I need help with making custom group and permissions

First of all, I’m sorry for messed up question here.
I’m a bit confused right now because of searching for this.

I’m trying to make a website to manage reservation schedule for the store chain.
So, I made branch management, timetable management and custom user model yet.

What I’ve done and want to make is this.

  • Information

    • The ‘branch info’ here means branch name, open time, close time, count of equipment, address, phone number
    • Timetable is consist of id, foreign key branch, is holiday or not, period, start time and end time
  • Done

    • In my custom user model, each user is seperated into three.
      • Superuser (the user whose boolean field ‘is_superuser’ is True and ‘is_staff’ is also True)
      • Staff (the user whose only boolean field ‘is_staff’ is True)
      • Normal user (the user whose all boolean fields above is ‘False’)
    • Each user have the branch they are belonging to (foreign key ‘branch’).
      • Even superuser have their branch and I made ‘Development’ branch for developer.
  • Want to make

    • Each user except superuser can do
      • View their own branch’s info
      • View their own branch’s timetable
      • View their own branch’s schedule.
    • Staffs can do
      • View, edit their own branch’s users’ info (normal user and other staffs)
      • View, edit their own branch’s branch info (can’t delete)
      • View, edit their own branch’s timetable
      • View, add, edit, delete their own branch’s schedule
    • Superusers can do
      • In short, they can do everything.
        • View, add, edit, delete all branches and branches’ info
        • View, add, edit, delete all users and users’ info
        • View, add, edit, delete all branches timetables
        • View, add, edit, delete all branches schedules

What I think as solutions are these.

  1. Make each branch as group and give permissions by user, staff, superuser
  2. Make user, staff, superuser as group and filter object by branch as foreign key
    When I made model for user and timetable, each model have branch as foreign key.

What I want to know is which one is applicable or have better solution and how to make it.

What I would strongly suggest is that you don’t re-use the is_superuser and is_staff flags for your own application. My advice is to leave them alone for their originally intended purpose - controlling access to the admin.

Use the Django Group and Permission models for this purposes. Create Groups for Superuser, Staff, etc.

Assign appropriate permissions to each of those groups, and implement your view-level security accordingly.

See the thread at How to create Workspaces and manage them for all the users in Django? for a recent conversation of this type of topic.

For the solutions you propose, I’m more in favor of #2.

By the way, it’s out of the topic question, but I have one.
Should I flag both ‘is_staff’ and ‘is_superuser’ to superuser, only ‘is_superuser’ is enough, or it’s differ by how I make permissions configuration?

If you’re talking about the Django admin, is_superuser bypasses all security tests. The is_staff allows for access to the admin but is constrained by permissions within the admin.

If you’re talking about your application, then I’d say “Neither”.

I wouldn’t make is_staff or is_superuser any part of my application’s security infrastructure.

I’d make group membership the only basis for that.

Got it :smile:
Thank you for your generous answers full of kindness.
I feel like I’m free of burden of my mind for now.

Sorry for extra question.
You said you strongly suggest not to re-use and keep is_superuser and is_staff for controlling access to admin, right?
Then, it means that I can use those flags in my custom user model(it’s AUTH_USER_MODEL in settings.py) if I want to allow staffs and superusers to use admin, right?

Absolutely yes. That’s what those fields are for.

Thanks again :grin:
Now I should move on.