Create RBAC models: Role, User-Role relation, Role-Role hierarchy, Permissions, OrganizationalUnit
All objects should pertain to an organization unit (OU).
User can be linked to many roles. Roles can be linked to many users. Roles can be linked to roles.
Roles can be linked to many permissions.
The permission model must contain a generic foreign key (the resource), a string (the operation) and a scope (a generic foreign key to organizations, for example). Permissions without a scope apply to all targeted resources; with a scope, only to resources of this scope. Ex.:
Permission(resource=ContentType(User), operation="admin", scope=OU) is the permission to administer users in the people OU.
Role hierarchy must be stored denormalized to speed up queries. On each creation/deletion of a link, the full transitive closure of the relation must be maintained. Roles have flags:
- mirror: generic foreign key to the object it was made for; if present, it means the role was automatically created and must not be deleted
- organization: the organization owning this role
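As an added illustration (not code from this issue, django_rbac or authentic2), a minimal in-memory model of the scheme described above: a permission carries a resource type, an operation and an optional OU scope; each role's ancestor set is recomputed as a denormalized closure on every link change (cycles included); and a check follows a user's roles through that closure. The plain-Python stand-ins for the Django models, the role and user names, and the convention that a child role inherits its parents' permissions are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    resource_type: str           # stands in for ContentType, e.g. "User"
    operation: str               # e.g. "admin"
    scope: Optional[str] = None  # OU name; None means every OU

class Rbac:
    # Constructed in-memory store: role graph (cycles allowed), denormalized
    # closure table, role permissions and user-role links.
    def __init__(self):
        self.parents = defaultdict(set)     # child role -> direct parent roles
        self.closure = {}                   # role -> itself + every ancestor role
        self.perms = defaultdict(set)       # role -> granted permissions
        self.user_roles = defaultdict(set)  # user -> directly assigned roles

    def _rebuild_closure(self):
        # Recompute the full transitive closure after every link change, as the
        # issue requires; the visited set makes BFS terminate on cyclic graphs.
        roles = set(self.parents) | {p for ps in self.parents.values() for p in ps}
        for role in roles:
            seen, queue = {role}, deque([role])
            while queue:
                for parent in self.parents.get(queue.popleft(), ()):
                    if parent not in seen:
                        seen.add(parent)
                        queue.append(parent)
            self.closure[role] = seen
    def add_parent(self, child, parent):
        self.parents[child].add(parent)
        self._rebuild_closure()
    def remove_parent(self, child, parent):
        self.parents[child].discard(parent)
        self._rebuild_closure()
    def grant(self, role, perm):
        self.perms[role].add(perm)
    def assign(self, user, role):
        self.user_roles[user].add(role)
    def has_perm(self, user, resource_type, operation, ou):
        # Unscoped permissions match any OU; scoped ones only their own OU.
        for role in self.user_roles.get(user, ()):
            for inherited in self.closure.get(role, {role}):
                for p in self.perms.get(inherited, ()):
                    if p.resource_type == resource_type and p.operation == operation and p.scope in (None, ou):
                        return True
        return False
```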
django_rbac: add an RBAC engine (#6994)
- swappable role model supporting role graph with cycles
- swappable role parenting model
- swappable permission model
- swappable organizational unit model allowing to have scopes on permissions and objects
- authorization backend based on role membership
- helpers to filter querysets by the permissions users have on them
utils: add get_fk_model to retrieve related model
get_fk_model() is a helper method to retrieve the related model of a
possible foreign key field of a model; it supports the pre- and post-1.8
model `_meta` internal API.
a2_rbac: integrate django_rbac in authentic2
This commit adds local implementations for the swappable models of the
django_rbac application. The role model gets extra fields to map
some roles one-to-one to permissions (admin_scope generic key field) and
to link roles to a service to make service roles.
The admin scope allows building automatic management roles, like the
general management role for an organizational unit, which inherits all
content type management roles for this OU.
Updated by Benjamin Dauvergne almost 6 years ago
- Status changed from New to Resolved (to be deployed)
- % Done changed from 0 to 100
Applied in commit authentic2|c9915b9b6d0e34fecfce78b2670323d403534613.