On 15 December 2016 at 03:43, Avraham Serour <tovm...@gmail.com> wrote:
> Hi,
>
> I've given a lot of thought on this, I have also searched for django apps
> that deal with permissions, I didn't find something that implements
> hierarchical object level permissions, I have a feeling that I am
> overcomplicating things if none did this...
>
> Well, first of all I thought of creating a through table for the Object and
> user relation, so permission should have a value (how should I name this?
> level?)

Or "type" (1=read, 2=write, 0=no permission).

It's up to you. ;-)


>
> Actually the module would be the root level, so
> Module->project->project->project->task->task->task
>
> So a user with permissions to a project has also permissions for its
> subprojects and tasks.

This is exactly what I meant by "clear rules". This is one of them. :-)

>
> What do you mean floor?

Using your example above: Module (1st floor)->project (2nd
floor)->project (3rd floor)->project (4th floor)->task (5th
floor)->task (6th floor)->task (7th floor)

"Floor" would be "the level in hierarchy one given object belongs to".

Anyone with write level on the 1st floor, will have the same access on
2nd, 3rd, 4th, 5th, 6th and 7th as well. Otherwise you allow it to be
overridden.

Anyone with write level on the 5th floor, will have the same access on
6th and 7th.

Did you get it?


>
> mptt seems a very nice solution but...
>
> To check an object permission I would need to get the first ascendent with
> permissions registered, with django-mptt I can get all ascendents, this
> could be a problem if the object is too deep.

It'll depend how deep an object can be and the number of children an
object could have.


> I then would need to loop through the ascendents and check if there are
> permissions registered for the current user, this would make yet another
> query, the permissions are on another table

Maybe let the DB solve this through join?

>
> Also, I'm not sure how I would list the objects the user can read for
> example, opening an project page should list only the tasks and subprojects
> the user can read.
> Of course if I can loop all tasks to get the ones the user can read, but this
> would be prohibitively slow, how can I do this with django mptt in one query?

I don't know django-mptt but maybe you should start reading from your
permissions table and, based on permissions, get which objects the
user could see.

I should know more about your requirements. It's complicated to
explain it here. If you want, call me at http://telegram.me/viniciusban

Talking in pt_BR is better in this case for me.

>
> On the other hand the idea of copying the parent permission when an object
> is created have cheap reads, not so expensive writes but I'm afraid would
> make a too big permissions table (number of users X number of lines for most
> tables)

Maybe that's the price to pay.

But I think it won't be too expensive in terms of performance.

>
> Thanks for the considerations
> Avraham

You're welcome.

--
Vinicius
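
The inheritance-with-override rule discussed in this message, resolved by the database in one query, as an added example that is not part of the original thread. It uses Python's sqlite3 and a recursive CTE rather than the Django ORM or django-mptt; the table names, column names and sample rows are assumptions, and a node with no grant anywhere on its path is denied.

```python
import sqlite3

NODES = [  # constructed sample data: (id, parent_id, name)
    (1, None, "module"),
    (2, 1, "project A"),
    (3, 2, "subproject A1"),
    (4, 3, "task A1.1"),
    (5, 1, "project B"),
    (6, 5, "task B.1"),
]
PERMS = [  # (username, node_id, level); 0 = none, 1 = read, 2 = write, as in the thread
    ("ana", 2, 2),   # write on project A and everything below it...
    ("ana", 3, 0),   # ...except subproject A1, overridden to no access
    ("ana", 6, 1),   # read on a single task in project B
]

EFFECTIVE = """
WITH RECURSIVE eff(id, level) AS (
    SELECT n.id, COALESCE(p.level, 0)          -- roots: explicit grant or deny
    FROM node n
    LEFT JOIN perm p ON p.node_id = n.id AND p.username = :u
    WHERE n.parent_id IS NULL
  UNION ALL
    SELECT n.id, COALESCE(p.level, eff.level)  -- own grant overrides the parent's
    FROM eff
    JOIN node n ON n.parent_id = eff.id
    LEFT JOIN perm p ON p.node_id = n.id AND p.username = :u
)
SELECT id, level FROM eff
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT)")
    db.execute("CREATE TABLE perm (username TEXT, node_id INTEGER, level INTEGER)")
    db.executemany("INSERT INTO node VALUES (?, ?, ?)", NODES)
    db.executemany("INSERT INTO perm VALUES (?, ?, ?)", PERMS)
    return db

def effective_levels(db, username):
    """Map every node id to the user's effective level, in one query."""
    return dict(db.execute(EFFECTIVE, {"u": username}))

def readable_ids(db, username, min_level=1):
    """Ids the user may list; nodes with no grant on their path stay denied."""
    return sorted(i for i, lvl in effective_levels(db, username).items() if lvl >= min_level)

if __name__ == "__main__":
    print(readable_ids(build_db(), "ana"))
```
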
