I'm working with the following models in a Django project. The effective relationship is that a District can have multiple Schools, a School can have multiple Students, and a Student may have multiple Cases.
```python
from django.db import models


class District(models.Model):
    name = models.CharField(max_length=50)
    ...

    class Meta:
        # Each permission is a (codename, description) pair
        permissions = (
            ('view_district', 'Can view district'),
            # ...
        )


class School(models.Model):
    name = models.CharField(max_length=50)
    ...
    district = models.ForeignKey(
        District,
        on_delete=models.PROTECT,
        related_name='schools',
        related_query_name='school',
    )

    class Meta:
        permissions = (
            ('view_school', 'Can view school'),
            # ...
        )


class Student(models.Model):
    name = models.CharField(max_length=50)
    ...
    school = models.ForeignKey(
        School,
        on_delete=models.PROTECT,
        related_name='students',
        related_query_name='student',
    )

    class Meta:
        permissions = (
            ('view_student', 'Can view student'),
            # ...
        )


class Case(models.Model):
    name = models.CharField(max_length=50)
    ...
    student = models.ForeignKey(
        Student,
        on_delete=models.PROTECT,
        related_name='cases',
        related_query_name='case',
    )

    class Meta:
        permissions = (
            ('view_case', 'Can view case'),
            # ...
        )
```
A user may be assigned:
- a specific case
- a specific student (which would include all cases for that student)
- a specific school (which would include all students for that school, and thus all cases for the students at that school)
- a specific district (which would include all schools for that district, all students that attend those schools within that district, and all cases for students that attend those schools within that district)
Users (other than Admins) will only be able to view/edit/delete models for which they have been granted permissions. Admins will have the former permissions for all models as well as adding new models. Admins will ultimately "assign" who has access to what; groups seemed like a natural way to extend some of this functionality.
I'm aware that Django provides no native support for instance-level permissions and as such I've already explored the django-guardian package. It appears to offer the functionality required for a specific instance and while I can create permissions individually for objects through the shell, I'm obviously wanting to build this functionality into the models.
Ideally when a model is created, a group (or permission?) will be available that users can be placed into such as
District | District1 | can view District1
District | District1 | can edit District1
District | District1 | can delete District1
....
School | School1 | can view School1
School | School1 | can edit School1
School | School1 | can delete School1
I think programmatically creating Groups for each object permission would be ideal? But I would then need to remove those groups if the model is deleted? I also feel like groups may be overcomplicating the system, and I would rather rely on programmatically generated permissions and avoid groups outright? I am really looking for some direction, as I've never needed to create such a unique permission scheme. Any and all advice is greatly appreciated.
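
The assignment rules listed in the question (case, student, school, district), as an added example that is not part of the original post: a plain-Python sketch in which only explicit assignments are stored and each check walks the foreign-key chain upward, denying by default. `Node`, `Grants` and `build_sample` are hypothetical names and the data is constructed; none of this is Django or django-guardian API.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    """Stand-in for a District/School/Student/Case row (hypothetical, not a Django model)."""
    kind: str
    name: str
    parent: Optional["Node"] = None  # school.district, student.school, case.student


class Grants:
    """Stores explicit assignments only; inherited access is computed per check."""

    def __init__(self):
        self._rows = set()  # {(user, node, action)}

    def assign(self, user, node, action):
        self._rows.add((user, node, action))

    def revoke(self, user, node, action):
        self._rows.discard((user, node, action))

    def allowed(self, user, node, action, is_admin=False):
        if is_admin:
            return True
        while node is not None:  # case -> student -> school -> district
            if (user, node, action) in self._rows:
                return True
            node = node.parent
        return False  # no grant on the object or any ancestor: deny


def build_sample():
    """Constructed sample data: one district, two schools, one student and case each."""
    d1 = Node("district", "District1")
    s1, s2 = Node("school", "School1", d1), Node("school", "School2", d1)
    st1, st2 = Node("student", "Student1", s1), Node("student", "Student2", s2)
    c1, c2 = Node("case", "Case1", st1), Node("case", "Case2", st2)
    return d1, s1, s2, st1, st2, c1, c2


if __name__ == "__main__":
    d1, s1, s2, st1, st2, c1, c2 = build_sample()
    g = Grants()
    g.assign("alice", s1, "view")
    print(g.allowed("alice", c1, "view"))  # inherited from School1
    print(g.allowed("alice", c2, "view"))  # case under a different school
    print(g.allowed("alice", d1, "view"))  # grants never flow upward
```

Because inherited access is derived at check time, revoking the one school-level row removes access to every student and case beneath it, with nothing else to clean up.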