From c4dbe6f73517395ec3c769f191c66ea133b596e7 Mon Sep 17 00:00:00 2001 From: Rivo Laks Date: Sat, 18 May 2013 15:07:34 +0200 Subject: [PATCH] Implement proper permission checkin in Admin2 Uses Django's builtin per-model permissions (add/change/delete plus view which we'll add) and also supports per-object permissions.
---
 djadmin2/models.py | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)
diff --git a/djadmin2/models.py b/djadmin2/models.py
index 6737fa8..d1b705c 100644
--- a/djadmin2/models.py
+++ b/djadmin2/models.py
@@ -41,24 +41,41 @@ class BaseAdmin2(object):
     readonly_fields = ()
     ordering = None
 
-    def has_view_permission(self, request):
-        """
-        Returns True if the given HttpRequest has permission to view
-        *at least one* page in the mongonaut site.
-        """
-        return request.user.is_authenticated() and request.user.is_active
 
-    def has_edit_permission(self, request):
+    # TODO: make the model argument required after the registration code has been refactored.
+    # def __init__(self, model):
+    def __init__(self, model=None):
+        super(BaseAdmin2, self).__init__()
+
+        self.model = model
+
+
+    def _user_has_permission(self, user, permission_type, obj=None):
+        """ Generic method for checking whether the user has permission of specified type for the model.
+        Type can be one of view, add, change, delete.
+        You can also specify instance of the model for object-specific permission check.
+        """
+        if not user.is_authenticated() or not user.is_staff:
+            return False
+        opts = self.model._meta
+        full_permission_name = '%s.%s_%s' % (opts.app_label, permission_type, opts.object_name.lower())
+        return user.has_perm(full_permission_name, obj)
+
+    def has_view_permission(self, request, obj=None):
+        """ Can view this object """
+        return self._user_has_permission(request.user, 'view', obj)
+
+    def has_edit_permission(self, request, obj=None):
         """ Can edit this object """
-        return request.user.is_authenticated() and request.user.is_active and request.user.is_staff
+        return self._user_has_permission(request.user, 'change', obj)
 
-    def has_add_permission(self, request):
+    def has_add_permission(self, request, obj=None):
         """ Can add this object """
-        return request.user.is_authenticated() and request.user.is_active and request.user.is_staff
+        return self._user_has_permission(request.user, 'add', obj)
 
-    def has_delete_permission(self, request):
+    def has_delete_permission(self, request, obj=None):
         """ Can delete this object """
-        return request.user.is_authenticated() and request.user.is_active and request.user.is_superuser
+        return self._user_has_permission(request.user, 'delete', obj)
 
 
 class Admin2(BaseAdmin2):
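Review bot: `_user_has_permission` hands `obj` straight to `user.has_perm(full_permission_name, obj)`, but Django's stock `ModelBackend` returns an empty permission set whenever an object is supplied, so with the default backend every object-level call (`has_view_permission(request, obj)`, `has_edit_permission(request, obj)`, …) denies all non-superusers while the model-level call succeeds. Consider checking the model-level permission first and only then asking the backends about the object, e.g. `if user.has_perm(full_permission_name): return True` followed by `return obj is not None and user.has_perm(full_permission_name, obj)`, or document that an object-aware backend is required for the `obj` argument to mean anything. The rewrite also drops the explicit `is_active` test the removed lines carried; `ModelBackend` refuses inactive users on its own, but a custom backend is not obliged to, so extending the early guard to `if not user.is_authenticated() or not user.is_active or not user.is_staff:` keeps that check independent of backend behaviour. Lastly `self.model` defaults to `None` in the new `__init__`, so `self.model._meta` raises `AttributeError` for an admin registered without a model — this fails closed, but an explicit `if self.model is None: return False` would give callers a permission result rather than a 500. The enclosing class `BaseAdmin2` begins above the hunk.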