Permissions

When using the built in routing/views permissions can be set on Dashboard by either adding a permissions_classes e.g:

class AdminDashboard(Dashboard):
    admin_text = Text(value="Admin Only Text")

    class Meta:
        name = "Admin Only"
        permission_classes = [IsAdminUser]

or applying global permissions classes with by adding the following to your settings.py

DASHBOARDS_DEFAULT_PERMISSION_CLASSES = ["dashboards.permissions.IsAdminUser"]

Built in permission classes

All built in permissions function in a similar way to Django’s own PermissionRequiredMixin in that by default they will redirect to settings.LOGIN_URL or the login_url defined on the class.

If a user is logged in but has no access a PermissionDenied with the message from the permission_denied_message included.

AllowAny

Dashboard(s) are accessible to all users (default)

IsAuthenticated

Dashboard(s) are accessible to authenticated users only

IsAdminUser

Dashboard(s) are accessible to authenticated admin (is_staff=True) users only

Custom permissions

For more granular permission control, subclass one of the built in permissions or dashboards.permission.BasePermission. For example:

class UserHasPerm(BasePermission):
    def has_permission(self, request: HttpRequest, dashboard: Dashboard) -> bool:
        return request.user.has_perm('app_name.can_view_dashboards')

    def handle_no_permission(self, request: HttpRequest, dashboard: Dashboard) -> Union[PermissionDenied, HttpResponseRedirect]:
        # or change how an invalid permission is handled.
        return HttpResponseRedirect(reverse("permission_denied"))

Custom views

If you wish to include or combine your dashboards into alternate Django views, you will need to hook up permissions as required. For example, the internal views check at dispatch() with:

has_perm = dashboard_class.has_permissions(
    request=request,
    handle=True
)
if not isinstance(has_perm, bool):
    return has_perm
elif not has_perm:
    raise PermissionDenied()
## continue with access

Note

has_permissions is used, which checks has_permission for all the permission_classes assigned to the dashboard or permissions setting.

handled controls whether or not has_permissions should call handle_no_permission on the permission class or simply return False when has_permission fails.