43

I was about to use django-guardian until I came across the following in the official documentation:

https://docs.djangoproject.com/en/stable/topics/auth/customizing/#handling-authorization-in-custom-backends

Permissions can be set not only per type of object, but also per specific object instance. By using the has_add_permission(), has_change_permission() and has_delete_permission() methods provided by the ModelAdmin class, it is possible to customize permissions for different object instances of the same type.

Does that mean django-guardian is no longer needed with newer versions of Django?

Please clarify.

Antoine Pinsard
Adam

1 Answer

40

Indeed, while reading the docs, I got excited that Django would cater for "per object permissions checking" out of the box, especially in the admin, and that it would be a matter of time to understand how I could activate it.

However, this does not seem to always be the case.

Django undoubtedly strives to provide the grounds (API) for such an implementation, but this implementation sometimes needs good coding skills and Django understanding.

It is the developer who will get these tools together by creating the app that suits their needs. This could be either easy or ... not so easy!

This contradicting information forms the base for my web crawling which focuses on finding a solution to the "per-object permissions" issue, somehow ... effectively for my project's needs or scale and of course my own coding skills and Django understanding up to now.

Django-guardian seems to be the most robust, full-fledged, full-blown application for this purpose, and it also has a 3-year-old open issue regarding its admin integration.

There are also other more lightweight Django applications that address specific needs which are production-stable, as well.

While trying to make ends meet in this somewhat tricky quest, I am leaning towards using django-rules for its simple functioning, focused on my needs.

raratiru
  • I wanted to implement object level permission with Django Admin site. I went with [Django-guardian](https://github.com/django-guardian/django-guardian), sadly it **did not work** even with the [example that is shipped with the package](https://github.com/django-guardian/django-guardian/tree/devel/example_project). [The issue is not addressed](https://github.com/django-guardian/django-guardian/issues/506) for over 3 years. I wouldn't recommend Django Guardian. – vignz.pie Nov 12 '20 at 09:19
  • @vignz.pie Django Guardian as I mentioned in the post, is a huge project with a steep learning curve. I would not go with it either, instead as I also mention in the post, I am leaning towards using [django-rules](https://github.com/dfunckt/django-rules). Thank you for mentioning this particular issue of Django-guardian, for django-admin, however. I have updated my post. – raratiru Nov 16 '20 at 00:08
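The documentation section linked in the question covers authorization in custom backends: Django passes the optional `obj` argument through to each backend's `has_perm()`, and the backend has to decide what to do with it. The following is an added example, not code from the posts above, from Django or from django-guardian. It shows a minimal owner-only backend written as a plain class; the class name, the `owner` foreign key (`owner_id`) and the `blog`/`post` labels are assumptions, and the user and objects in `demo()` are constructed stand-ins so the check runs without a Django project.

```python
from types import SimpleNamespace


class OwnerPermissionBackend:
    """Authorization-only backend: object-level change/delete/view for the owner.

    Assumption: the protected model has an `owner` ForeignKey (hence `owner_id`).
    """

    OBJECT_ACTIONS = {"change", "delete", "view"}

    def authenticate(self, request, **credentials):
        return None  # never logs anyone in; list it after ModelBackend

    def has_perm(self, user_obj, perm, obj=None):
        if obj is None:
            return False  # model-level checks stay with ModelBackend
        if not user_obj.is_active or user_obj.is_anonymous:
            return False
        app_label, _, codename = perm.partition(".")
        action, _, model_name = codename.partition("_")
        meta = obj._meta
        # Fail closed if the permission string names a different model.
        if (app_label, model_name) != (meta.app_label, meta.model_name):
            return False
        if action not in self.OBJECT_ACTIONS:
            return False
        return obj.owner_id is not None and obj.owner_id == user_obj.pk


def demo():
    """Run the backend over constructed stand-ins for a user and two rows."""
    meta = SimpleNamespace(app_label="blog", model_name="post")
    alice = SimpleNamespace(pk=1, is_active=True, is_anonymous=False)
    own = SimpleNamespace(_meta=meta, owner_id=1)
    other = SimpleNamespace(_meta=meta, owner_id=2)
    backend = OwnerPermissionBackend()
    return {
        "own": backend.has_perm(alice, "blog.change_post", own),
        "other": backend.has_perm(alice, "blog.change_post", other),
        "model_level": backend.has_perm(alice, "blog.change_post"),
        "wrong_model": backend.has_perm(alice, "shop.change_order", own),
        "add": backend.has_perm(alice, "blog.add_post", own),
    }


if __name__ == "__main__":
    print(demo())
```

To use a backend like this, its dotted path goes in `AUTHENTICATION_BACKENDS` after `django.contrib.auth.backends.ModelBackend`. In the admin, the default `ModelAdmin.has_change_permission()` calls `user.has_perm()` without `obj`, so the `ModelAdmin` needs an override that forwards `obj` before the backend is ever consulted per object.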