First, the cautionary warning: The Django admin design philosophy is that any user with access to the admin (is_staff==True
) is a trusted user, e.g. an employee, hence the “staff” designation to even gain access to the admin. While you can customize the admin to restrict areas, allowing anyone not within your organization access to your admin is considered risky, and Django makes no guarantees about any sort of security at that point.
Now, if you still want to proceed, you can restrict most everything but the shops right off the bat by simply not assigning those privileges to the user. You’ll have to give all the shop owners rights to edit any of the shop models they’ll need access to, but everything else should be left off their permissions list.
Then, for each model that needs to be limited to the owner’s eyes only, you’ll need to add a field to store the “owner”, or user allowed access to it. You can do this with the save_model
method on ModelAdmin
, which has access to the request object:
class MyModelAdmin(admin.ModelAdmin):
def save_model(self, request, obj, form, change):
obj.user = request.user
super(MyModelAdmin, self).save_model(request, obj, form, change)
Then you’ll also need to limit the ModelAdmin’s queryset to only those items own by the current user:
class MyModelAdmin(admin.ModelAdmin):
def get_queryset(self, request):
qs = super(MyModelAdmin, self).get_queryset(request)
if request.user.is_superuser:
return qs
return qs.filter(owner=request.user)
However, that will only limit what gets listed, the user could still play with the URL to access other objects they don’t have access to, so you’ll need to override each of the ModelAdmin’s vulnerable views to redirect if the user is not the owner:
from django.http import HttpResponseRedirect
from django.core.urlresolvers import reverse
class MyModelAdmin(admin.ModelAdmin):
def change_view(self, request, object_id, form_url="", extra_context=None):
if not self.queryset(request).filter(id=object_id).exists():
return HttpResponseRedirect(reverse('admin:myapp_mymodel_changelist'))
return super(MyModelAdmin, self).change_view(request, object_id, form_url, extra_context)
def delete_view(self, request, object_id, extra_context=None):
if not self.queryset(request).filter(id=object_id).exists():
return HttpResponseRedirect(reverse('admin:myapp_mymodel_changelist'))
return super(MyModelAdmin, self).delete_view(request, object_id, extra_context)
def history_view(self, request, object_id, extra_context=None):
if not self.queryset(request).filter(id=object_id).exists():
return HttpResponseRedirect(reverse('admin:myapp_mymodel_changelist'))
return super(MyModelAdmin, self).history_view(request, object_id, extra_context)
UPDATE 06/05/12
Thanks @christophe31 for pointing out that since the ModelAdmin
‘s queryset is already limited by user, you can just use self.queryset()
in the change, delete and history views. This nicely abstracts away the model classname making the code less fragile. I’ve also changed to using filter
and exists
instead of a try...except
block with get
. It’s more streamlined that way, and actually results in a simpler query, as well.