Suppose in an application there is a model "Service". There is also an "Orders" model which takes care of "User" purchases.
class Service(models.Model):
name = models.CharField(max_length=10)
class Order(models.Model):
service = models.ForeignKey(Service)
user = models.ForeingKey(get_user_model())
My question is what is better while checking access of a user to a service:
A> Storing and using per object permissions(saved in another table) with the help of third party libraries like Django guardian.
B> Computing the permission on each request. Example Permit if the user has bought that service (see the code below)
class IsPaidCustomer(BasePermission):
message = 'This action is allowed only for paid Customers.'
def has_permission(self, request, view):
course = request.data.get('service')
return bool(
request.user.order_set.filter(service__id=service).exists()
)
Does A. makes sense only in case of large computations? Or there is some other benefit of storing these permissions as well?
