
admin

management.admin ¤

Classes¤

CustomUserAdmin ¤

Bases: UserAdmin

A slightly more restrictive user admin page.

PermissionsBaseAdmin ¤

Bases: GuardedModelAdmin

Base admin class for models that require permissions.

Functions¤
formfield_for_choice_field(db_field, request, **kwargs) ¤

Limit the queryset for choice fields.

Source code in management\admin.py
def formfield_for_choice_field(self, db_field, request, **kwargs):
    """Default the ``visibility`` choice to private and lock it when required.

    Only the field named ``visibility`` is touched; every other choice field
    is handed to the parent implementation with ``kwargs`` unchanged.

    Args:
        db_field: Model field the form field is being built for.
        request: Current request; ``request.user.is_superuser`` is consulted.
        **kwargs: Form-field options forwarded to the parent implementation.

    Returns:
        Whatever the parent ``formfield_for_choice_field`` returns.
    """
    if db_field.name != "visibility":
        return super().formfield_for_choice_field(db_field, request, **kwargs)

    kwargs["initial"] = "private"
    restricted = self.limit_visibility_level and not request.user.is_superuser
    if restricted:
        # A disabled Django form field ignores the submitted value and keeps
        # its initial one, so this is enforced server-side and not only in the
        # rendered HTML.
        kwargs["disabled"] = True
    return super().formfield_for_choice_field(db_field, request, **kwargs)
formfield_for_foreignkey(db_field, request, **kwargs) ¤

Limit the queryset for foreign key fields.

Source code in management\admin.py
def formfield_for_foreignkey(self, db_field, request, **kwargs):
    """Restrict foreign-key choices and pin ``owner`` for non-superusers.

    Args:
        db_field: Model field the form field is being built for.
        request: Current request; ``request.user`` drives both restrictions.
        **kwargs: Form-field options forwarded to the parent implementation.

    Returns:
        Whatever the parent ``formfield_for_foreignkey`` returns.
    """
    field_name = db_field.name

    if field_name in self.foreign_key_fields:
        # The bare name is the module-level helper taking (db_field, user),
        # not this admin's own ``get_queryset(request)`` method.
        # The queryset given here is also what Django validates submitted
        # foreign-key values against, so it bounds what can be saved as well
        # as what is listed.
        kwargs["queryset"] = get_queryset(db_field, request.user)

    if field_name == "owner" and not request.user.is_superuser:
        # Non-superusers get themselves pre-selected and cannot edit the field.
        kwargs.update(initial=request.user.id, disabled=True)

    return super().formfield_for_foreignkey(db_field, request, **kwargs)
get_queryset(request) ¤

Return a queryset of the objects that the user has view permissions for.

Source code in management\admin.py
def get_queryset(self, request):
    """Return only the objects the requesting user is allowed to view.

    Args:
        request: Current request; ``request.user`` is the account checked.

    Returns:
        The parent queryset narrowed by ``get_objects_for_user`` to the
        ``<app_label>.view_<model_name>`` permission.
    """
    base_qs = super().get_queryset(request)
    view_perm = f"{self.opts.app_label}.view_{self.opts.model_name}"
    return get_objects_for_user(request.user, view_perm, base_qs)
has_change_permission(request, obj=None) ¤

Check if the user has the correct permission to change the object.

Source code in management\admin.py
def has_change_permission(self, request, obj=None):
    """Tell whether the requesting user may change ``obj``.

    Args:
        request: Current request; ``request.user`` is the account checked.
        obj: Object about to be changed, or ``None`` for a model-level check.

    Returns:
        ``True`` when no object is given; otherwise the result of
        ``request.user.has_perm`` for ``<app_label>.change_<model_name>`` on
        ``obj``.
    """
    if obj is None:
        # NOTE(review): the model-level check is granted unconditionally, so
        # any code that calls this without an object is not gated here.
        # Presumably the per-object check below and the filtered queryset are
        # meant to carry the access control - confirm.
        return True
    codename = f"{self.opts.app_label}.change_{self.opts.model_name}"
    return request.user.has_perm(codename, obj)
has_delete_permission(request, obj=None) ¤

Check if the user has the correct permission to delete the object.

Source code in management\admin.py
def has_delete_permission(self, request, obj=None):
    """Tell whether the requesting user may delete ``obj``.

    Args:
        request: Current request; ``request.user`` is the account checked.
        obj: Object about to be deleted, or ``None``.

    Returns:
        The result of ``request.user.has_perm`` for
        ``<app_label>.delete_<model_name>``. ``obj`` is passed through as
        given, so with ``None`` the check is made without an object.
    """
    meta = self.opts
    codename = f"{meta.app_label}.delete_{meta.model_name}"
    return request.user.has_perm(codename, obj)
has_view_permission(request, obj=None) ¤

Check if the user has the correct permission to view the object.

Source code in management\admin.py
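def has_view_permission(self, request, obj=None):
    """Check if the user has the correct permission to view the object.

    Args:
        request: Current request; ``request.user`` is the account checked.
        obj: Object being viewed, or ``None`` for a model-level check.

    Returns:
        The result of ``request.user.has_perm`` for
        ``<app_label>.view_<model_name>`` on ``obj``; ``False`` when no object
        is given.
    """
    if obj is None:
        # Deny explicitly instead of falling off the end of the function with
        # an implicit ``None``: the answer stays falsy, but the predicate now
        # always returns a bool and fails closed on purpose.
        return False
    return request.user.has_perm(
        f"{self.opts.app_label}.view_{self.opts.model_name}", obj
    )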
obj_perms_manage_view(request, object_pk) ¤

Prevents permission escalation at object level.

Only allows users with change permissions for this object to change the object permissions.

Source code in management\admin.py
def obj_perms_manage_view(self, request, object_pk):
    """Prevent permission escalation at object level.

    Only users holding the change permission for this object may reach the
    page that manages the object's permissions; everyone else is redirected
    to the admin index.

    Args:
        request: Current request; ``request.user`` is the account checked.
        object_pk: Primary key of the object whose permissions are managed.

    Returns:
        A redirect to ``admin:index`` when the check fails, otherwise the
        parent view's response.
    """
    # NOTE(review): if ``get_object`` yields ``None`` for an unknown key, the
    # check below runs without an object - confirm the parent view rejects
    # that request.
    target = self.get_object(request, object_pk)
    change_perm = f"{self.opts.app_label}.change_{self.opts.model_name}"
    if request.user.has_perm(change_perm, target):
        return super().obj_perms_manage_view(request, object_pk)

    # NOTE(review): only this view is guarded here. Confirm that the per-user
    # and per-group permission views of the parent admin apply an equivalent
    # object-level check. The denial is a silent redirect; consider logging it.
    index_url = reverse("admin:index", current_app=self.admin_site.name)
    return redirect(index_url)

User ¤

Bases: AbstractUser

Custom user model.

All users are given staff status and added to the standard group.

Functions¤

get_queryset(db_field, user) ¤

Return a queryset based on the permissions of the user.

Returns a queryset of public objects and objects that the user has change permissions for. For the case of Station objects, having the change permission is necessary to include the object in the queryset - being Public is not enough.

Parameters:

Name Type Description Default
db_field Field

Field to filter.

required
user Model

User to check permissions for.

required

Returns:

Type Description
QuerySet

model.QuerySet: Queryset of objects that the user has permissions for.

Source code in management\permissions.py
def get_queryset(db_field: model.Field, user: model.Model) -> model.QuerySet:
    """Build the set of related objects a user may pick for a field.

    The result combines the objects of the field's related model that the user
    holds the `change` permission for with those whose visibility is
    `public`. `Station` is the exception: public stations are not added, so
    only stations the user can change are returned.

    Args:
        db_field (model.Field): Field to filter.
        user (model.Model): User to check permissions for.

    Returns:
        model.QuerySet: Queryset of objects that the user has permissions for.
    """
    related = db_field.related_model
    meta = related._meta
    app_name, model_name = meta.app_label, meta.model_name

    editable = get_objects_for_user(user, f"{app_name}.change_{model_name}")

    if model_name == "station":
        # Visibility alone never exposes a station, so add nothing here.
        visible_to_all = related.objects.none()
    else:
        visible_to_all = related.objects.filter(visibility="public")

    return editable | visible_to_all