
django-rbac / example / myapp / views.py

from django.template import RequestContext
from django.shortcuts import get_object_or_404
from django.http import HttpResponse, HttpResponseForbidden
from django.contrib.auth.models import User, Group

from rbac.models import RBACRole, RBACOperation, RBACPermission, RBACGenericPermission
from rbac.utils import rbac_permission


def users_are_friends(user, target_user):
    """Return whether *user* and *target_user* are friends.

    Stub for the example app: there is no friendship data, so the answer
    is always False and nobody is ever granted the 'friend' role. Both
    parameters are ignored.
    """
    are_friends = False
    return are_friends

def users_are_coworkers(user, target_user):
    """Return whether *user* and *target_user* are coworkers.

    Stub for the example app: always True, whatever the arguments. Every
    requester that reaches get_user_roles() therefore receives the
    'coworker' role (the calling view does not check authentication), so
    any RBAC grant made to that role effectively applies to everyone.
    Replace with a real relationship check before protecting real data.
    """
    are_coworkers = True
    return are_coworkers

def get_user_roles(user, target_user):
    """Return the RBACRole objects describing *user*'s relationship to *target_user*.

    Each relationship predicate is evaluated in order (friend, then
    coworker) and, when it holds, the matching role row is fetched by name.
    Every name must match an existing RBACRole exactly (singular 'friend' /
    'coworker'): ``RBACRole.objects.get`` raises ``RBACRole.DoesNotExist``
    otherwise, which surfaces as a server error rather than a 403.

    Returns:
        list of RBACRole, possibly empty.
    """
    relationship_roles = (
        ('friend', users_are_friends),
        ('coworker', users_are_coworkers),
    )
    return [
        RBACRole.objects.get(name=role_name)
        for role_name, holds in relationship_roles
        if holds(user, target_user)
    ]

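def my_view(request):
    """Display details of the demo user ``nabuco`` if the requester is allowed to.

    The owner of the data (``nabuco``) always passes. Anyone else is mapped
    to a set of roles relative to the owner (see get_user_roles) and must
    hold the ``display`` operation both on the ``Group`` model (per-model
    check) and on the specific ``punks`` group (per-object check). A failed
    check answers 403.

    Returns:
        HttpResponse('Test passed!') on success, HttpResponseForbidden
        when either RBAC check fails.
    Raises:
        Http404 if the ``punks`` group does not exist (get_object_or_404).
    """
    owner, created = User.objects.get_or_create(username='nabuco')
    # TODO: populate from fixture instead?  Seeding inside a GET handler is
    # a side effect; it only runs when the user row was just created.
    if created:
        # get_or_create rather than create: Group.name is unique, so a
        # pre-existing row would otherwise raise IntegrityError here.
        for group_name in ('punks', 'rockers'):
            group, _ = Group.objects.get_or_create(name=group_name)
            owner.groups.add(group)
        # Role names must match the lookups in get_user_roles(), which use
        # the singular 'friend' / 'coworker'; the plural names previously
        # seeded here never matched, so every non-owner request raised
        # RBACRole.DoesNotExist. get_or_create tolerates pre-seeded rows
        # (assumes RBACRole.name is unique -- confirm in rbac.models).
        for role_name in ('family', 'friend', 'coworker'):
            RBACRole.objects.get_or_create(name=role_name)

    # Owner of the object has full permissions, otherwise check RBAC.
    # NOTE(review): an unauthenticated request also takes this branch and is
    # handed whatever roles the stub predicates above grant; gate the view
    # with login_required before reusing this pattern for real data.
    if request.user != owner:
        roles = get_user_roles(request.user, owner)
        # Keyword lookup: Django's get_or_create(defaults=None, **kwargs)
        # would bind a bare positional 'display' to ``defaults``. Assumes
        # RBACOperation has a ``name`` field like RBACRole -- confirm.
        op, _ = RBACOperation.objects.get_or_create(name='display')

        # Per-model permission: may the requester display groups at all?
        if not RBACGenericPermission.objects.get_permission(owner, Group, op, roles):
            return HttpResponseForbidden("Sorry, you are not allowed to see nabuco groups")

        # Per-object permission: may the requester see this particular group?
        # The check is made against the group instance itself; previously
        # ``owner`` was passed twice and ``group_inst`` went unused, so the
        # per-object check never looked at the group. (Assumes the second
        # argument is the target object, mirroring ``Group`` above -- confirm
        # against rbac.models.)
        group_inst = get_object_or_404(Group, name='punks')
        if not RBACPermission.objects.get_permission(owner, group_inst, op, roles):
            return HttpResponseForbidden("Sorry, you are not allowed to see this group details")

    return HttpResponse('Test passed!')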