Limiting access to data through user permissions?

[Will Meyers]

Just need some help getting over a wall I've hit.

I have a web application that whenever a user signs up, is assigned a 
License. This License has CustomPermissions attached to it telling what 
values of a field within a materialized view they have access to. I have an 
API that needs to filter data requested against the User who requested it 
based on the User's license. I drafted some example models below that 
outlines my problem.

class CustomPermission(models.Model):
    name = models.CharField(max_length=255)
    field = models.CharField(max_length=255)
    value = models.CharField(max_length=255)

class License(models.Model):
    name = models.CharField(max_length=255)
    permissions = models.ManyToManyField(CustomPermissions)
    ...

class User(AbstractBaseUser):
    license = models.ForeignKey(License, on_delete=models.CASCADE)
    ...

This works fine if I'm only filtering columns with text values. I can just 
do

...
user = request.user
permissions = user.license.permissions.values_list('field', 'value')
return queryset.objects.filter(**{field: value for field, value in permissions})

This issue is that I cannot filter against other datatypes (datetimes for 
example). If I wanted to limit access to data published in the last 90 days 
for example, there's no way to represent that in this model.

To solve this I was thinking of using a sparse table for the 
CustomPermission model. Something like

class CustomPermission(models.Model):
    name = models.CharField(max_length=255)
    field = models.CharField(max_length=255)
    operation = models.CharField(max_length='32')
    text_value = models.CharField(max_length=255, null=True, blank=True)
    date_value = models.DateField(null=True, blank=True)

Where operation would be equal to '__gt', '__lt', ... things like that. I 
can then just do something similar as before

...
user = request.user
permissions = user.license.permissions.values_list('field', 'operation', 
'text_value', 'date_value')return queryset.objects.filter(**{fld + op: txt_val 
or dat_val for fld, op, txt_val, dat_val in permissions})

But this does not feel right, and can get messy quickly. Any suggestions?

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/1f8f1c2a-4c21-48a0-ae4d-a128f79a3d0co%40googlegroups.com.