Thursday, January 26, 2023

Object Level Access Rules

Hello,

We need some kind of access control on an object basis, so that the user and
his groups determine which objects he can see.

It is not practical to define this on the individual objects, but
instead generic access rules should be used.
For example, user group UA is only allowed to see products of the groups
GA1 and GA2 (where product group is a field of the model).

In essence we would need something like Row Level Security in
PostgreSQL [1] but within the Django ORM, since we do not want to
replicate all Django users / groups into the database.

[1] https://www.postgresql.org/docs/15/ddl-rowsecurity.html

I have seen django-guardian and django-rules and others, but they seem to
build on the Django standard Object Level Permission interface, which is
located on the presentation layer instead of the database layer.
This is fine for altering the GUI but can be dangerous if checks in the
view / template are forgotten. Also those checks have to be redundant
in the API views.

Is there something like this I did not find?

If not, I am thinking about creating an app that introduces an objects
manager that requires the user in the get_queryset method and applies
filters according to the rules for the user.

Thoughts on that?

Thanks.

--
Greg

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20230127074915.6227f5cc%40florenz.
