Object Level Access Rules


by way of 51183341@gmx.at

Jan 27, 2023, 9:18:15 AM1/27/23
to Django users
Hello,

We need some kind of access control on an object basis, so that the user and
his groups determine which objects he can see.

It is not practical to define this on the individual objects, but
instead generic access rules should be used.
For example User Group UA is only allowed to see products of the groups
GA1 and GA2. (where product groups is a field of the model)

In essence we would need something like Row Level Security in
Postgresql [1] but within the django orm, since we do not want to
replicate all django users / groups into the database

[1] https://www.postgresql.org/docs/15/ddl-rowsecurity.html

I have seen django-guardian and django-rules and others but they seem to
build on the Django standard Object Level Permission interface, which is
located on the presentation layer instead of the database layer.
This is fine for altering the GUI but can be dangerous if checks in the
view / template are forgotten. Also those checks have to be redundant
in the API views.

Is there something like this I did not find?

If not, I am thinking about creating an app that introduces an Objects
Manager that requires the user in the get_queryset method and applies
filters according to the rules for the user.

Thoughts on that?

Thanks.

--
Greg
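The rule-based manager Greg proposes, modelled as an added example that is not from the original post and not Django code: the model and manager are replaced by in-memory stand-ins so it runs without a database, the rule table ACCESS_RULES, the users and the products are constructed sample data, and the repository's only read path takes the user, so the row filter lives in the data-access layer and cannot be forgotten in a view or an API endpoint. The comment next to the filter line gives the Django ORM expression it stands for.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


# Constructed sample data (not from the original post). Products carry a
# product_group field, exactly as the post assumes for the model.
@dataclass(frozen=True)
class Product:
    pk: int
    name: str
    product_group: str


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]


# Generic access rules keyed by user group, not by individual object:
# "user group UA may only see products of product groups GA1 and GA2".
# Hypothetical rule table; in Django this would be its own model.
ACCESS_RULES: Dict[str, FrozenSet[str]] = {
    "UA": frozenset({"GA1", "GA2"}),
    "UB": frozenset({"GA2", "GA3"}),
}


def allowed_product_groups(user: User) -> FrozenSet[str]:
    """Union of the product groups granted by any of the user's groups.

    Deny by default: a user whose groups match no rule sees nothing.
    """
    allowed: Set[str] = set()
    for group in user.groups:
        allowed |= ACCESS_RULES.get(group, frozenset())
    return frozenset(allowed)


class ProductRepository:
    """Stand-in for the proposed Objects Manager.

    There is deliberately no all() that returns unfiltered rows: every read
    goes through for_user(), so forgetting the check is a TypeError at the
    call site rather than a silent data leak.
    """

    def __init__(self, rows: Iterable[Product]):
        self._rows: List[Product] = list(rows)

    def for_user(self, user: User) -> List[Product]:
        groups = allowed_product_groups(user)
        # Django equivalent: queryset.filter(product_group__in=groups)
        return [p for p in self._rows if p.product_group in groups]

    def can_see(self, user: User, pk: int) -> bool:
        """Single-object lookups reuse the same filter, so a guessed pk
        outside the user's product groups looks like a missing object."""
        return any(p.pk == pk for p in self.for_user(user))

    def get(self, user: User, pk: int) -> Product:
        for p in self.for_user(user):
            if p.pk == pk:
                return p
        # Same error for "does not exist" and "not permitted", like a 404.
        raise LookupError(f"product {pk} is not visible to {user.username}")


# Constructed sample rows and users.
PRODUCTS = ProductRepository([
    Product(1, "widget", "GA1"),
    Product(2, "gadget", "GA2"),
    Product(3, "gizmo", "GA3"),
    Product(4, "doohickey", "GA4"),
])
ALICE = User("alice", frozenset({"UA"}))          # sees GA1, GA2
BOB = User("bob", frozenset({"UA", "UB"}))        # sees GA1, GA2, GA3
CAROL = User("carol", frozenset())                # no rule: sees nothing


def visible_pks(user: User) -> List[int]:
    """Primary keys the user may see, in table order."""
    return [p.pk for p in PRODUCTS.for_user(user)]


if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.username, "->", visible_pks(u))
```

In a real Django app the same shape holds: the manager exposes a `for_user(user)` method that builds the `Q(product_group__in=...)` filter from the rule table, the default manager is not used for reads, and both template views and API views call `for_user`, so the rule is written once and enforced at the queryset rather than in each view.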