This is a tricky question, we’ve been talking about this for a while (days) and haven’t found a convincingly good solution. This is the situation:
- We have users and groups. A user can belong to many groups (many to many relation)
- There are certain parts of the site that need access control, but:
- There are certain ROWS of certain tables that need access control, i.e. a certain user (or certain group) should not be able to delete a certain row, but other rows of the same table could have a different permission setting for that user (or group)
Is there an easy way to accomplish this? Are we missing something?
We need to implement this in python (if that’s any help).
1) create a table with rights, i.e. delete, update, etc.
2) create a three-way pivot table on the rights table, whatever table you want row-level access for and whatever table contains the unit of access rights (either group or user).
3) check for a relationship in the pivot table before you allow the operation to proceed.
your rights table could look like:
the table that you want row level access control for could look like (say a blog for example):
and your user table could be:
Then the pivot table would be like
This means that Bob can only update blog entry 1 but Alice can update or delete either blog entry
EDIT: If you want a right to come from the user or the group then you need two pivot tables for each table; one for users and one for groups. You will also have to query the database to check for user level rights and group level rights before you allow or disallow an operation
EDIT2: This is more complicated than David’s solution but doesn’t require you to compose permission_classes ahead of time: you can mix and match whatever group level and user level permissions you want which is what it seems like you want to do.
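Here is an added example, not part of the answer above, that carries the three steps through in Python with sqlite3, including the separate user-level and group-level pivot tables from the EDIT and the check in step 3 that consults both before a delete is allowed. Every table and column name (app_users, app_groups, blog_user_rights, blog_group_rights, and so on) is an assumption made for this illustration, and the sample rows are constructed to match the Bob/Alice case in the answer, plus a third user who gets a right only through a group.

```python
"""Row-level access control via a rights table and per-row pivot tables.

Added example, not code from the original answer. Table and column names are
assumptions chosen for this illustration; the sample data is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE app_users  (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE app_groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
-- many-to-many: a user can belong to several groups
CREATE TABLE user_groups (
    user_id  INTEGER NOT NULL REFERENCES app_users(id),
    group_id INTEGER NOT NULL REFERENCES app_groups(id),
    PRIMARY KEY (user_id, group_id)
);
-- step 1: the rights table
CREATE TABLE rights (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
-- the table we want row-level control over
CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
-- step 2: three-way pivot tables, one keyed by user and one keyed by group
CREATE TABLE blog_user_rights (
    blog_id  INTEGER NOT NULL REFERENCES blog(id),
    user_id  INTEGER NOT NULL REFERENCES app_users(id),
    right_id INTEGER NOT NULL REFERENCES rights(id),
    PRIMARY KEY (blog_id, user_id, right_id)
);
CREATE TABLE blog_group_rights (
    blog_id  INTEGER NOT NULL REFERENCES blog(id),
    group_id INTEGER NOT NULL REFERENCES app_groups(id),
    right_id INTEGER NOT NULL REFERENCES rights(id),
    PRIMARY KEY (blog_id, group_id, right_id)
);
"""

# Constructed sample data: Bob may only update blog entry 1, Alice may update
# or delete either entry (as in the answer); Carol holds delete on entry 2
# only through the "editors" group.
SAMPLE = """
INSERT INTO app_users  VALUES (1,'bob'),(2,'alice'),(3,'carol');
INSERT INTO app_groups VALUES (1,'editors');
INSERT INTO user_groups VALUES (3,1);
INSERT INTO rights VALUES (1,'update'),(2,'delete');
INSERT INTO blog   VALUES (1,'first post'),(2,'second post');
INSERT INTO blog_user_rights VALUES
    (1,1,1),            -- bob: update entry 1
    (1,2,1),(1,2,2),    -- alice: update + delete entry 1
    (2,2,1),(2,2,2);    -- alice: update + delete entry 2
INSERT INTO blog_group_rights VALUES (2,1,2);  -- editors: delete entry 2
"""


def build_db():
    """Create an in-memory database with the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


# Step 3: one query that looks for a matching row in either pivot table.
HAS_RIGHT_SQL = """
SELECT 1 FROM rights r
WHERE r.name = :right_name
  AND (
    EXISTS (SELECT 1 FROM blog_user_rights bur
            WHERE bur.blog_id = :row_id AND bur.user_id = :user_id
              AND bur.right_id = r.id)
    OR EXISTS (SELECT 1 FROM blog_group_rights bgr
               JOIN user_groups ug ON ug.group_id = bgr.group_id
               WHERE bgr.blog_id = :row_id AND ug.user_id = :user_id
                 AND bgr.right_id = r.id)
  )
LIMIT 1
"""


def has_right(conn, user_id, right_name, blog_id):
    """True if the user holds the right on that row, directly or via a group."""
    params = {"user_id": user_id, "right_name": right_name, "row_id": blog_id}
    return conn.execute(HAS_RIGHT_SQL, params).fetchone() is not None


def delete_blog_entry(conn, user_id, blog_id):
    """Perform the delete only when the check passes; refuse otherwise."""
    if not has_right(conn, user_id, "delete", blog_id):
        return False
    # drop the pivot rows for this entry first so the foreign keys stay valid
    conn.execute("DELETE FROM blog_user_rights WHERE blog_id = ?", (blog_id,))
    conn.execute("DELETE FROM blog_group_rights WHERE blog_id = ?", (blog_id,))
    cur = conn.execute("DELETE FROM blog WHERE id = ?", (blog_id,))
    return cur.rowcount == 1


if __name__ == "__main__":
    db = build_db()
    print("bob update 1:", has_right(db, 1, "update", 1))
    print("bob delete 1:", has_right(db, 1, "delete", 1))
    print("carol delete 2 (via group):", has_right(db, 3, "delete", 2))
    print("carol deletes 2:", delete_blog_entry(db, 3, 2))
```

The check runs in the database rather than in application code, so adding a new right is a row in `rights` plus pivot rows, with no new permission classes. The one thing to keep in mind is that the check and the delete should run in the same transaction if the pivot rows can change concurrently.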