
I want to give different user groups access to the Admin portion of my Django site and control which fields they are able to access. I plan on doing this with a custom ModelAdmin object that decides what to add to the fieldsets property based on the current user's group memberships.

  • Is this secure (i.e., if a field is not displayed, and the admin uses Firebug or something to change the form, will Django stop it)?
  • Is this the best way to go about doing this?
juliomalegria
BenGC

1 Answer


Yes, this is secure, as it is processed server-side. I don't know about fieldsets. You could solve it by using get_form. E.g. (taken from this answer):

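def get_form(self, request, obj=None, **kwargs):
    current_user = request.user
    if not current_user.profile.is_manager:
        # Passed per request: assigning self.exclude would change the shared
        # ModelAdmin instance for every later request.
        kwargs['exclude'] = ('added_by',)
    form = super(MovieAdmin, self).get_form(request, obj, **kwargs)
    form.current_user = current_user
    return form

def get_list_display(self, request):
    # Changelist columns are chosen here, per request.
    if not request.user.profile.is_manager:
        return ('name', 'finish')
    return super(MovieAdmin, self).get_list_display(request)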
Community
dan-klasson
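
An added example, not code from the question or the answer: a plain-Python model of the two server-side behaviours this thread turns on. The classes and field names are constructed stand-ins, not Django's API; they assume, as in Django, that a bound form only accepts keys it declares and that one registered admin instance handles every request.

```python
# Constructed stand-ins (plain Python, not Django classes).
ALL_FIELDS = ("name", "finish", "added_by")


class User:
    def __init__(self, is_manager):
        self.is_manager = is_manager


def bind(form_fields, post):
    """Server-side binding: POST keys the form does not declare are dropped."""
    return {k: v for k, v in post.items() if k in form_fields}


class LeakyAdmin:
    """Stores the restriction on the instance, as assigning self.exclude does."""
    exclude = ()

    def form_fields(self, user):
        if not user.is_manager:
            self.exclude = ("added_by",)  # stays set for every later request
        return tuple(f for f in ALL_FIELDS if f not in self.exclude)


class PerRequestAdmin:
    """Derives the exclusion from the current user and never writes to self."""

    def form_fields(self, user):
        exclude = () if user.is_manager else ("added_by",)
        return tuple(f for f in ALL_FIELDS if f not in exclude)


def run(admin_cls):
    admin = admin_cls()  # one instance serves all requests, like a registered ModelAdmin
    tampered_post = {"name": "Alien", "added_by": "someone-else"}  # constructed input
    staff_saved = bind(admin.form_fields(User(is_manager=False)), tampered_post)
    manager_fields = admin.form_fields(User(is_manager=True))
    return staff_saved, manager_fields


if __name__ == "__main__":
    for cls in (LeakyAdmin, PerRequestAdmin):
        print(cls.__name__, *run(cls))
```

In both variants the injected `added_by` value never reaches the saved data, but only the per-request variant still gives a manager the full field list after a restricted user has been served.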