Permissions in djangocms-versioning

This documentation covers the permissions system introduced for publishing and unpublishing content in djangocms-versioning. This system allows for fine-grained control over who can publish and unpublish or otherwise manage versions of content.

Understanding Permissions

Permissions are set at the content object level, allowing for detailed access control based on the user’s roles and permissions. The system checks for specific methods within the content object, e.g. PageContent to determine if a user has the necessary permissions.

• Specific publish permission (only for publish/unpublish action): To check if a user has the permission to publish content, the system looks for a method named has_publish_permission on the content object. If this method is present, it will be called to determine whether the user is allowed to publish the content.

  Example:

  def has_publish_permission(self, user):
      if user.is_superuser:
          # Superusers typically have permission to publish
          return True
      # Custom logic to determine if the user can publish
      return user_has_permission
  

• Change Permission (and first fallback for has_publish_permission): If the content object has a method named has_change_permission, this method will be called to assess if a user has the permission to change the content. This is a general permission check that is not specific to publishing or unpublishing actions.

  Example:

  def has_change_permission(self, user):
      if user.is_superuser:
          # Superusers typically have permission to publish
          return True
      # Custom logic to determine if the user can change the content
      return user_has_permission
  

• First Fallback Placeholder Change Permission: For content objects that involve placeholders, such as PageContent objects, a method named has_placeholder_change_permission is checked. This method should determine if the user has the permission to change placeholders within the content.

  Example:

  def has_placeholder_change_permission(self, user):
      if user.is_superuser:
          # Superusers typically have permission to publish
          return True
      # Custom logic to determine if the user can change placeholders
      return user_has_permission
  

• Last resort Django permissions: If none of the above methods are present on the content object, the system falls back to checking if the user has a generic Django permission to change Version objects. This ensures that there is always a permission check in place, even if specific methods are not implemented for the content object. By default, the Django permissions are set on a user or group level and include all instances of the content object.

  Note

  It is highly recommended to implement the specific permission methods on your content objects for more granular control over user actions.

Conclusion

The permissions system introduced in djangocms-versioning for publishing and unpublishing content provides a flexible and powerful way to manage access to content. By defining custom permission logic within your content objects, you can ensure that only authorized users are able to perform these actions.