiredMixin, DetailView):
    queryset = Article.objects.all()

    def has_permission(self):
        article = self.get_object()
        # this is how you can check if user can access an object
        return self.request.ability.can('view', article)
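
Because an ability function like the one in the quick start returns at the first matching branch, the order of its checks decides which rule a user ends up with, and Django's has_perm() returns True for every permission when the user is an active superuser. The following is an added example, not code from django-cancan: StubUser, RecordingAbility, rules_for and the two declare_* functions are stand-ins written for this illustration, and it runs without Django installed.

```python
class Article:  # placeholder for the quick start's Article model
    pass

class StubUser:  # constructed stand-in for django.contrib.auth's User
    def __init__(self, authenticated=True, superuser=False, perms=()):
        self.is_authenticated = authenticated
        self.is_superuser = superuser
        self.is_active = True
        self._perms = set(perms)

    def has_perm(self, perm):
        # Same short-circuit as Django: an active superuser has every permission.
        if self.is_active and self.is_superuser:
            return True
        return perm in self._perms

class RecordingAbility:  # hypothetical stand-in: records each can() call
    def __init__(self):
        self.rules = []

    def can(self, action, model, **filters):
        self.rules.append((action, model, filters))

def declare_shadowed(user, ability):
    # has_perm() is asked first, so the superuser branch is never reached.
    if not user.is_authenticated:
        return ability.can('view', Article, published=True)
    if user.has_perm('article.view_own_article'):
        return ability.can('change', Article, author=user)
    if user.is_superuser:
        return ability.can('change', Article)

def declare_ordered(user, ability):
    # Broadest role first, narrower permission checks after it.
    if not user.is_authenticated:
        return ability.can('view', Article, published=True)
    if user.is_superuser:
        return ability.can('change', Article)
    if user.has_perm('article.view_own_article'):
        return ability.can('change', Article, author=user)

def rules_for(declare, user):
    ability = RecordingAbility()
    declare(user, ability)
    return ability.rules

ROOT = StubUser(superuser=True)  # constructed sample users
AUTHOR = StubUser(perms=['article.view_own_article'])
ANON = StubUser(authenticated=False)
```

Asserting on rules_for() for each role in a project's own test suite catches a reordered or shadowed branch before it changes what a user can reach.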

Testing

Run ./manage.py test to run all tests for the testapp.

Download files

Source Distribution

django-cancan-0.2.tar.gz (8.8 kB)

Built Distribution

django_cancan-0.2-py3-none-any.whl (19.2 kB, Python 3)
