Object-sided permissions: Looking for improvements

Using Django
1

Object-sided permissions: Looking for improvements

Hi,

Context

I’m currently working on a web application.
This app aims to improve online educational system.

While working on refactoring the code, to detach the business rules from the User Interface.
I have encountered some issues working on permissions.

If you want, you can find more information about the project here.

Issue

In our system, we have multiple objects:

  • Courses (contains Activities)
  • Activities (contains Resources)
  • Resources
    These objects also have some kinds of property like public, students only, collaborators (Non-Editor Teacher, Teacher, Owner) only and private.

And multiple roles with different kind of permissions:

  • Student (Read)
  • Non-Editor Teacher (Read)
  • Teacher (Read, Modify)
  • Owner (Read, Modify, Delete)

We currently have a working system, but we are looking for a better way.

So, we have some permissions associated with the roles:

PERMISSIONS_FOR_ROLE = {
    "students": ["view", "view_similar"],
    CollaboratorRole.TEACHER.name: [
        "view", "view_hidden", "view_similar", "add", "change", "view_collaborators", "view_students", "add_student",
        "change_student", "delete_student", "add_objective", "view_objective", "delete_objective", "change_objective",
    ],
    CollaboratorRole.NON_EDITOR_TEACHER.name: [
        "view", "view_hidden", "view_similar", "view_collaborators", "view_students", "view_objective"
    ],
    CollaboratorRole.OWNER.name: [
        "view", "view_hidden", "view_similar", "add", "change", "delete",
        "change_privacy",
        "view_students", "add_student", "change_student", "delete_student",
        "view_collaborators", "add_collaborator", "change_collaborator", "delete_collaborator",
        "add_objective", "view_objective", "delete_objective", "change_objective",
    ]
}

And we associate the user to an object with a role.

dbInfo
dbInfo1217×90 11.6 KB

Note: Someone can have access to a course but may not have access to the activities inside. Same for resources in an activity.

Example

John is a:

  • Creator → CourseA (Read, Modify, Configure, Delete)
  • Student → CourseB (Read)
  • Teacher → ActivityC (Read, Modify)

Julia is a:

  • Owner → CourseA (Read, Modify, Delete)
  • Creator → CourseB (Read, Modify, Configure, Delete)

ResourceD is public so everyone can read. Even non-logged in users.

Attempt

We already tried to use django-guardian, but this implies huge code manipulation.

Thanks for your answers!

2

You’ve provided the system you’ve implemented, and your question is “looking for improvements”. However, you haven’t really identified what needs to be improved, or what’s not working as desired or intended.

Assuming you’re using the built-in groups facility for your roles, you’re building your permissions system pretty much as intended, so I’d say there’s not much in the way of improvements to offer - unless there’s a situation or condition that your current design can’t implement.