RFC 105: Site setting permissions#105
Conversation
Stormheg
left a comment
Stormheg
left a comment
There was a problem hiding this comment.
This sounds like a sensible approach to me. Well explained with good examples - kudos @gasman 👍 👌
@laymonage what do you think? You have more in-depth knowledge of how the permission system works in Wagtail.
| For this reason, we will preserve the ability to set permissions globally for a settings model via standard Django permission records, and respect these as part of the permission-checking logic. | ||
|
|
||
| This also avoids the complication of performing a data migration to move existing Django permission records to `GroupSitePermission` as part of the rollout of this feature. This would be decidedly non-trivial, especially if we wish to avoid developers having to write their own data migrations as part of upgrading Wagtail (since this would involve having a central migration somewhere within Wagtail that operates on some set of models that isn't known in advance). |
There was a problem hiding this comment.
Thanks for the well-written RFC! Seems sensible and fairly straightforward to fit into the current state of play for permissions.
If we had the first bit of #102 (registry for permission policies), it would make it easier to swap the SitePermissionPolicy for projects that do need it. But I don't think that'd be necessary for most use cases.
Perhaps the quirk of "site setting records are created when they are first saved" will impact how we proceed with #102, but for now I'm happy for us to work on SitePermissionPolicy first.
Edit: @Stormheg you beat me to it 😆
|
|
||
| On submitting the form, a `SitePermissionPolicy` record will be created for each item checked, corresponding to the `change_...` permission for the given settings model and the given site. | ||
|
|
||
| Additionally, settings models will continue to be listed in the "Object permissions" section of the page, as they are now, to allow granting the permission globally for all sites. We should consider extending the `register_permissions` hook to allow passing help text to display here, to explain the difference between this checkbox and the site-by-site options. For example, this might read: "Allow changing social media settings globally for all sites. To set this on a per-site basis, see 'Social media settings permissions' below." |
There was a problem hiding this comment.
I agree, without this it'd be confusing to users as they wouldn't know the difference between the two, as well as the implications of enabling the setting's model permission.
|
I see this has been approved plenty so will merge this now. Nice one! |
4 participants
Rendered
Currently, permissions on site settings are governed by a standard global Django permission record on the model, meaning that users have edit permission for the settings of all sites, or none. This does not fit well with organisational structures where a member of staff has overall responsibility for one particular site. This RFC proposes a new permission model where groups can be assigned permissions at the level of individual sites.