Admin Integration

Object-level permissions in Django Admin

By default, Django’s ModelAdmin only checks model-level permissions (e.g. “can this user change any article?”). It does not pass the object to has_perm, so object-level permission logics registered with django-permission2 are never consulted in the admin.

RequireObjectPermissionAdminMixin fixes this. When mixed into a ModelAdmin, it overrides has_view_permission, has_change_permission, and has_delete_permission so that whenever an object is available, the check is delegated to request.user.has_perm(perm, obj) — which triggers django-permission2’s registered permission logics.

When no object is available (e.g. on list views), the mixin falls through to Django’s default model-level permission check.

has_add_permission and has_module_permission are not overridden because they do not operate on a specific object.

Usage

from django.contrib import admin
from permission.mixins.admin import RequireObjectPermissionAdminMixin

from myapp.models import Article


class ArticleAdmin(RequireObjectPermissionAdminMixin, admin.ModelAdmin):
    pass


admin.site.register(Article, ArticleAdmin)

Note

Place the mixin before admin.ModelAdmin in the class bases so that its methods take precedence.