Package to authorize actions over concrete object instances.

Django provides an authentication system to authorize users to create, modify or delete models. The user can perform this action on any element of the class in which it has such permissions. This package extends these permissions and adds read permissions.

The main function of it is to control the access on specific elements for a concrete action.

Online documentation is available at http://django-object-authority.readthedocs.io

• New authentication backend for Django apps.
• New authentication backend for Django rest framework.
• Mechanism to auto-register object permissions.
• Mixin to use in list views that filter your queryset according an authorization filter.
• Per user permissions based filters.
• Command to create custom permission of application and/or specific models.

Install using pip:

$ pip install django-object-authority

Add to INSTALLED_APPS

INSTALLED_APPS = (
    ...
    'django_object_authority',
)

Add the new backend to AUTHENTICATION_BACKENDS

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
    'django_object_authority.backends.ObjectAuthorityBackend',
]

Register your object permissions

# authorizations.py
@register(SampleModel)
class SampleModelAuthority(ObjectAuthorization):

    def has_object_permission(self, user, obj):
        return obj.owner == user

    def has_delete_permission(self, user, obj):
        return obj.owner == user and not obj.is_editable