2

I need a Django model where a User can have a Function with any number of Organisations. His permissions (change, view, delete) with the organization are determined by his Role. I am pretty sure I only need an "admin" and a "member" role.

This would require row-level permissions, so I decided to go with django-guardian. I am having trouble choosing the proper model design. These are the alternatives:


The first one would have the advantage of creating new roles, but I don't think I need that. Also I can enforce unique_together so that a User can only have 1 function at every company. Would I set the can_change permission at the Role and infer the row level permission based on the relation between User and Organization? That would mean I do not even need django-guardian, right?

The second one looks much simpler, but maybe that is deceptive. The permissions would have to be set as soon as a User is added to an Organization and are definitely row-level.

What is the right strategy here?

To clarify: in both cases a user can be an admin of one organization and simply a member of another organization.

Roy Prins
  • My question is sadly not getting any responses. Please do comment if you think it can be improved or should be asked somewhere else. – Roy Prins Mar 01 '15 at 12:01
  • 1
    I found it exceedingly hard to implement it with `django-guardian`, so I started developing `django-trusts`. It does not solve your problem per se, but untangling the organizations model from the permissions model might make it more doable. With `django-trusts`, you can assign a trust based on his organization role. – Thomas - BeeDesk Dec 30 '15 at 06:34

1 Answer

3

Use the Party Model.

A user is not a person, it's a user. Person and organization are parties. A party hasOne (or no) user.

A person hasMany (many2many) relationships with an organization:

Individual -< Relationship >- Organization

Organizations can have relationships with each other too.

Neil McGuigan
  • That is a new and interesting concept for me to digest. I quickly took it in, but it looks like my application has some aspects that are less than suited for the Party Model. Some of the data will be highly hierarchical / relational and perfectly suited for a conventional model. I rely heavily on ORM and I like having meaningful object names to make sense of relationships. Finally I think that the added flexibility will ever be needed and the patterns above would suffice. I know that is a bold claim to make. Please let me know if I misunderstand the Party Model (as it is new to me). – Roy Prins Mar 08 '15 at 22:33
  • 1
    @RoyPrins most relationships are really network/graphical, not hierarchical. For example, a person could work for two companies, or could be both a customer and supplier. ORMs like Hibernate work well with the Party model (use @Inheritance). Most companies sell to both individuals and organizations, so the Party model is kind of required in that case. See data modeling books by Silverston and Hay. – Neil McGuigan Mar 08 '15 at 23:12
  • Looks like I downvoted your answer by accident, but Stack Overflow doesn't allow me to fix it now because it was "voted within the last 24 hours". Sorry about that. – Thomas - BeeDesk Dec 30 '15 at 18:51
  • @Thomas-BeeDesk corrected it with an extra upvote ;) – gabn88 Feb 05 '21 at 15:07
  • @gabn88, Stack Overflow now says I cannot do it because the vote was made too long ago... – Thomas - BeeDesk Feb 20 '21 at 21:29
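
Added example, not code from the question, the answer, or any of the projects named in this thread: the `Individual -< Relationship >- Organization` table with a role column, using Python's standard-library `sqlite3` instead of the Django ORM so it runs on its own. The table and column names, the sample rows, and the role-to-permission mapping are assumptions; the `UNIQUE` constraint plays the part of `unique_together`, and the permission is inferred from the relationship row with deny as the default.

```python
import sqlite3

# Assumed mapping: the question names the roles "admin" and "member" and the
# permissions change/view/delete, but not which role grants which permission.
ROLE_PERMS = {"admin": {"view", "change", "delete"}, "member": {"view"}}

SCHEMA = """
CREATE TABLE party (
    id   INTEGER PRIMARY KEY,
    kind TEXT NOT NULL CHECK (kind IN ('individual', 'organization')),
    name TEXT NOT NULL
);
CREATE TABLE relationship (
    individual_id   INTEGER NOT NULL REFERENCES party(id),
    organization_id INTEGER NOT NULL REFERENCES party(id),
    role            TEXT NOT NULL CHECK (role IN ('admin', 'member')),
    UNIQUE (individual_id, organization_id)  -- one role per pair
);
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO party VALUES (?, ?, ?)", [
        (1, "individual", "alice"),
        (2, "organization", "acme"),
        (3, "organization", "globex"),
    ])
    # alice is admin of acme and only a member of globex
    db.executemany("INSERT INTO relationship VALUES (?, ?, ?)",
                   [(1, 2, "admin"), (1, 3, "member")])
    return db

def has_perm(db, individual_id, perm, organization_id):
    """Row-level check: role for this exact pair, denied when no row exists."""
    row = db.execute(
        "SELECT role FROM relationship"
        " WHERE individual_id = ? AND organization_id = ?",
        (individual_id, organization_id)).fetchone()
    return row is not None and perm in ROLE_PERMS[row[0]]

def add_relationship(db, individual_id, organization_id, role):
    """Return False if the pair already has a role (UNIQUE violation)."""
    try:
        db.execute("INSERT INTO relationship VALUES (?, ?, ?)",
                   (individual_id, organization_id, role))
        return True
    except sqlite3.IntegrityError:
        return False
```

Because the check always looks up the specific (individual, organization) pair, an admin role at one organization never carries over to another, and a second, conflicting role for the same pair is rejected at the database level.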