I'm working on a product that allows different schools to administer their content online.
Part of this involves setting up a role based access control logic which I've written myself. Essentially, each school has its own set of roles that have their own set of permissions. A user of the software could belong to mulitple schools with differing roles at any given time.
For various reasons, I want to ditch this and instead use Django's Groups and Permissions together with a library like django-guardian. The problem that I am facing is how should I go about extending the Groups model such that I can include a Foreign Key to each new school and still be able to use the helper methods in Django and also libraries like django-guardian.
One possibly approach I came up with is to simply create groups based on event names such as 'School 1 - Admin', 'School 1 - Teacher', 'School 2 - Admin', 'School 2 - Teacher' and query permissions based on this instead. Is there a good reason why I shouldn't do it this way?
Upon closer inspection, django-guardian was able to solve my needs. I wrote about my full implementation here: http://pragmaticstartup.wordpress.com/2012/06/26/django-guardian-a-full-access-control-logic-acl-example/
Why not mix both approaches in? Django model allows for inheritence. First define the
Role
model, with allowed roles and a school model.You can then inherit a new model from
django.contrib.auth.Group
say GroupRole. Django will create a new db table for your model only containing the properties not originally in group with a foreignkey to the appropriate group with constraints. Even better, you will get an automatic reverse relationship to the original group model, so you can write something like:On a fun note, the relationship is reflective so something like this is valid if not too useful:
If you get a base group instance that does not have a grouprole proxy associated with it then you will get an exception thrown:
Alternatively you can override this behavior to return None instead of raising an exception or even provide a default GroupRole instead.