Fix management UI and API access permissions for #1425

[MyPyDavid]

Description

Related issue: #1425

[MyPyDavid]

this will break the backwards compatibility on the base_navigation template, should I keep the the add_rule in there just to not break the possible deployed custom templates?
Otherwise instance admins would need to update the theme for that. Think that it is better to use add_perm than add_rule..

[jochenklar]

I agree, but can we have both and remove one in RDMO 3?

[jochenklar]

Actually, I think add_rule fits better since this is just a predicate "exposed" to the user instance in views etc. I think we should use add_rule for all things can_... and add_perm for model/object permissions. management.can_view_management has no input model or instance. Same for management.can_upload_files and management.can_import_elements.

ChatGPT explained it nicely:

---

🔹 rules.add_rule(name, function)

• What it does: Registers a predicate function under a name.
• A predicate is just a Python function that takes (user, obj) and returns True or False.
• Predicates are reusable building blocks.
• Example:

import rules

# Define a predicate
@rules.predicate
def is_staff(user):
    return user.is_staff

# Register it under a name
rules.add_rule('is_staff', is_staff)

Now you can reference "is_staff" as a condition in permissions or combine it with others.

---

🔹 rules.add_perm(name, rule)

• What it does: Registers a permission under a name and attaches it to one or more rules (predicates).
• A permission is basically a "named check" that can be used in your app (e.g. in user.has_perm() or decorators).
• Example:

# Define a permission based on our predicate
rules.add_perm('app.view_secret', is_staff)

Now, anywhere in Django, you can do:

user.has_perm('app.view_secret')

and it will use the is_staff predicate internally.

---

✅ Summary

• add_rule → defines a predicate (logic building block).
• add_perm → defines a permission that Django can check, usually built from rules/predicates.

Think of it like this:

• Rule = ingredient
• Permission = finished dish 🍲

---

[jochenklar]

ok now I see that its actually used as a permission in ManagementView so I guess has_perm is the better idea. Maybe we should remove the can_ from the perms then:

management.view_management, management.upload_files, management.import_elements

maybe even management.upload_elements?

Then the naming is consistent and management and elements are kind of "fake" models, if you know what I mean.

[jochenklar]

Same for projects.can_view_all_projects to projects.view_projects.

[MyPyDavid]

ok, Ive renamed the permissions like that. The has_perm is better for when it will be used on a user object anyway..

[MyPyDavid]

this is for the Upload and Import viewsets

[jochenklar]

Nice! I checked the drf and rules code, because I was wondering if there is something like this already. This just introduces the permission_required class attribute in the same way as the regular django views, right? I would rename the class to HasPermission, since also all the other Permissions somehow depend on rules.

[MyPyDavid]

ok, HasPermission it is..

[MyPyDavid]

is the meta used anywhere outside of the management as well??

[jochenklar]

No, I don't thin so.

[jochenklar]

Meta should stay IsAuthenticated since it is just the static information about fields and help texts etc.

[jochenklar]

Very nice, thanks! I have the usual naming requests and the lengthy discussion with myself (and ChatGPT) which I want to share with you 😃

[jochenklar]

I agree, but can we have both and remove one in RDMO 3?

[jochenklar]

Actually, I think add_rule fits better since this is just a predicate "exposed" to the user instance in views etc. I think we should use add_rule for all things can_... and add_perm for model/object permissions. management.can_view_management has no input model or instance. Same for management.can_upload_files and management.can_import_elements.

ChatGPT explained it nicely:

---

🔹 rules.add_rule(name, function)

• What it does: Registers a predicate function under a name.
• A predicate is just a Python function that takes (user, obj) and returns True or False.
• Predicates are reusable building blocks.
• Example:

import rules

# Define a predicate
@rules.predicate
def is_staff(user):
    return user.is_staff

# Register it under a name
rules.add_rule('is_staff', is_staff)

Now you can reference "is_staff" as a condition in permissions or combine it with others.

---

🔹 rules.add_perm(name, rule)

• What it does: Registers a permission under a name and attaches it to one or more rules (predicates).
• A permission is basically a "named check" that can be used in your app (e.g. in user.has_perm() or decorators).
• Example:

# Define a permission based on our predicate
rules.add_perm('app.view_secret', is_staff)

Now, anywhere in Django, you can do:

user.has_perm('app.view_secret')

and it will use the is_staff predicate internally.

---

✅ Summary

• add_rule → defines a predicate (logic building block).
• add_perm → defines a permission that Django can check, usually built from rules/predicates.

Think of it like this:

• Rule = ingredient
• Permission = finished dish 🍲

---

[jochenklar]

No, I don't thin so.

[jochenklar]

Meta should stay IsAuthenticated since it is just the static information about fields and help texts etc.

[jochenklar]

ok now I see that its actually used as a permission in ManagementView so I guess has_perm is the better idea. Maybe we should remove the can_ from the perms then:

management.view_management, management.upload_files, management.import_elements

maybe even management.upload_elements?

Then the naming is consistent and management and elements are kind of "fake" models, if you know what I mean.

[jochenklar]

Same for projects.can_view_all_projects to projects.view_projects.

[jochenklar]

The None is not needed and I would turn it around, check the perm if perm and raise the error at the bottom.

[MyPyDavid]

I now simply return:

        # the viewset needs to set permission_required
        return request.user.has_perm(view.permission_required)

I think it should only be used like that anyway and break when we would forget to set a permission_required on the viewset.

[jochenklar]

Nice! I checked the drf and rules code, because I was wondering if there is something like this already. This just introduces the permission_required class attribute in the same way as the regular django views, right? I would rename the class to HasPermission, since also all the other Permissions somehow depend on rules.

[jochenklar]

Great work! I think we are done here.

[jochenklar]

I think here we can just use {% has_perm 'management.view_management' request.user as can_view_management %} only test_rule should still exist for the legacy templates.

[MyPyDavid]

ah yes, that would work without breaking it! 😅