Wednesday, April 4, 2012

Re: custom manager to control access

On Apr 4, 3:15 am, Mike Dewhirst <mi...@dewhirst.com.au> wrote:
> I have now discarded the idea :)
>
> I'm not very comfortable with thread locals. I need a bullet-proof
> approach which makes data from other companies invisible to members of
> this company. I suppose a view decorator is the way to go but I would
> have preferred a deeper model-level approach.

You have two ways to pass this kind of information around:
1. explicitly as parameters
2. using thread locals (or other "global state").

So, you need to use explicit parameters. You should do something like
this:

from django.db import models

class MemberManager(models.Manager):
    def visible_for_user(self, user):
        # Replace the below filter condition with appropriate logic.
        # (get_query_set() was renamed get_queryset() in Django 1.6.)
        return self.get_query_set().filter(company=user.company)

Now, instead of using Member.objects.all() you should use
Member.objects.visible_for_user(request.user) in your code. I think
you can set the manager default for relations, so that you could do
group.membership.visible_for_user(request.user), but I haven't ever
done that. You will need to be careful when coding so that you don't
accidentally show or modify data from other companies. The way I would
do this is have the logic in the Model/Manager classes, and then use
that logic in your view code.

- Anssi
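
The warning in the reply above about accidentally showing other companies' data can be backed by a static check. The following is an added example, not part of the original message: it walks view source with Python's ast module and reports calls on a per-company model's default manager that bypass visible_for_user. The TENANT_MODELS set, the function name and the sample view code are assumptions constructed for illustration.

```python
import ast

# Assumption: models that hold per-company data; only Member appears in the post.
TENANT_MODELS = {"Member"}
# The scoped entry point suggested in the post.
SCOPED_METHODS = {"visible_for_user"}


def find_unscoped_queries(source, tenant_models=TENANT_MODELS):
    """Return (line, call) pairs where a tenant model's default manager is
    used through anything other than a scoped method, e.g. Member.objects.all()."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Match the shape <Model>.objects.<method>(...)
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        manager = node.func.value
        if not (isinstance(manager, ast.Attribute) and manager.attr == "objects"):
            continue
        model = manager.value
        if not (isinstance(model, ast.Name) and model.id in tenant_models):
            continue
        if node.func.attr not in SCOPED_METHODS:
            findings.append((node.lineno, f"{model.id}.objects.{node.func.attr}"))
    return sorted(findings)


# Constructed sample view code, not from the original post.
SAMPLE_VIEWS = '''
def member_list(request):
    members = Member.objects.visible_for_user(request.user)
    return render(request, "members.html", {"members": members})

def member_detail(request, pk):
    member = Member.objects.get(pk=pk)
    return render(request, "member.html", {"member": member})

def export(request):
    rows = Member.objects.all().values("name")
    return csv_response(rows)

def company_list(request):
    return render(request, "companies.html", {"c": Company.objects.all()})
'''

if __name__ == "__main__":
    for line, call in find_unscoped_queries(SAMPLE_VIEWS):
        print(f"line {line}: {call} bypasses visible_for_user()")
```

The check only sees direct Model.objects.method() calls; it does not follow an aliased manager or related managers such as group.membership, so those paths still need review.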
