I'm trying to build a self-service website using Django admin. Say a user shall only be able to edit his own data. I can make sure that he can only retrieve his own records this way:

# admin.py
from django.contrib import admin

from .models import PersonalData  # assumed location of the model


class PersonalDataAdmin(admin.ModelAdmin):
    model = PersonalData
    exclude = ('data_confirmed',)
    list_display = ('first_name', 'last_name', 'email')

    def get_queryset(self, request):
        # Non-superusers only get their own records back.
        qs = super(PersonalDataAdmin, self).get_queryset(request)
        if request.user.is_superuser:
            return qs
        return qs.filter(user=request.user)

What about saving though? In order for the view to show up in the admin interface, the user needs rights to change entries of PersonalData. How can I check, when receiving the POST request, that the object belongs to the user? I think I need to implement a ModelForm for this:

class PersonDataForm(ModelForm):
    pass

and add it to PersonalDataAdmin. Then I could overwrite the clean() or save() method. Is this the right way to go? Also, for this case where there is only one record per user, is it possible to skip the change list view and link directly to the change view?

user3917718
  • When creating a custom form for admin, you won't have access to request.user and it will be impossible to verify permissions. I think you will have to override the admin view. See the last paragraphs in http://djangobook.py3k.cn/chapter17/en/ – jazgot May 14 '15 at 21:11

1 Answer

I would go with overriding

ModelAdmin.has_change_permission(request, obj=None)

where you can check request.user versus the object. Also see the related ModelAdmin.has_*_permission() methods.

For restricting the viewing of objects, check:

View permissions in Django

ddalex
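An added example, not part of the answer above and not Django's own code: a mixin that applies the has_change_permission() override to the write path (change, delete, save), complementing the get_queryset() filter from the question. It assumes the model has a `user` foreign key; `OwnerOnlyAdminMixin`, `StandInAdmin`, `DemoAdmin` and `req` are hypothetical names, and the stand-in takes the place of admin.ModelAdmin so the block runs without Django.

```python
from types import SimpleNamespace


class OwnerOnlyAdminMixin:
    """In a project: class PersonalDataAdmin(OwnerOnlyAdminMixin, admin.ModelAdmin)."""
    owner_field = "user"  # assumption: the model has a ForeignKey named "user"

    def _owns(self, request, obj):
        return request.user.is_superuser or getattr(obj, self.owner_field) == request.user

    def has_change_permission(self, request, obj=None):
        # The model-level "change" permission is still required.
        if not super().has_change_permission(request, obj):
            return False
        # obj is None for the change list; its rows are limited by get_queryset().
        return obj is None or self._owns(request, obj)

    def has_delete_permission(self, request, obj=None):
        if not super().has_delete_permission(request, obj):
            return False
        return obj is None or self._owns(request, obj)

    def save_model(self, request, obj, form, change):
        # Pin new rows to the requester instead of trusting a posted owner value.
        if not change and not request.user.is_superuser:
            setattr(obj, self.owner_field, request.user)
        super().save_model(request, obj, form, change)


class StandInAdmin:
    """Constructed stand-in for admin.ModelAdmin so the mixin runs without Django."""

    def has_change_permission(self, request, obj=None):
        return request.user.can_change

    has_delete_permission = has_change_permission

    def save_model(self, request, obj, form, change):
        obj.saved = True


class DemoAdmin(OwnerOnlyAdminMixin, StandInAdmin):
    pass


def req(name, superuser=False, can_change=True):
    """Constructed request carrying only the attributes the mixin reads."""
    user = SimpleNamespace(name=name, is_superuser=superuser, can_change=can_change)
    return SimpleNamespace(user=user)
```

Placing the mixin before admin.ModelAdmin in the base list is what makes the super() calls reach Django's own permission checks.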