
Assume that I have the following models:

from django.db import models


class Environment(models.Model):
    name = models.CharField(max_length=30, unique=True)


class Device(models.Model):
    # (some other fields)
    environment = models.ForeignKey(Environment, on_delete=models.CASCADE)

There are also two "permission levels":

  • root: users with this level can edit and delete Devices
  • regular_user: users with this level can view Devices

For each Environment, a user should have either the root or the regular_user permission level, i.e. in environment A he can be root and in environment B regular_user.

To specify that a user has a certain permission level for a selected environment, I use the solution described here (<permission_level_name>:<environment_id>, e.g. root:1). This is subject to change if that helps to resolve the problem.

The user accesses data via a Django REST Framework-based API.

How can I prevent a user with the root permission level in environment A from editing (via the API) Devices that are in environment B, where he has the regular_user permission level?

Solutions like django-guardian allow assigning permissions per Device instance, and Django Permissions allow assigning permissions per Model, but what I am looking for is a permission system based on a property of the Device instance.

1 Answer

You should be able to solve your problem with dry-rest-permissions. It allows for fine-grained control over permissions, actions, etc.

Example:

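class Device(models.Model):
    # (some other fields)
    environment = models.ForeignKey(Environment, on_delete=models.CASCADE)

    def has_object_write_permission(self, request):
        # is_root() is not defined on the question's Environment model; it has
        # to be added there and return True only for that environment's roots.
        return self.environment.is_root(request.user)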
Kamil Niski
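
The decision such an object-level hook has to make, as an added example that is not part of the answer above or of dry-rest-permissions. It assumes the user's grants are available as strings in the question's `<permission_level_name>:<environment_id>` format; `parse_grants`, `may_access` and the sample user are hypothetical names, and the code is framework-free so the logic can be tested without Django.

```python
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # read-only HTTP methods
LEVELS = ("root", "regular_user")           # the two levels from the question


def parse_grants(codenames):
    """Turn 'root:1'-style strings into {environment_id: level}."""
    grants = {}
    for codename in codenames:
        level, sep, env = codename.partition(":")
        if not sep or level not in LEVELS or not (env.isascii() and env.isdigit()):
            continue  # malformed or unrelated permission: ignore, never grant
        env_id = int(env)
        # Assumption: if both levels exist for one environment (a
        # misconfiguration), fall back to the lower one.
        if grants.get(env_id) != "regular_user":
            grants[env_id] = level
    return grants


def may_access(codenames, method, device_env_id, target_env_id=None):
    """Decide one request against one Device.

    device_env_id: environment the Device is in now (None when creating).
    target_env_id: environment id in the request body, if the write sets one.
    """
    grants = parse_grants(codenames)
    if method in SAFE_METHODS:
        return device_env_id in grants      # either level may view
    # Writes need root on every environment the request touches, so a root of
    # A can neither edit a Device in B nor create or move a Device into B.
    touched = {e for e in (device_env_id, target_env_id) if e is not None}
    return bool(touched) and all(grants.get(e) == "root" for e in touched)


# Constructed sample: root in environment 1 (A), regular_user in 2 (B),
# plus one unrelated permission and one malformed grant.
ALICE = ["root:1", "regular_user:2", "devices.view_device", "root:x"]

if __name__ == "__main__":
    for args in [("GET", 2), ("PATCH", 2), ("PATCH", 1), ("PATCH", 1, 2)]:
        print(args, may_access(ALICE, *args))
```

In Django REST Framework, `has_object_permission` runs only when the view calls `get_object()`, so it covers the first argument pair but not creation. The `target_env_id` check for create requests and for updates that change `environment` has to be called from the serializer's validation or from `perform_create`.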