how to create django groups and handle permission dynamically

Question

I am using django-userena application to handle user-registration, user-profile and log-in. Now I'm writing an application where -

1. A user can create a course(course is like a profile where we store information about course).
2. Other users can register for this course. Registration requires course creator's approval.
3. Only course creator can edit the course page and he can create an assignment for the course.
4. All users who registered for the course can see course page and assignment of the course(Read-only).
5. A course creator can provide permission to other users to edit all assignments of a course.

One way out is -- Create two groups creator and modifier. Now creator group can edit course page and modifier's member can modify assignments of that particular course. Problem with this solution is once we add a user to creator group it automatically gets permission to edit all courses. Similarly a member of modifier group can edit all assignments of all courses. This is not required.

How should I architect this application?

Answer 1

You can either have two different groups attached to each course and create them when the course is created:

class Course(models.Model):
  creators = models.ForeignKey(Group)
  modifiers = models.ForeignKey(Group)

So this way you can set permssion to this group. And you can use django-guardian to assign and check for this permission. Something like this:

assign_perm('edit_course', group, course)

and then check user if he can edit this course ( it will check group permission from user group automatically )

user.has_perm("edit_course",course)

Answer 2

An alternative is django-authority, which can check permissions dynamically by methods rather than persisting them in DB.

The difference Django-guardian is, in your example, when an user moves to another course you will have to deassign the permission on the old group and assign the new one explicitly.

With authority, a function can_edit_course(user, course) (pseudocode) and the access decided in runtime.

Answer 3

What you basically want is row-level permission.

You might get some idea from row level permissions in django

Other way is you can keep two fields on your model Course..

class Course(models.Model):
    creator = models.ForeignKey(User)
    modifiers = models.ManyToManyField(User)

So, check if the user is the creator and then only allow to edit the course.

Check is user is in course.modifiers.all() and then allow him to modify.

Creator will have access to another page where is can add the modifiers for the course.