django-object-permissions Vs django-guardian Vs django-authority

Question

I've found 3 row-level permission solutions for Django 1.2+

• django-object-permissions
• django-guardian
• django-authority

Could someone tell if there is any recommended more than the others, what are their main differences, etc.?

Answer 1

I'll start this by saying we use none of these for object level permission - we use our own custom method and I really wish we hadn't. If you can avoid object level permissions at all, do so, they are a pain to organise.

This is how I evaluate the 3 apps you've mentioned.

Active Development:

1. django-guardian (1 week ago)
2. django-object-permissions (1 year ago)
3. django-authority (nearly 2 years ago)

API

1. django-guardian (save an instance of a defined model)
2. django-object-permissions (register permissions)
3. django-authority (define classes)

The above are in order by the way.

I'd recommend guardian purely on API alone, but the fact that it is still being developed where the others aren't usually means a big win.

Answer 2

As for Aug '13, django-object-permissions has been superseded by django-permission. The 3 projects are on active development.

Personally, I prefer authority or permission, which uses methods for checking permissions (runtime), rather than django-guardian which uses database to keep the permissions (attached upon object creation, f.e.).

-- EDIT --

Examples from the docs.

django-guardian

joe = User.objects.create(username='joe')
task = Task.objects.create(summary='Some job', content='', reported_by=boss)
joe.has_perm('view_task', task)
>> False
assign_perm('view_task', joe, task)
joe.has_perm('view_task', task)
>> True

You assign the permission and keep it in database.

django-authority

Declaration:

class FlatpagePermission(permissions.BasePermission):
    label = 'flatpage_permission'
    checks = ('morning_flatpage_check',)

    def morning_flatpage_check(self, flatpage):
        hour = int(datetime.datetime.now().strftime("%H"))
        if hour >= 8 and hour <= 12 and flatpage.url == '/about/':
            return True
        return False

authority.register(Flatpage, FlatpagePermission)

Usage:

def my_view(request):
    check = FlatPagePermission(request.user)
    flatpage_object = Flatpage.objects.get(url='/homepage/')
    if check.morning_flatpage_check(flatpage=flatpage_object):
        print "Yay, you can change *this* flatpage!"

It also wraps standard django permissions, but you can see the flexibility in the above custom permission which -AFAIK- you cannot do in guardian.

Common Usecase

A Student can belong to Classroom(s).

guardian:

1. When Student is assigned to new Classroom, attach permission 'attend_classroom' to Student over Classroom object.
2. When Student is removed from Classroom, remove 'attend_classroom' permission to Student over Classroom object.
3. When accessing Classroom, check 'attend_classroom' permission.

authority:

1. Define custom permission ClassroomPermission.can_attend_classroom(), which will query if Student belongs to Classroom.
2. When accessing Classroom, check ClassroomPermission.can_attend_classroom()

Authority keeps the checking logic in a separate file. Guardian needs attach/detaching permissions though the rest of the code.