Are there any suggested best practices for 'add' permissions and parent-child relationships?
KyeRussell opened this issue · comments
Hi,
Consider a standard parent-child relationship (e.g. a `House` has many `Room`s). It is common to want to base `Room`'s `create`/`add` permission on the 'context' of the parent `House` (e.g. the user should only be able to add a new `Room` to a `House` that they own).
The only way that I can tell that this would be addressed in this project is if the permission `add` instead existed on the `House` model (e.g. `House.add_room`), as the `House` instance context would be available to the predicate. This feels largely within the spirit of the project; however, I don't believe that it's explicitly addressed.
Is this a valid pattern? Are there any best practices to overcome this?
Please consider this either a documentation update suggestion, a functionality suggestion, or (at worst) a support request in the form of a GitHub issue. I don't believe that this has been addressed in the README, but please let me know if I am wrong as it's about time for bed!
Django does not pass an object when it checks the permission backends for the `add`/`create` permission, because there is no object. This has been raised a couple of times before (take a look at the closed issues) but really is standard Django behaviour. Regarding docs, PRs are very welcome.
Closing. Feel free to reopen if needed.