Permissions in ICMS use django's built in permission framework.
Where object permission checking is needed django-guardian has been used.
All permissions in ICMS are defined in a single file perms.py for simplicity.
The Perms class holds several types of permissions:
- sys: Permission for a particular feature.
- page: Permission restricting access to a certain view.
- obj: Permissions tied to specific models.
All system / page permissions are linked to the global permissions model GlobalPermission located here.
User object permissions are defined on models that require them:
- ImporterObjectPerms (see
permissions = ImporterObjectPerms()) - ExporterObjectPerms (see
permissions = ExporterObjectPerms())
Users are never assigned system / page permissions directly they are always assigned to groups which have associated permissions.
The available groups that can be assigned to users are located here.
A custom authentication backend has been created to combine django's ModelBackend and django-guardian's ObjectPermissionBackend.
The main differences are as follows:
- Only group permissions are checked when checking system / page permissions.
ObjectPermissionCheckeris cached after the first call touser.has_perm()oruser.get_all_permissions()for object permission checking.
See ModelAndObjectPermissionBackend
- Permissions module contains most of the permission checking code.
- user_obj_perms: Global context variable to fetch user object permissions in templates for the request user.
- get_user_obj_perms: Jinja function to load user object permissions for a given user.