
Provides an object permission system based on field values (eg: object.owner == user)

Primary LanguagePythonMIT LicenseMIT


django-field-object-permissions is an object permission system based on field values of the object. (eg: object.owner == user)


To install just run:

pip install django-field-object-permissions


  1. Put fieldobjectpermissions to your INSTALLED_APPS of the settings module:


2. Replace the default authentication backend (fieldobjectpermissions is based on it):

    # django.contrib.auth.backends.ModelBackend,  # Default
  1. These new values are optional, defaults are shown below:

        'OWNER_FIELDS': ('owner',),
        'GROUP_FIELDS': ('group',),
        'OWNER_ACTIONS': ('change', 'delete'),
        'GROUP_ACTIONS': ('change', 'delete'),

4. Run python manage.py migrate as there are post-migration triggers to create the extra permissions required.


You can now assign permissions like owner_change_foo to allow only the user who matches the value of the owner field to change an object (or the superuser, of course).

Or the permission group_delete_foo to all allow any user who is a member of a group listed in the group field of an object to delete it (or the superuser, you know this).

These permissions are created in a post-migrate signal handler, and will only be created for models with have the required field(s).

By specifying multiple fields for OWNER_FIELDS or GROUP_FIELDS only one of the listed fields needs to exist for permission creation. And only one needs to match for permission to be granted by the auth backend.