Django Groups and Permissions. Extending Groups to have a FK?

Question

I'm working on a product that allows different schools to administer their content online.

Part of this involves setting up a role based access control logic which I've written myself. Essentially, each school has its own set of roles that have their own set of permissions. A user of the software could belong to mulitple schools with differing roles at any given time.

For various reasons, I want to ditch this and instead use Django's Groups and Permissions together with a library like django-guardian. The problem that I am facing is how should I go about extending the Groups model such that I can include a Foreign Key to each new school and still be able to use the helper methods in Django and also libraries like django-guardian.

One possibly approach I came up with is to simply create groups based on event names such as 'School 1 - Admin', 'School 1 - Teacher', 'School 2 - Admin', 'School 2 - Teacher' and query permissions based on this instead. Is there a good reason why I shouldn't do it this way?

Answer 1

Upon closer inspection, django-guardian was able to solve my needs. I wrote about my full implementation here: http://pragmaticstartup.wordpress.com/2012/06/26/django-guardian-a-full-access-control-logic-acl-example/

Answer 2

Why not mix both approaches in? Django model allows for inheritence. First define the Role model, with allowed roles and a school model.

You can then inherit a new model from django.contrib.auth.Group say GroupRole. Django will create a new db table for your model only containing the properties not originally in group with a foreignkey to the appropriate group with constraints. Even better, you will get an automatic reverse relationship to the original group model, so you can write something like:

class GroupRole(Group):
    role = models.ForeignKey(Role)
    school = models.ForeignKey(School)
    ...

g = Group.objects.get(id=1)
# you can access standard group items here g.<attribute> or g.grouprole.<attribute>
# you can access GroupRole attributes by doing g.grouprole.<some_attribute>

GroupRole.objects.filter(role__type='admin', school__location__state='NY')

On a fun note, the relationship is reflective so something like this is valid if not too useful:

g.grouprole.grouprole.grouprole.grouprole.role

If you get a base group instance that does not have a grouprole proxy associated with it then you will get an exception thrown:

g = Group.objects.create(name='myplaingroup')
try:
    print g.grouprole
except GroupRole.DoesNotExist:
    print 'This is a normal group'

Alternatively you can override this behavior to return None instead of raising an exception or even provide a default GroupRole instead.