How to protect objects from deletion in Django?

Question:

I have a settings app inside my project, and every record in the DB table that this app uses represents a particular setting.
It is important that the settings are always consistent, so I'm looking for a way to protect them from accidental deletion by admin-panel users or by buggy code.

Other cases for this feature might be error messages stored in the DB and available for editing in the admin site, or templates for email messages for web-site users.

Possible solutions that I have in mind:
– Store each setting as a table column or multiple columns, so the table will extend column-wise, not row-wise. Pros – simple, reliable, Cons – ugly
– DB-side solution.
– Implement some kind of permissions system which will control access for CRUD operations based on object ownership, like file system permissions in Linux. Pros – less ugly, abstract from DB, Cons – I have no idea yet how to make an easy and elegant implementation of it for Django.

Does anybody have better ideas?

Asked By: Gill Bates

Answers:

The short answer is: if you don’t want someone to have certain database abilities don’t grant them. It appears that you are thinking there are admin panel superusers and everyone else.

Django allows much more fine grained control over Users, Permissions, Authorization, and even Admin Panel privileges. Indeed, too much control to elaborate here when the documentation does such a good job of it.

Answered By: msw

In Django there is no real built-in way (that I am aware of) that prevents “accidental deletion”. If you are using the admin, they do provide confirmation pages whenever you want to delete a record that can help curb the potential problem. As @msw mentioned, the user authentication system is designed to help you enforce permissions, but would not prevent accidental deletions if the individual has the proper permission to begin with…

…an alternative strategy would be to prevent deletions on the database entirely (at the web application level). You can give the “illusion” of a delete from the user’s perspective by flagging and filtering out any “deleted” records to your user. That way, restoring information would be as simple as toggling/resetting the flag in the record. You would have to override the proper deletion signals as well.

Answered By: Joseph Paetz

I’m not sure I completely understood your question, but here it goes:

I see two ways of protecting a model from being deleted:

  • Override the delete() method, and make it check a set of rules that enforce the consistency you require. E.g. if one of the consistency rules fails, you raise an exception to be properly handled.
  • The other is through authorization, aka permissions. You can manage permissions users have to delete particular models, as explained in this answer.

I notice that Django's default permissions API does not support permissions on specific objects, only permissions applied to models. However, there are third-party apps that provide this, such as this one.

Answered By: Jorge Leitao