The scenario is multiple companies each with their own users to edit
corporate information. Companies have divisions each with their own
assets and associated information.
I'm envisaging at least one corporate admin who can adjust anything for
a company but there must also be divisional users who can edit only
divisional information. Some divisional users must be able to edit
information for more than one division.
I can see how to provide pages with the target information for users via
a view. But I can't see how to prevent access to logged in users who can
figure out the URLs for information they aren't supposed to access.
1. Do I have to create many-to-many relationships and before serving a
page make sure the user making the request is "permitted" to see it?
2. Would it be better to establish named auth.groups and create the
many-to-many relationships between them and the divisions?
I have been thinking about naming users or groups to include the company
domain name and/or division "sub-domain" names to avoid extra database
lookups.
3. What is the purpose of Django object permissions? Is that an existing
framework for the sort of many-to-many relationships I think I need.
This must have all been done before. Is there a design pattern someone
can point me to?
Thanks for reading this far. Any hints appreciated.
Mike
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
No comments:
Post a Comment