Story #9613
closed
As a developer, I can make permission object filtering chainable
0%
Description
Ticket moved to GitHub: "pulp/pulpcore/2066":https://github.com/pulp/pulpcore/issues/2066
Motivation
As a developer with the new Roles facilities in pulpcore==3.17, you likely will want to filter by permissions with something like this example taken from this PR.
current_user = get_current_authenticated_user()
qs = Task.objects.filter(finished_at__lt=finished_before, state__in=states)
units_deleted, details = get_objects_for_user(current_user, "core.delete_task", qs=qs).delete()
As you can see, this needs to determine who the current user is, and you can't build the queryset in one go by using chaining.
Proposal
Introduce a `with_perm` chainable call on all querysets for Pulp objects. It could be used like this:
qs.with_perm("core.task_delete")
qs.with_perm("core.task_delete", "core.task_view")
qs.with_perms(["core.task_delete", "core.task_view"])
qs.with_perm("core.task_delete").with_perm("core.task_view")
Related issues
Updated by bmbouter about 3 years ago
- Related to Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any querysets that don't use `with_perm` added
Updated by bmbouter about 3 years ago
- Related to deleted (Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any querysets that don't use `with_perm`)
Updated by bmbouter about 3 years ago
- Blocks Story #9614: As a developer, I can mark a Model as RBAC enabled and have exceptions raised for any querysets that don't use `with_perm` added
Updated by gerrod about 3 years ago
I think it should be mentioned that `with_perms` will probably call `get_authenticated_user` implicitly for the permission check. In that case we should probably create our own custom version that can be run in tasks outside of a Django view. Or we would need to make a rule to do all queryset permission checks inside a view before handing off to a task.
Updated by mdellweg about 3 years ago
If we want to allow both of these syntaxes, we should specify whether one or all of the permissions are needed:
qs.with_perm("core.task_delete", "core.task_view")
qs.with_perms(["core.task_delete", "core.task_view"])
Updated by fao89 about 3 years ago
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE
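
The two open questions in this ticket (one-or-all semantics for several permissions, and where the user comes from when the queryset is built outside a view) can be made concrete with a small in-memory model. This is an added illustration, not pulpcore or django-guardian code: `PermQuerySet`, `for_user`, `require_all`, `current_user` and the `GRANTS` table are hypothetical names, and all data is constructed.

```python
# Added illustration; every name here is hypothetical, all data is constructed.
from contextvars import ContextVar

# Ambient user: set by middleware inside a view, unset inside a worker task.
current_user = ContextVar("current_user", default=None)

# Constructed object-level grants: (user, permission) -> ids of permitted objects.
GRANTS = {
    ("alice", "core.task_view"): {1, 2, 3},
    ("alice", "core.task_delete"): {2, 3},
    ("bob", "core.task_view"): {3},
}


class PermQuerySet:
    """Immutable, chainable stand-in for a queryset of rows with an 'id' key."""

    def __init__(self, rows, user=None):
        self._rows = tuple(rows)
        self._user = user

    def filter(self, pred):
        return PermQuerySet((r for r in self._rows if pred(r)), self._user)

    def for_user(self, user):
        """Bind the user explicitly, e.g. a name handed to a task as an argument."""
        return PermQuerySet(self._rows, user)

    def with_perm(self, *perms, require_all=True):
        user = self._user or current_user.get()
        if user is None:
            # Fail closed: without an identity the check cannot be skipped.
            raise PermissionError("with_perm() needs a bound or ambient user")
        if not perms:
            raise ValueError("at least one permission is required")
        id_sets = [GRANTS.get((user, p), set()) for p in perms]
        # require_all=True intersects (AND); False unions (OR).
        allowed = set.intersection(*id_sets) if require_all else set.union(*id_sets)
        return PermQuerySet((r for r in self._rows if r["id"] in allowed), user)

    def ids(self):
        return [r["id"] for r in self._rows]


TASKS = [{"id": 1, "state": "completed"}, {"id": 2, "state": "failed"},
         {"id": 3, "state": "completed"}, {"id": 4, "state": "completed"}]
```

With `require_all=True` as the default, passing two permissions in one call and chaining two calls return the same objects, so the two spellings proposed above cannot silently diverge.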