Hello,

We need some kind of access control on an object basis, so that the user and his groups determine which objects he can see.
It is not practical to define this on the individual objects, but instead generic access rules should be used. For example, user group UA is only allowed to see products of the groups GA1 and GA2 (where product group is a field of the model).

In essence we would need something like Row Level Security in PostgreSQL [1], but within the Django ORM, since we do not want to replicate all Django users / groups into the database.

[1] https://www.postgresql.org/docs/15/ddl-rowsecurity.html

I have seen django-guardian and django-rules and others, but they seem to build on the Django standard Object Level Permission interface, which is located on the presentation layer instead of the database layer. This is fine for altering the GUI but can be dangerous if checks in the view / template are forgotten. Also, those checks have to be redundant in the API views.

Is there something like this that I did not find? If not, I am thinking about creating an app that introduces an objects manager that requires the user in the get_queryset method and applies filters according to the rules for the user.

Thoughts on that?

Thanks.

--
Greg