Representing multiple users with permissions, groups, and boolean flags.

Hi,

Context: For my first Django site I am planning out my models and how I will represent the difference between a parent user and a kid user (basically, parents can add/manage children, children cannot). After doing some research, it seems that the best option will be to give parents custom permissions through a parent Group since the differences are small. (If you disagree, I would love to hear what ideas you have.)

The default user model from contrib.auth has the flags is_staff and is_superuser. I am wondering, why have these separate flags when you could add the user to a group and check for permissions that way? My guess is that these flags must serve some purpose I am unaware of, or maybe they are redundant but there is something useful about it?

The reason I ask is that I am wondering whether I should add an is_parent and is_child flag to my user model. Alternatively, the way I understand them, I think I can use just groups. In fact, if the differences between parents and children are small, I suppose I could forget groups altogether (still figuring out how I am supposed to create these at deployment without using the admin page) and just add two or three custom permissions to a parent when I create them. Or what if there is just one custom permission called parent? (That’s a bad idea, right?)

I think my generic question can be boiled down to: When and why do you use Groups? When and why do you use boolean flags?

Thanks

Couple different questions here - trying to split it out a little.

  • is_staff allows the user to use the admin facility
  • is_superuser is supposed to allow all privileges (has_perm is supposed to return true in all circumstances). (However, it is possible to create a situation where that doesn’t occur, leading to all sorts of interesting issues.)
  • Groups are useful for assigning multiple permissions to multiple people. For example, a group may be assigned a list of permissions such as ‘app1.add_model1’, ‘app1.change_model2’, ‘app2.view_model3’. This lets you “group” sets of permissions together such that people assigned to that group have all those assigned permissions.
  • Permissions in Django are generally intended to be rather discrete, which is why you’ll see so many permissions having been created of the form ‘app_name.add_model_name’, ‘app_name.view_model_name’, ‘app_name.change_model_name’, and ‘app_name.delete_model_name’, rather than at a higher level such as a generic “parent” permission. Rather, you would want to create a group named Parent which has the individual permissions assigned to it.
  • We use boolean flags in our custom User object for a very small number of very specialized permissions that reside “outside” the typical model-access permission. (For example, we would use a boolean flag if we needed to grant an individual the right to put a site into maintenance mode but not have any other administrative authority.)

Ken

1 Like