Designing my first Django project: users, roles and permissions

Hello, I am starting on Django and I have some doubts about the design of my project.

My requirements are the following:

  • A login page.
  • An index page with buttons to access my different Django apps
  • Different and unrelated Django apps (each one with its own logic and views)

The structure of the project is:

   |    |
   |    |
   |    |
   |    |
   |    |
   |    |-css/...
   |    |-js/...
   |    |-img/...
   |    |-index.html
   |    |-login.html

The index.html and login.html are rendered directly without being inside of an app, because they are common for every app.

Now I want to create some users and give them different roles. Each role will have access to some apps.

For example:

  • admin: will have can_access_app1, can_access_app2 and can_access_app3 custom roles.
  • user1: could have can_access_app2 only.
  • user2: could have can_access_app1 and can_access_app3 only.

But now I am a bit lost. Where should I create the users models? Inside myproject/myproject?

I need a bit of help because I am not sure how to continue.


I’m a member of the “One app unless you can prove otherwise” camp.

Just starting out, I wouldn’t worry about trying to divide your application into multiple “apps” - it’s not worth the hassle if you don’t need to.

Security is applied at the view layer, not at the app layer. It is each view that needs to decide whether to grant access to a request being made.

Whether you need to create a custom User model is a different question. There is a really good case to be made that if you ever think you’re going to need a custom user, go ahead and implement it at the start. See the docs at Customizing authentication in Django | Django documentation | Django

Question: Have you worked your way through either or both the Official Django Tutorial or the Django Girls Tutorial? I recommend them to everyone getting started. They really do help.

Thanks for your response!

The idea of using several apps started because we are migrating multiple Flask apps, which are completely unrelated to Django. We are doing so because we wanted to manage security and user access in just one site. Honestly I thought it would be possible to deny access to certain urls, so that was other reason about creating multiple apps (so only users with permissions to access app1 could access routes). But I think even having to apply security at a view layer, it would be nice to have the code of each app in different folders.

I will have to read the Custom authentication link, and probably will follow the Django Girls Tutoriala also. Then I will probably come later if I have any other doubts :sweat_smile:


Just a couple more thoughts for you to keep in mind:

  • Django != Flask: If you try to apply the mental-models learned in Flask to Django, you will likely end up confused and frustrated.

  • Apps != urls: There are no requirements forcing apps to have different url paths, nor are there any requirements or restrictions forcing all views in one app to reside within the same url path.

  • urls != views: You can have multiple urls calling the same view.