David Ascher wrote:
> I'm trying to figure out how best to do per-user data (think of the
> relationship between users and her photos on flickr).
>
> I notice that there's a nifty concept of "permissions", which in some ways
> is per-user binary data. There is also the mostly undocumented (?)
> get_profile() call, which might or might not be relevant.
>
> Is the right thing for me to do to dig into the sites & the concept of
> profile?
>
> In this particular app, there is no need for any one user to need to be able
> to view any other user's data.
>
> I can do it all "by hand" by looking through a big table indexing by userid,
> but I'm wondering if there's a Best Practice out there that I should know
> about before I start building my own infrastructure....
>
> Cheers,
>
> --david
>
The best way to do this is to have a ForeignKey to auth.User on the top level object of your per user data. And then do the permission checking in your view functions. This can be eased by adding custom functions to your model.

The permissions atm do not deal with anything more granular than a class/table level. You might want to look back in the archives for the ACL flamewar,
http://groups.google.co.uk/group/django-developers/browse_thread/thread/7dca63383b948d7b/2a179f3917372882?q=acl&rnum=1#2a179f3917372882

I do hope to fix this in a sensible way eventually with a default model oriented security system, with mixins providing an easy way to add crazy things like ACL systems. But probably not for 1.0.
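The pattern described in the reply above (an owner foreign key on the top-level object, model-level helper functions, and the check made in the view), as an added example that is not part of the original thread. It uses the standard-library sqlite3 module in place of Django's ORM so that it runs on its own; the table, function and exception names are hypothetical and the rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE user  (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
        -- owner_id plays the role of the ForeignKey to auth.User
        CREATE TABLE photo (id INTEGER PRIMARY KEY,
                            owner_id INTEGER NOT NULL REFERENCES user(id),
                            title TEXT NOT NULL);
        INSERT INTO user  VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO photo VALUES (10, 1, 'alice-beach'), (11, 1, 'alice-cat'),
                                 (20, 2, 'bob-passport');
    """)
    return db

class NotFound(Exception):
    """Raised for missing rows and for rows owned by someone else."""

def photos_for(db, user_id):
    """Model-level helper: listing is always scoped to one owner."""
    cur = db.execute(
        "SELECT id, title FROM photo WHERE owner_id = ? ORDER BY id", (user_id,))
    return cur.fetchall()

def get_owned_photo(db, user_id, photo_id):
    """Model-level helper: the owner is part of the lookup itself,
    so a forgotten check cannot return another user's row."""
    row = db.execute(
        "SELECT id, title FROM photo WHERE id = ? AND owner_id = ?",
        (photo_id, user_id)).fetchone()
    if row is None:
        raise NotFound(photo_id)
    return row

def photo_detail_view(db, session_user_id, photo_id):
    """View: identity comes from the authenticated session, and only
    the object id comes from the request."""
    try:
        _, title = get_owned_photo(db, session_user_id, photo_id)
    except NotFound:
        # Same answer for "does not exist" and "not yours".
        return 404, "not found"
    return 200, title

if __name__ == "__main__":
    db = make_db()
    print(photo_detail_view(db, 1, 10))  # alice reads her own photo
    print(photo_detail_view(db, 1, 20))  # alice asks for bob's photo
```

In Django the same shape would be a lookup filtered on both the primary key and the owner field, with the user taken from the request's authenticated session.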