View and edit permissions for dashboards #27

Closed
simonw opened this issue Mar 15, 2021 · 9 comments
Labels: enhancement, security

Comments

@simonw
Owner

simonw commented Mar 15, 2021

The ability to control who can view a dashboard, and who can edit a dashboard at the individual dashboard level.

simonw added the enhancement and security labels Mar 15, 2021
@simonw
Owner Author

simonw commented Mar 15, 2021

I'm going to optionally use Django auth groups for this, if they are defined.

I think a select box for "who can view" and a select box for "who can edit" will work. Following options:

  • Anyone (available for view but not for edit)
  • Only me (effectively private dashboards)
  • Logged in users
  • Staff users
  • Super users
  • Users in group X (one option for each group)

@simonw
Owner Author

simonw commented Mar 15, 2021

I'm going to add six columns to Dashboard for this:

  • created_by - foreign key to User
  • created_at - datetime
  • view_policy - enum
  • edit_policy - enum
  • view_group - nullable foreign key to Group
  • edit_group - nullable foreign key to Group

@simonw
Owner Author

simonw commented Mar 15, 2021

The policy enums will cover:

  • public (not for view, just edit)
  • creator
  • loggedin_users
  • group
  • staff
  • superusers

@simonw
Owner Author

simonw commented Mar 15, 2021

Another view permission option: unlisted - available to the public but only if they know the dashboard URL.

These ones won't be shown on the /dashboard/ index page and will have robots SEO exclusion.

@simonw
Owner Author

simonw commented Mar 16, 2021

Model changes in the admin (I customized the admin fieldsets):

[Screenshot: Mozilla_Firefox]

@simonw
Owner Author

simonw commented Mar 16, 2021

```python
from django.conf import settings
from django.db import models
from django.utils import timezone


class Dashboard(models.Model):
    slug = models.SlugField(unique=True)
    title = models.CharField(blank=True, max_length=128)
    description = models.TextField(blank=True)
    created_by = models.ForeignKey(
        settings.AUTH_USER_MODEL,
        null=True,
        blank=True,
        on_delete=models.SET_NULL,
        related_name="created_dashboards",
    )
    # Pass the callable, not its result, so the timestamp is taken when the
    # row is created rather than once when the module is imported.
    created_at = models.DateTimeField(default=timezone.now)

    class ViewPolicies(models.TextChoices):
        PRIVATE = ("private", "Private")
        PUBLIC = ("public", "Public")
        UNLISTED = ("unlisted", "Unlisted")
        LOGGEDIN = ("loggedin", "Logged-in users")
        GROUP = ("group", "Users in group")
        STAFF = ("staff", "Staff users")
        SUPERUSER = ("superuser", "Superusers")

    # Edit has no PUBLIC or UNLISTED choice: editing always requires a login.
    class EditPolicies(models.TextChoices):
        PRIVATE = ("private", "Private")
        LOGGEDIN = ("loggedin", "Logged-in users")
        GROUP = ("group", "Users in group")
        STAFF = ("staff", "Staff users")
        SUPERUSER = ("superuser", "Superusers")

    # Permissions (both default to the most restrictive policy)
    view_policy = models.CharField(
        max_length=10,
        choices=ViewPolicies.choices,
        default=ViewPolicies.PRIVATE,
    )
    edit_policy = models.CharField(
        max_length=10,
        choices=EditPolicies.choices,
        default=EditPolicies.PRIVATE,
    )
    # Only consulted when the matching policy is GROUP
    view_group = models.ForeignKey(
        "auth.Group",
        null=True,
        blank=True,
        on_delete=models.SET_NULL,
        related_name="can_view_dashboards",
    )
    edit_group = models.ForeignKey(
        "auth.Group",
        null=True,
        blank=True,
        on_delete=models.SET_NULL,
        related_name="can_edit_dashboards",
    )
```

@simonw
Owner Author

simonw commented Mar 16, 2021

I'm going to change created_by to owned_by since that makes it clear that it's OK for a user to "transfer ownership" of a dashboard to someone else.

@simonw
Owner Author

simonw commented Mar 16, 2021

Next steps: get the dashboards to obey these permissions, with comprehensive tests. Editing can still happen through the admin interface for the moment.

Dashboards should include a visible note that explains who is allowed to edit or view the dashboard.
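
A default-deny evaluation of the view and edit policies discussed in this thread, as an added example that is not part of the original comments or the project's code. `User`, `Dashboard`, `can_view` and `can_edit` are hypothetical framework-free stand-ins (groups are plain names, `owned_by` is a user id), and the policies are read literally with no implicit owner or superuser override, which is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    """Hypothetical stand-in for a Django user; pass None for an anonymous visitor."""
    id: int
    is_staff: bool = False
    is_superuser: bool = False
    groups: frozenset = frozenset()  # names of the auth groups the user belongs to

@dataclass
class Dashboard:
    """Hypothetical stand-in holding only the permission columns from this thread."""
    owned_by: Optional[int] = None  # owner's user id; None once the owner is deleted (SET_NULL)
    view_policy: str = "private"
    edit_policy: str = "private"
    view_group: Optional[str] = None
    edit_group: Optional[str] = None

# Edit has no anonymous options, so "public" and "unlisted" are absent here.
EDIT_POLICIES = frozenset({"private", "loggedin", "group", "staff", "superuser"})

def _allowed(policy, group, owner_id, user):
    # Assumption: policies are read literally, with no owner or superuser override.
    if policy in ("public", "unlisted"):
        return True  # unlisted differs from public only in index listing
    if user is None:
        return False  # every remaining policy requires a login
    if policy == "private":
        return owner_id is not None and user.id == owner_id
    if policy == "loggedin":
        return True
    if policy == "group":
        # A null group (for example after SET_NULL) must match nobody.
        return group is not None and group in user.groups
    if policy == "staff":
        return user.is_staff
    if policy == "superuser":
        return user.is_superuser
    return False  # unknown or corrupted policy value: deny

def can_view(dashboard, user):
    return _allowed(dashboard.view_policy, dashboard.view_group, dashboard.owned_by, user)

def can_edit(dashboard, user):
    if dashboard.edit_policy not in EDIT_POLICIES:
        return False  # e.g. "public" written straight to the column
    return _allowed(dashboard.edit_policy, dashboard.edit_group, dashboard.owned_by, user)
```

The cases worth covering in tests are the ones that fail open by accident: a group policy whose group has been nulled, a private dashboard whose owner was deleted, and a view-only policy value stored in the edit column.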

@simonw
Owner Author

simonw commented Mar 21, 2021

The remaining edit work will take place in #44.

@simonw simonw closed this as completed Mar 21, 2021
@simonw simonw unpinned this issue Mar 21, 2021