Designing access level aware views in Django

Question

When creating a page on a site that should display different information based upon who is looking at it, what is the most elegant design? A few possibilities I came up with:

1. Pass all data to the template, along with a variable that states what sort of privileges the user has, and have the template choose to display or not display based on that.

2. Have different versions of the template based on access levels.

3. Have different versions of the view based on access levels.

For a concrete example, say you have a page with a user's profile. If the user is logged in, they should see all their information. If a different user is logged in, they should only see what that user made public. If an administrator is logged in, they should see all the information and a set of administrative action buttons.

Answer 1

Version 1 is terrible. It places access logic in the template, potentially (accidentally) exposing things you probably don't want to expose.

You should absolutely not just pass everything to the template, relaying on another variable to determine display.

Do the filtering either in the view (presenting a single correct object to your template) or in the model somehow.

While it's not always 100% possible, one should strive to keep business logic out of templates.

If you need to have dramatically different templates depending on a user's role, then separate templates for each role is the way I'd do it.

Answer 2

Version 1 is your best bet. I would inject the values you need into the context via a context processor.