Django admin specific use case
I have a few special cases for the Django admin and am curious about other people's opinions:
-
I would like to use a custom admin version so that users can edit certain objects on the site (configured to look more like the rest of the site). At this point, users can only edit the objects that they own, but I will eventually open this up for something more wiki-style where anyone can edit any of the objects. In other words, I would designate all users as "personnel" and give them permission to edit these objects.
-
I also considered doing this for other objects, where not all users could edit all objects. I would use a custom view so that users can edit their own objects. The advantages are that I would have a starting point for an editing interface (since the admin creates it automatically) that I could just customize using ModelAdmin, since the admin functionality is already very close to what I would like.
I feel that the first proposal will be considered acceptable, while the second may not be. After checking a few other resources ( Valid use case for django admin? And quotes from the Django book in this question), it seems that some Django developers feel this is the wrong idea.
My question is why? Are there good reasons not to use custom admin views to grant permissions to an object in terms of performance, stability, security, usability, etc.? It seems to me that this can save a lot of time for certain applications (and I can still do it), but I wanted to understand the reasons for this difference between an administrator and everything else.
source to share
You can do whatever you want. If you want to customize the Django admin go for it, but you will most likely not be supported by the mailing list and IRC if you deviate from the usual path of admin modifications.
While setting up an admin may seem like a straightforward solution right now, it is more likely that it will be more work than just recreating the required forms once you actually try to customize how things work. Look at the general create / edit / delete type and the general / list - these will reveal the basic functionality you need very quickly and will be easier to extend than the admin.
I suppose the "admin is not your application" opinion is due to the fact that it is easier to use other mechanisms than to hack into the admin (plus, leaving the admin untouched makes it easier to redirect for Django developers).
source to share
I previously made a django app by doing exactly this without changing the actual admin code. Rather, by subclassing admin.ModelAdmin with several of its methods, advanced query filters. This will only display records owned by the user (in this case business is AUTH_PROFILE_MODEL). There are various blogs on the Internet on how to achieve this.
You can use this technique to filter lists, form select fields, save confirmation form fields, etc.
So far it has survived from NFA to 1.0 to 1.1, but this method is susceptible to api changes.
In practice, I have found that it is much faster to create new level-level access forms for new models in the application since I added them. You just create a new model with user fk, subclass AdminFilterByBusiness or just
admin.site.register(NewModel,AdminFilterByBusiness)
if he doesn't need any customs. He works and is very harsh.
However, you run the risk of not being able to use other published django apps. So take a close look at this technique for the project you are building.
Example Filter admin Class below, inspired by http://code.djangoproject.co/wiki/NewformsHOWTO
#AdminFilterByBusiness {{{2
class AdminFilterByBusiness(admin.ModelAdmin):
"""
Used By News Items to show only objects a business user is related to
"""
def has_change_permission(self,request,obj=None):
self.request = request
if request.user.is_superuser:
return True
if obj == None:
return super(AdminFilterByBusiness,self).has_change_permission(request,obj)
if obj.business.user == request.user:
return True
return False
def has_delete_permission(self,request,obj=None):
self.request = request
if request.user.is_superuser:
return True
if obj == None:
return super(AdminFilterByBusiness,self).has_delete_permission(request,obj)
if obj.business.user == request.user:
return True
return False
def has_add_permission(self, request):
self.request = request
return super(AdminFilterByBusiness,self).has_add_permission(request)
def queryset(self, request):
# get the default queryset, pre-filter
qs = super(AdminFilterByBusiness, self).queryset(request)
#
if not (request.user.is_superuser):
# filter only shows blogs mapped to currently logged-in user
try:
qs = qs.filter(business=request.user.business_set.all()[0])
except:
raise ValueError('Operator has not been created. Please Contact Admins')
return qs
def formfield_for_dbfield(self, db_field, **kwargs):
""" Fix drop down lists to populate as per user request """
#regular return for superuser
if self.request.user.is_superuser:
return super(AdminFilterByBusiness, self).formfield_for_dbfield(
db_field, **kwargs)
if db_field.name == "business":
return forms.ModelChoiceField(
queryset = self.request.user.business_set.all()
)
#default
return super(AdminFilterByBusiness, self).formfield_for_dbfield(db_field, **kwargs)
source to share
We restrict Django Admin access - unmodified - for back office access by our admins and support people. Not users or clients. Some changes to the stylesheet to make the colors match the rest of the site, but that's it.
For users (our customers), we provide the correct viewing functions to perform various transactions. Even in highly cross-linked forms, there are still a few things we need to check and control.
Django's update operations are very easy to write and trying to set up an admin looks like more work writing the transaction itself.
Our transactions are not much more complex than shown in http://docs.djangoproject.com/en/dev/topics/forms/#using-a-form-in-a-view .
Typically, our pages that have transactions almost always include workflow elements (or related content) that make them slightly more complex than the built-in admin interface. We'll have half a dozen extra lines of code outside the template.
Our use cases are not just add / change / remove, so we need more functionality than the default admin app provides.
source to share