I am trying to provide a user interface for writing custom database queries. I need to make sure that they can only request records that are allowed to them. For this, I decided to apply row-based access control using django-guardian.
This is how my circuits look:

    from django.db import models

    class BaseClass(models.Model):
        somefield = models.TextField()

        class Meta:
            permissions = (
                ('view_record', 'View record'),
            )

    class ClassA(BaseClass):

I would like to be able to use get_objects_for_group as follows:
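
    >>> from django.contrib.auth.models import Group
    >>> from guardian.shortcuts import assign_perm, get_objects_for_group
    >>> # create() takes keyword arguments; somefield is the only field shown above
    >>> group = Group.objects.create(name='some group')
    >>> class_c = ClassC.objects.create(somefield='ClassC')
    >>> class_b = ClassB.objects.create(somefield='ClassB', classc=class_c)
    >>> class_a = ClassA.objects.create(somefield='ClassA', classb=class_b)
    >>> assign_perm('view_record', group, class_c)
    >>> assign_perm('view_record', group, class_b)
    >>> assign_perm('view_record', group, class_a)
    >>> get_objects_for_group(group, 'view_record')
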
This gives me a QuerySet. Is it possible to use the base class that I defined above and write a raw query for other related classes?

    >>> # adjacent string literals are concatenated, so each piece ends with a space
    >>> qs.intersection(get_objects_for_group(group, 'view_record'),
    ...                 BaseClass.objects.raw('select * from table_a a '
    ...                                       'join table_b b on a.id=b.table_a_id '
    ...                                       'join table_c c on b.id=c.table_b_id '
    ...                                       'where some conditions here'))

Does this approach make sense? Is there a better way to solve this problem?
Thanks!
Edit:
Another way to solve the problem could be to create a separate table for each user. I understand that this can add to my application, but:
- The number of users will not be more than 100 seconds for a long time. Not a consumer app.
- In our use case, it is rather unlikely that I will need to query these tables. I will not write a query that should aggregate something from table1, table2, table3, which belongs to the same model.
- Maintaining a separate table for each client can be an advantage.
Do you think this is a viable approach?
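
An added example, not part of the original post: one way to get the isolation that both the intersection idea and the per-user-table idea in the edit are after is to run each custom query against a throwaway database that holds only the rows the group may view. It uses the standard-library `sqlite3` module instead of Django; `group_object_perm` is a hypothetical, simplified stand-in for a per-object permission table, the sample rows are constructed, and it assumes the permitted rows are few enough to copy per request.

```python
import sqlite3

# Constructed sample data. table_a/table_b follow the raw query in the post;
# group_object_perm is a hypothetical, simplified per-object permission table.
SCHEMA = """
CREATE TABLE table_a (id INTEGER PRIMARY KEY, somefield TEXT);
CREATE TABLE table_b (id INTEGER PRIMARY KEY, table_a_id INTEGER, somefield TEXT);
CREATE TABLE group_object_perm (group_id INTEGER, codename TEXT,
                                table_name TEXT, object_pk INTEGER);
INSERT INTO table_a VALUES (1, 'a1'), (2, 'a2'), (3, 'a3');
INSERT INTO table_b VALUES (10, 1, 'b10'), (11, 2, 'b11'), (12, 3, 'b12');
INSERT INTO group_object_perm VALUES
  (7, 'view_record', 'table_a', 1), (7, 'view_record', 'table_b', 10),
  (7, 'view_record', 'table_a', 2),
  (8, 'view_record', 'table_a', 3), (8, 'view_record', 'table_b', 12);
"""
QUERYABLE = ("table_a", "table_b")  # fixed server-side list, never user input

def make_source():
    """Create the constructed source database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def scoped_copy(src, group_id, perm="view_record"):
    """Build a throwaway database holding only the rows this group may view."""
    dst = sqlite3.connect(":memory:")
    for table in QUERYABLE:
        ddl = src.execute("SELECT sql FROM sqlite_master "
                          "WHERE type = 'table' AND name = ?", (table,)).fetchone()[0]
        dst.execute(ddl)
        rows = src.execute(
            f"SELECT * FROM {table} WHERE id IN (SELECT object_pk "
            "FROM group_object_perm WHERE group_id = ? AND codename = ? "
            "AND table_name = ?)", (group_id, perm, table)).fetchall()
        if rows:
            marks = ",".join("?" * len(rows[0]))
            dst.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return dst

def run_custom_query(src, group_id, custom_sql):
    """Run user-written SQL where unpermitted rows and the permission table do not exist."""
    scoped = scoped_copy(src, group_id)
    try:
        return scoped.execute(custom_sql).fetchall()
    finally:
        scoped.close()

JOIN = ("SELECT a.somefield, b.somefield FROM table_a a "
        "JOIN table_b b ON a.id = b.table_a_id ORDER BY a.id")
```

Because the user's SQL never touches the source connection, a query that selects constants, reads another table, or modifies data affects only the discarded copy.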