Advanced permissions and role creation


Joel Mathew

Apr 21, 2019, 2:12:42 AM
to django...@googlegroups.com
I have an application for a hospital. There, I should be able to assign different roles like Doctor, Nurse, Attender, Auxiliary Nurse, Pharmacist, Store Manager etc., each of which would be having specific access to separate areas (views), with some having restricted access. In addition, there are other hospitals who would be having no access to another hospital's records. All of these permissions should be customisable, and I should be able to create additional roles and permission groups for specific areas later (from within the application itself, in production). What would be the best solution to use? Is there a middleware which works well? I don't want to roll my own if I will be reinventing the wheel.

Currently my application has no use permissions. But access to specific hospitals is being restricted by a model which stores hospital name, and user name.
Sincerely yours,

 Joel G Mathew

Sithembewena L. Dube

Apr 21, 2019, 2:20:25 AM
to django...@googlegroups.com
For roles and permissions management, I would stick with Django's Auth application (django.contrib.auth).

It sounds like you ought to read up on how to design and build a multi-tenancy SaaS project in Django. I cannot recommend any one resource, so you'll have to do some searching and see what fits the bill for you.

Kind regards,
Sithu



Mike Dewhirst

Apr 21, 2019, 4:15:19 AM
to django...@googlegroups.com
On 21/04/2019 12:11 pm, Joel Mathew wrote:
> I have an application for a hospital. There, I should be able to
> assign different roles like Doctor, Nurse, Attender, Auxiliary Nurse,
> Pharmacist, Store Manager etc., each of which would be having specific access
> to separate areas (views), with some having restricted access. In
> addition, there are other hospitals who would be having no access to
> another hospital's records. All of these permissions should be
> customisable, and I should be able to create additional roles and
> permission groups for specific areas later (from within the
> application itself, in production). What would be the best solution to
> use? Is there a middleware which works well. I don't want to roll my
> own if I will be reinventing the wheel.
Joel

I use Django Admin and contrib.auth. The Admin lets a superuser add a
new auth.group (i.e., a role) and assign specific (other) model(s)
editing rights to it. Then users can be given membership of certain groups.

I control access to corporate data by assigning a one-to-one
relationship between any user and their particular company. Where a user
needs access to data across more than one company I force them to have
separate logins related one each to those companies. Companies need to
know they control access to their own data. Only consultants (perhaps
agency nurses in your scenario) need multiple logins. The Admin lets you
modify the queryset of records to filter out everything except the data
that user is entitled to see.

There are also mechanisms to show permitted data read-write or readonly
depending on role membership. I did my own for Django 1.11 but I notice
a later version seems to have specific read-only permissions assignable
to auth.groups. Not absolutely sure about that. I'm sticking with 1.11
for a little while yet.

My roles are
    admin
    author
    authority
    consumer
    editor
    manager

And in my common.utils I have ...

def is_member(user, name):
    return user.groups.filter(name=name).exists()   # or user.is_superuser

def is_admin(user, name='admin'):
    return is_member(user, name)

def is_author(user, name='author'):
    return is_member(user, name)

def is_authority(user, name='authority'):
    return is_member(user, name)

def is_consumer(user, name='consumer'):
    return is_member(user, name)

def is_editor(user, name='editor'):
    return is_member(user, name)

def is_manager(user, name='manager'):
    return is_member(user, name)

>
> Currently my application has no use permissions. But access to
> specific hospitals is being restricted by a model which stores
> hospital name, and user name.

I have a specific company model for company info and a user.userprofile
model which links a user to a company. I'm not using a custom user model
in this project but I doubt I would have done it much differently if I had.

hth

Mike



Jani Tiainen

Apr 21, 2019, 10:28:42 AM
to django...@googlegroups.com
Hi,

We use pretty much the same approach in our applications as Mike proposed in his post. It's relatively efficient, works pretty well for both the UI and the application side, and doesn't require building anything complex; pretty much everything you need is already built into Django.





--
Jani Tiainen
Software wizard


Always open for short term jobs or contracts to work with Django.

Joel Mathew

Apr 21, 2019, 11:08:05 AM
to django...@googlegroups.com

Balaji Shetty

Apr 23, 2019, 11:23:40 AM
to django...@googlegroups.com
Hi

Did you get any particular solution? I am also facing the same problem. My project also has the same requirement.

I think this problem must have been faced by every developer.

Can you please share the solution or any useful internet resource?




--
Mr. Shetty Balaji S.
Asst. Professor
Department of Information Technology,
SGGS Institute of Engineering & Technology, Vishnupuri, Nanded.MH.India
  Mobile: +91-9270696267

Mike Dewhirst

Apr 25, 2019, 12:57:06 AM
to Django users
On 23/04/2019 9:22 pm, Balaji Shetty wrote:
> Hi
>
> Did you get any particular solution? I am also facing the same
> problem. My project also has the same requirement.
>
> I think this problem must have been faced by every developer.
>
> Can you please share the solution or any useful internet resource?

from django.contrib.auth.models import Group, User
from django.db import models

class UserProfile(models.Model):

    user = models.OneToOneField(User, related_name='userprofile',
        on_delete=models.CASCADE)
    company = models.ForeignKey('Company', null=True, blank=True,
        on_delete=models.CASCADE,
        help_text='Each user may only be associated with '
        '<strong>one</strong> company.')

    ...

    def __str__(self):
        # username followed by group names and staff/superuser/inactive flags
        grps = u''
        superuser = u''
        if self.user.is_staff:
            superuser = u' [Staff]'
        if self.user.is_superuser:
            superuser = u' [Superuser]'
        if not self.user.is_active:
            superuser += u' [Inactive]'
        groups = Group.objects.filter(user=self.user).order_by('name')
        if groups:
            grps = u', '.join(x.name for x in groups)
        if grps:
            grps = u' (%s)' % grps
        grps += superuser
        return u'%s%s' % (self.user, grps)

And in company admin.py

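from django.contrib import admin
from django.db.models import Q

from common.utils import get_user_company

class CompanyAdmin(admin.ModelAdmin):

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #
    def get_queryset(self, request):
        qs = super(CompanyAdmin, self).get_queryset(request)
        if request.user.is_superuser:
            return qs
        coy = get_user_company(request)
        if coy:
            return qs.filter(
                Q(id=coy.id)
            ).distinct()
        # no company on the user's profile: show nothing rather than return None
        return qs.none()
    #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #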

And imported from common utils ...

from django.contrib.auth.models import User

def get_user_company(request):
    """Return the company of which the user is a member. Company is kept
    in the UserProfile fk company. Typically used in get_queryset.filter()
    calls made in various places to restrict a user's view to things owned
    by that user's company.
    """
    profile = get_userprofile(request)
    if profile:
        try:
            return profile.company
        except Exception:
            # happens on deleting the company
            pass

def get_userprofile(request):
    """Return the userprofile from a user or request"""
    from company.models import UserProfile  # avoid circular imports
    if isinstance(request, User):
        usr = request
    else:
        usr = request.user
    if usr:
        try:
            return UserProfile.objects.get(user=usr)
        except Exception:
            # happens on deleting the user
            pass

And determining which fields are readonly depending on group membership
is a matter of writing a callable which replaces
ModelAdmin.get_readonly_fields and for which you need ...

def is_member(user, name):
    return user.groups.filter(name=name).exists()   # or user.is_superuser

hth



>
> On Sun, Apr 21, 2019 at 4:37 PM Joel Mathew <jo...@eyrie.in> wrote:
>
> Thanks a lot, guys.
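
The group-dependent replacement for ModelAdmin.get_readonly_fields that Mike describes, as an added example that is not code from the thread. `RoleReadonlyMixin`, `editable_by_group`, the field names and the stand-in classes are assumptions; the stand-ins replace Django's groups manager, ModelAdmin and request so the block runs without Django installed.

```python
from types import SimpleNamespace


class RoleReadonlyMixin:
    """Hypothetical mixin; list it before admin.ModelAdmin in the bases."""
    # Assumed mapping: group name -> fields that group may edit. Anything
    # not granted here is rendered read-only (deny by default).
    editable_by_group = {"editor": ("notes",), "manager": ("notes", "company")}

    def get_readonly_fields(self, request, obj=None):
        base = tuple(super().get_readonly_fields(request, obj))
        user = request.user
        if user.is_superuser:
            return base
        names = set(user.groups.values_list("name", flat=True))
        allowed = {f for g, fs in self.editable_by_group.items() if g in names for f in fs}
        # A record owned by another company is never editable, whatever the role.
        company = getattr(getattr(user, "userprofile", None), "company", None)
        if obj is not None and (company is None or obj.company != company):
            allowed = set()
        # Requires an explicit `fields` tuple on the admin class.
        locked = (f for f in self.fields if f not in base and f not in allowed)
        return base + tuple(locked)


# Constructed stand-ins for Django's groups manager, ModelAdmin and request.
class FakeGroups:
    def __init__(self, names):
        self.names = list(names)

    def values_list(self, field, flat=False):
        return list(self.names)


class FakeAdminBase:
    def get_readonly_fields(self, request, obj=None):
        return ("id",)


class RecordAdmin(RoleReadonlyMixin, FakeAdminBase):
    fields = ("id", "company", "notes")


def make_request(groups=(), company=None, superuser=False):
    user = SimpleNamespace(is_superuser=superuser, groups=FakeGroups(groups),
                           userprofile=SimpleNamespace(company=company))
    return SimpleNamespace(user=user)
```

Read-only fields only shape the admin form, so this belongs alongside the get_queryset filter shown in the thread rather than in place of it.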

Mike Dewhirst

Apr 25, 2019, 8:13:00 AM
to Django users
On 23/04/2019 9:22 pm, Balaji Shetty wrote:
> Hi
>
> Did you get any particular solution? I am also facing the same problem. My project also has the same requirement.
>
> I think this problem must have been faced by every developer.
>
> Can you please share the solution or any useful internet resource?

I noticed the message was mangled so I have reformatted the worst bits ...


Balaji Shetty

Apr 25, 2019, 8:46:36 AM
to django...@googlegroups.com
Dear Mike Dewhirst,

Thank you very much for your nice reply. I will try it.




--
Mr. Shetty Balaji S.
Asst. Professor
Department of Information Technology,
SGGS Institute of Engineering & Technology, Vishnupuri, Nanded.MH.India
  Mobile: +91-9270696267
