Django 1.11 - make the whole site read-only for users from a given group (preferably with a fixture)

Question

My question is not the same with View permissions in Django because that one explains how to deal with the issue in Django 2.1 and higher which has a concept of "view" permission while I am working with Django 1.1. which does not.

Django 1.11

I have a group users who should have only read-only access to everything on the site. No restrictions on fields, models, and actial data, only what they can do with it (read-only). I know about possible implementations that suggest doing it "field-by-field" (or "make all fields read-only") and "model-by-model" solution. I am curios if there is a way to do it cleaner, on user group level, or at least on user level.

My views.py so far is default:

from django.shortcuts import render
from django.contrib.auth.decorators import login_required

@login_required 
def index(request):
    """View function for home page of site."""


    # Render the HTML template index.html with the data in the context variable
    return render(request, 'home.html')

Ideally, I'd like to be able to do this with a fixture. Currently in the fixture, I have my groups defined like this:

{
    "model": "auth.group",
    "fields": {
        "name": "some_group",
        "permissions": [
            [
                "add_somemodel",
                "myproject",
                "somemodel"
            ],
            [
                "change_somemodel",
                "myproject",
                "somemodel"
            ],
            [
                "delete_somemodel",
                "myproject",
                "somemodel"
            ]

         ]
       }
}

In Django 2.2 I can do

{
    "model": "auth.group",
    "fields": {
        "name": "some_group",
        "permissions": [
            [
                "view_somemodel",
                "myproject",
                "somemodel"
            ]  
         ]
       }
}

but in Django 1.11 I have only "add", "delete" and "change" - no "view" option (according to the docs enter link description here). So, is there a way to create a fixture that creates a group that has only read permissions for everything?

Answer 1

In your view you need something like this(Notice that this is an example of how to view a post if you belong to the proper access group):

def post_detail(request, slug=None):
    if not request.user.is_staff or not request.user.is_superuser:
        raise Http404
    instance = get_object_or_404(Post, slug=slug)
    share_string = quote_plus(instance.content)
    context = {
        "title": instance.title,
        "instance": instance,
        "share_string": share_string,
    }
    return render(request, "post_detail.html", context)

Pay attention to:

if not request.user.is_staff or not request.user.is_superuser:
        raise Http404

Here are some link to the docs that will help you:

How to authenticate users

All attributes to django.contrib.auth

Edit: I saw your code now, so what you want to achieve can be done like this

from django.shortcuts import render
from django.contrib.auth.decorators import login_required

@login_required 
def index(request):
    """View function for home page of site."""
    # With that way although a user might be logged in
    # but the user might not have access to see the page
    if not request.user.is_staff or not request.user.is_superuser:
        raise Http404


    # Render the HTML template index.html with the data in the context variable
    return render(request, 'home.html')

That way a user may be logged in, but if it's not staff member or superuser it want have access to the page.

Answer 2

Thank you everybody for responding. I did not figure out the way to do it with only user/group/permissions config in the db with Django 1.11, maybe it does not exist. Here is what I ended up with (very similar to the first suggestion I hit on SO when I started the research 4 hours ago, with minimal code changes)

1. Create a fixture for my new group that contains only "change_somemodel" permission and created a user as a member of that group, i.e. no "add_somemodel" and no "delete_somemodel" entries and load it into DB:

[
    {
        "model": "auth.group",
        "fields": {
            "name": "<my_new_group>",
            "permissions": [
                [
                    "change_<somemodel1>",
                    "<myproject>",
                    "<somemodel1>"
                ],

                [
                    "change_<somemodel2>",
                    "<myproject>",
                    "<somemodel2>"
                ]
             ]
    }
,
    {
    "model": "auth.user",
    "fields": {
        "password": "<my_password>",
        "last_login": null,
        "is_superuser": false,
        "username": "<my_username>",
        "first_name": "",
        "last_name": "",
        "email": "",
        "is_staff": true,
        "is_active": true,
        "date_joined": "2019-04-01T14:40:30.249Z",
        "groups": [
            [
                "<my_new_group>"
            ]
        ],
        "user_permissions": []
    }
}
],

This took care of the first part: now when I login as this user I do not have "Add new.." or "Delete" buttons anywhere for any model for my user.

2. Now, when I load a view for a given instance of some model, I still have the fields editable and I still see "Save", "Save and Add Another" and "Save and Continue" buttons. To take care of this, in admin.py in the superclass from which all my models are subclassed, in its custom def changeform_view I added:

if request.user.groups.filter(name='<my_new_group>'): 
   extra_context['show_save_and_add_another'] = False
   extra_context['show_save_and_continue'] = False
   extra_context['show_save'] = False

This made those 3 "Save" buttons disappear for all the models and made all fields read-only. Now this new user can not add, delete or edit anything for any model yet they can see everything, just as I wanted.

Looks like in the newer Django, starting from 2.1, this can be done even better.