Advanced Permissioning

02:15 PM - 03:10 PM on July 16, 2016, Room CR5

Jack McCloy

Audience level: intermediate

Watch: https://www.youtube.com/watch?v=90T5D4KUjWI

Description

In many Django applications, permissioning (building rules for who has access to what) is pretty easy. Logged out users can see some stuff, logged in users can see more stuff, and superusers can see (and edit, and delete) all of the stuff! But when you want to handle more complex permissioning (like object-level permissions), it can get pretty ugly. This talk will help to de-uglify things for you.

Abstract

Basic permissioning in Django is pretty easy. And for many sites, basic permissioning is all that you need. But if what you're building doesn't fall into this category, things can get ugly fast...

So what's the difference between basic permissioning and advanced permissioning? In short, basic permissioning is when Django's built-in model-level permissions system (a permission such as "can change lesson" granted to a user or group for every instance of the model) is enough. Advanced permissioning is when the rule depends on the particular object, not just its model, and the built-in system has no way to express it.

Hickory Training, my last company, provides training lessons that the employees of our customers would take. We needed to implement a system of permissions where people inside a particular company could see their lessons without having the ability to view those of another company. We also needed to provide different levels of access within each company - users who could only view the lessons, superusers who could view and edit the lessons, and managers who could view data about the lessons but not alter the lessons themselves. Furthermore, we wanted to take advantage of Django groups to easily manage permissions for entire sets of users, rather than for individuals. Needless to say, it got complicated very fast.

In this talk we'll start with what you can do with Django's model-level permissions, and where they fall short.

Then we'll dive into the deep, dark world of object-level permissioning. We'll look at django-guardian, the most popular package for managing object-level permissions, walking through the challenges and trade-offs you'll face when Django's out-of-the-box permissions aren't enough.
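To make the model-level versus object-level distinction concrete, here is an added example that is not from the talk and does not use Django or django-guardian. It is a stand-alone Python sketch that mirrors the shape of a Django auth backend's has_perm(user, perm, obj) call and of django-guardian's per-object grants, and it reproduces the training-lessons scenario described above. The Company and Lesson classes, the "lessons.*" codenames, the role table, and the user and company names are all hypothetical.

```python
"""Added example (not from the talk): model-level vs object-level permission checks.

Stand-alone sketch; it imports neither Django nor django-guardian. It mirrors
the auth-backend call has_perm(user, perm, obj) so the two approaches can be
run side by side. All names and codenames below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Company:
    name: str


@dataclass(frozen=True)
class Lesson:
    title: str
    company: Company


@dataclass
class Group:
    name: str
    model_perms: set = field(default_factory=set)  # model-level codenames


@dataclass
class User:
    username: str
    groups: list = field(default_factory=list)
    is_superuser: bool = False


class ModelLevelBackend:
    """Shape of Django's ModelBackend: a codename is granted for every
    instance of the model or for none. The obj argument is ignored."""

    def has_perm(self, user, perm, obj=None):
        if user.is_superuser:
            return True
        return any(perm in g.model_perms for g in user.groups)


class ObjectLevelBackend:
    """Shape of django-guardian's object backend: a grant is a (subject,
    codename, one specific object) triple; a check with no object is False."""

    def __init__(self):
        self._grants = set()

    @staticmethod
    def _key(subject):
        if isinstance(subject, Group):
            return ("group", subject.name)
        return ("user", subject.username)

    def assign_perm(self, perm, subject, obj):
        self._grants.add((self._key(subject), perm, obj))

    def has_perm(self, user, perm, obj=None):
        if user.is_superuser:
            return True
        if obj is None:
            return False
        subjects = [self._key(user)] + [self._key(g) for g in user.groups]
        return any((s, perm, obj) in self._grants for s in subjects)


def has_perm(backends, user, perm, obj=None):
    """Like django.contrib.auth: the first backend that grants wins."""
    return any(b.has_perm(user, perm, obj) for b in backends)


# Hypothetical role table: managers see data about lessons but cannot change them.
ROLE_PERMS = {
    "viewer": {"lessons.view_lesson"},
    "editor": {"lessons.view_lesson", "lessons.change_lesson"},
    "manager": {"lessons.view_lesson", "lessons.view_lesson_stats"},
}


def grant_company_role(backend, group, role, lessons):
    """Object-level scoping is one grant per (perm, lesson); every lesson
    created later needs grants too, which is where the bookkeeping starts."""
    for lesson in lessons:
        for perm in ROLE_PERMS[role]:
            backend.assign_perm(perm, group, lesson)


def scenario():
    """Constructed sample data: two companies, a few lessons, four users."""
    acme, globex = Company("Acme"), Company("Globex")
    acme_lessons = [Lesson("Safety 101", acme), Lesson("Forklift", acme)]
    globex_lesson = Lesson("Onboarding", globex)

    # 1. Model-level only: a single global "viewers" group cannot be scoped
    #    to a company, so an Acme employee sees Globex lessons too.
    alice = User("alice", [Group("viewers", {"lessons.view_lesson"})])
    leak = has_perm([ModelLevelBackend()], alice, "lessons.view_lesson", globex_lesson)

    # 2. Object-level: per-company groups with grants on that company's lessons.
    obj_backend = ObjectLevelBackend()
    groups = {r: Group(f"acme-{r}s") for r in ROLE_PERMS}
    for role, group in groups.items():
        grant_company_role(obj_backend, group, role, acme_lessons)
    bob, carol, dave = (User(n, [groups[r]]) for n, r in
                        [("bob", "viewer"), ("carol", "editor"), ("dave", "manager")])
    root = User("root", is_superuser=True)
    backends = [ModelLevelBackend(), obj_backend]
    safety = acme_lessons[0]
    return {
        "model_level_leaks_across_companies": leak,
        "viewer_sees_own_company": has_perm(backends, bob, "lessons.view_lesson", safety),
        "viewer_blocked_other_company": has_perm(backends, bob, "lessons.view_lesson", globex_lesson),
        "viewer_cannot_change": has_perm(backends, bob, "lessons.change_lesson", safety),
        "editor_can_change": has_perm(backends, carol, "lessons.change_lesson", safety),
        "manager_cannot_change": has_perm(backends, dave, "lessons.change_lesson", safety),
        "manager_sees_stats": has_perm(backends, dave, "lessons.view_lesson_stats", safety),
        "object_check_needs_object": has_perm(backends, bob, "lessons.view_lesson"),
        "superuser_sees_all": has_perm(backends, root, "lessons.change_lesson", globex_lesson),
    }
```

The point to take from the sketch is the last two keys: an object-level grant answers nothing when you ask without an object, so views and serializers have to pass the instance through, and the superuser short-circuit still bypasses everything, exactly as with Django's built-in checks.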

Finally, we'll look at how your shiny new permissioning architecture fits into the rest of your site, with an example that uses the ever-popular Django REST Framework.