+django-rbac 0.1 Documentation
First of all, I would like to show some drawbacks of Django's current permission system:
* Permissions are tied directly to the ``User`` model from ``django.contrib.auth``, so you cannot use any other existing model in your application.
* The task of mantaining this list of permissions in the current Django system is responsibility of a superuser or some other kind of centralized entity.
* You can certainly assign permissions to ``Group`` model instances, but all users in this group will share the same permissions.
-* Last, but not least, until Django v1.2 will come and ticket #11010_ implemented, the permission system is model-level -- it doesn't allow granular permissions (row-level), which means you can give a user authorization to do something based on all instances of a model class, but not to a single model instance (an object).
+* Last, but not least, until Django v1.2 will come and ticket `#11010`_ implemented, the permission system is model-level -- it doesn't allow granular permissions (row-level), which means you can give a user authorization to do something based on all instances of a model class, but not to a single model instance (an object).
Many applications, and specially today's web applications -- which involve concepts as collaboration or content driven by the users -- need the flexibility to support delegation of permission granting to objects by other trusted agents. A clear example is a social networking site, where the users want to allow or deny access to their profiles or pictures, open or close their different communication channels like receiving friendship requests or private messages. django-rbac tries to champion this by introducing some key features from the Role-Based Access Control (RBAC_) proposal. In this implementation users (subjects) are assigned different roles that, in turn, have (or not) privileges over objects. With this permission system, the owner of an object can give privileges to certain roles. For example, a user can grant access to other users trying to read some personal info only if they belong to, at least, one of the roles specified in the permission rule.
I you are interested, you can read the `introduced formal model`_ by F. Ferraiolo and D. R. Kuhn.
-.. _11010: http://code.djangoproject.com/ticket/11010
+.. _11010: http://code.djangoproject.com/ticket/11010
.. _RBAC: http://csrc.nist.gov/groups/SNS/rbac/
.. _introduced formal model: http://csrc.nist.gov/groups/SNS/rbac/documents/Role_Based_Access_Control-1992.html
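Review bot: The reference in the last bullet now reads `#11010`_, which looks up a target named "#11010", but the target line in this change still reads ".. _11010:" on both the removed and the added side (as shown here the two lines are identical). The names no longer match, so the ticket link will not resolve when the docs are built. Rename the target to ".. _#11010: http://code.djangoproject.com/ticket/11010", or use the embedded form `#11010 <http://code.djangoproject.com/ticket/11010>`_ in the bullet and drop the separate target. Since the bullet is being touched anyway, "until Django v1.2 will come and ticket ... implemented" could be reworded to "until Django v1.2 is released and ticket ... is implemented".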
-Be sure you have ``django.contrib.contenttypes`` installed in you project.
Currently only installation from latest development code is available. Once the code is mature enough I will upload it to PyPi_ so anyone can grab and install it using ``easy_install`` or ``pip``.
.. _PyPi: http://pypi.python.org/
Install Mercurial_ if you don't have it yet, and clone the repository::
.. _Virtualenv: http://pypi.python.org/pypi/virtualenv/
.. _Virtualenvwrapper: http://www.doughellmann.com/projects/virtualenvwrapper/
+Be sure you have ``django.contrib.contenttypes`` installed in you project.
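Review bot: The re-added sentence on the last line keeps the typo "in you project" (should be "in your project"). It also now follows the clone instruction and the Virtualenv link targets, so a reader meets the prerequisite only after the install steps. Consider keeping it ahead of the clone step, or giving it its own short requirements paragraph, and say explicitly that ``django.contrib.contenttypes`` has to be listed in ``INSTALLED_APPS``, since "installed in your project" is ambiguous for an app that ships with Django.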