Per-feature generic permissions system

[ezzra]

Is there a specific reason, why only staff/admin users are allowed to create lists? I would like to allow users to create without having access to admin pages. Is that just a lack of permissions or is there an other reason for this?

[shacker]

Interesting question. I think I was just going for a safe "least privilege" scenario, and thinking of it like a Jira board where a manager controls the lists and staff work on those lists (which has been the case everywhere I've worked). But I can imagine all sorts of permissions / privileges scenarios that are different between projects. The challenge is in tackling that in a clean way that scales to different projects with differently named groups, code that calls a central permissions system without a ton of if/then conditionals all over the place, etc. And I don't have a clear picture in my mind of how that might work. I wouldn't want to dictate the Group names that have to be in place, for example.

The best I can think of would be to have a TODO_PERMISSIONS dictionary in settings, where keys are privilege names and values are lists of groups:

TODO_PERMISSIONS = {
    "can_create_lists": ["Managers", "Coders", "Visitors"],
    "can_delete_lists": ["Managers", "Coders"],
    "can_complete_tasks": ["Stunt Pilots", "Visitors"],
}

And then have a shared function that returns bool by consulting this mapping against the current user, and finally a template tag to wrap that function. So then you could use things like if can_create_lists: blah blah either in python or in template code.

Other ideas?

[shacker]

I welcome contributions on this feature, fwiw - let me know if interested.

[bittner]

Related issues: #5, #25 -- Aka, we've talked about this before. 😏

[multun]

@shacker @ezzra how about https://github.com/dfunckt/django-rules ?

[shacker]

I'm a big fan of django-rules, but since todo is a plugin for existing sites, I'm very interested in keeping the number of dependencies as limited as possible. I'll think about it...