complicated permissions


jondykeman

Sep 9, 2012, 10:55:47 PM
to django...@googlegroups.com
Hi Everyone, 

I was hoping to get some input on how other people deal with complicated permission situations. I have banged my head against these concepts, and I think I need some fresh eyes.

- User accounts can create and manage their own content.
- Users that are part of the same company can view the content created by Users at the company; however, they can only edit if given permission.
- Users from different companies can share their content as either read or read/write with Users at other companies.

Things I have thought about are:

- Of course using object level permissions
- Maybe using many-to-many to assign all of the different layers groupings a record would fall under.
- How to allow sharing of content outside the company - should they be able to send an invite based on e-mail to share the content? as a lookup of everyone in the system wouldn't be appropriate.
- How to control the read vs. write views

Any kind of help would be greatly appreciated. I have struggled to wrap my head around the "right" way for a long time.

JD


Dan Gentry

Sep 10, 2012, 10:20:17 AM
to django...@googlegroups.com
Complicated indeed!

I once worked on a similar project that tackled the first 2 requirements as part of a multi-tenant application, storing both the userID and company ID for each detail record (content).  Plus, the user profile was extended to tie a User record to one or more companies.  

For your third requirement, sharing between companies, I would imagine a many-to-many relationship on a per-record basis that recorded any sharing that was set up.

All of this permission stuff would have to be checked in your views - a mixin would be appropriate with class-based views.
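
The data model described in the reply above (owner and company ID stored on each record, plus per-record sharing rows), as an added example that is not part of the thread: the access decision a view or mixin would make, written in plain Python so it runs without Django. All class and function names are hypothetical; in a Django project the grants would be rows in a many-to-many through table and the denial would be `django.core.exceptions.PermissionDenied`.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # default: deny
    READ = 1
    WRITE = 2  # read/write


@dataclass(frozen=True)
class User:
    id: int
    company_ids: frozenset  # a user may be tied to one or more companies


@dataclass
class Record:
    owner_id: int
    company_id: int
    # Per-record sharing (the many-to-many rows): user id -> Access
    user_grants: dict = field(default_factory=dict)


def effective_access(user, record):
    """Return the highest access any rule gives; no matching rule means NONE."""
    if user.id == record.owner_id:
        return Access.WRITE                    # owners manage their own content
    levels = [Access.NONE]
    if record.company_id in user.company_ids:
        levels.append(Access.READ)             # colleagues may view, not edit
    levels.append(record.user_grants.get(user.id, Access.NONE))
    return max(levels)


def require(user, record, needed):
    """Call before the view touches the record; raises instead of returning False."""
    if effective_access(user, record) < needed:
        raise PermissionError("access denied")
    return record


# Constructed sample data
alice = User(1, frozenset({10}))   # owner
bob = User(2, frozenset({10}))     # same company as the record
carol = User(3, frozenset({20}))   # other company, shared read-only
dave = User(4, frozenset({30}))    # other company, nothing shared
doc = Record(owner_id=1, company_id=10, user_grants={3: Access.READ})
```

Checking against the record's own `owner_id` and `company_id` on every request, rather than trusting an ID from the URL or form, is what keeps one tenant from reading another's rows.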

Brian Schott

Sep 10, 2012, 7:01:58 PM
to django...@googlegroups.com
If you are looking for a pre-canned solution, look at django-guardian.  It implements object-level permission for users and groups.  You just create arbitrary permissions in the meta class of your models and can test them in your templates and/or views.  It has admin view support, template tags, and recently mixin wrappers for class-based views.  
