Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Implementing custom permission behavior?

See original GitHub issue

I am not sure if this is a bug or a feature request or simply a frustrated user, but I am struggling with developing custom permission behavior - namely: preventing the deletion of published pages. If there is a way to do this without altering Wagtail source I am all ears, but here is a brief overview of my solution:

# Create custom PagePermissionTester and UserPagePermissionsProxy classes
class CustomPagePermissionTester(PagePermissionTester):
    def can_delete(self):
        return not self.page.live and super().can_delete()

class CustomPermProxy(UserPagePermissionsProxy):
    def for_page(self, page):
        return CustomPagePermissionTester(self, page)

# ... within my page model
    def permissions_for_user(self, user):
        user_perms = CustomPermProxy(user)
        return user_perms.for_page(self)

Within views/pages.py

def delete(request, page_id):
    page = get_object_or_404(Page, id=page_id).specific # access specific page type
    if not page.permissions_for_user(request.user).can_delete():
        raise PermissionDenied

And to remove the option to delete a page from the dropdown - simply add page_perms to the render context of def edit(request, page_id): and remove the following lines from the edit template:

{% page_permissions page as page_perms %}

Would something like the above be possible to implement for Wagtail as a whole or are there other reasons why overriding permissions_for_user should not be allowed?

Issue Analytics

State:
Created 7 years ago
Reactions:7
Comments:13 (3 by maintainers)

Top GitHub Comments

2reactions

luizboarettocommented, Dec 22, 2017

A system wide recycle bin and undelete would be very interesting.

2reactions

nickhudkinscommented, Mar 22, 2017

Hey @cjmochrie I just ran into this same issue, and noticed that the {% page_permissions %} template tag has this line in it: https://github.com/wagtail/wagtail/blob/de9ffaab4978ad5e50ead1c52b2c1036ee92fc0c/wagtail/wagtailadmin/templatetags/wagtailadmin_tags.py#L136

Unfortunately, those page permissions (although retrieved in the edit view: https://github.com/wagtail/wagtail/blob/de9ffaab4978ad5e50ead1c52b2c1036ee92fc0c/wagtail/wagtailadmin/views/pages.py#L301) go unused outside of the view. Which means that default Page permissions are used in context.

@gasman is this intended behavior or did we stumble on a bug?

The result of this is that if permissions_for_user is defined on a page sub class, the custom permissions returned are not respected.

Top Results From Across the Web

Define a custom app permission - Android Developers

This document describes how app developers can use the security features provided by Android to define their own permissions. By defining custom permissions...

Secure coding technique: The Custom Permission Problem

The SCWApp creates a custom permission, DevTrainer requests this permission and the user can decide whether he wants to allow this or not....

Enable Custom Permissions in Permission Sets

On the permission set overview page, click Custom Permissions. Click Edit. To enable custom permissions, select them from the Available Custom Permissions list ......

Custom Permissions To Adapt Behaviour - Flexpricer® CPQ

Flexpricer and Vision Product Selector include a series of custom permissions that can adjust behaviour for individual users (using ...

Custom Permission Classes in Django REST Framework

Creating custom permissions allows you to set permissions based on whether the user is authenticated or not, the request method, ...