I just released my first version of a Role-Based Access Control system for permissions in Django.

Development code can be found in BitBucket: http://bitbucket.org/nabucosound/django-rbac/

The project's page is here.


First of all, I would like to show some drawbacks of Django's current permission system:

  • Permissions are tied directly to the User model from django.contrib.auth, so you cannot use any other existing model in your application.
  • The task of maintaining this list of permissions in the current Django system is the responsibility of a superuser or some other kind of centralized entity.
  • You can certainly assign permissions to Group model instances, but all users in this group will share the same permissions.
  • Last, but not least, until Django v1.2 arrives and ticket #11010 is implemented, the permission system is model-level -- it doesn't allow granular (row-level) permissions, which means you can authorize a user to do something on all instances of a model class, but not on a single model instance (an object).

Many applications, and especially today's web applications -- which involve concepts such as collaboration or content driven by the users -- need the flexibility to let trusted agents other than a central administrator grant permissions on objects. A clear example is a social networking site, where users want to allow or deny access to their profiles or pictures, and open or close their different communication channels, such as receiving friendship requests or private messages. django-rbac tries to champion this by introducing some key features from the Role-Based Access Control (RBAC) proposal. In this implementation users (subjects) are assigned different roles that, in turn, may or may not have privileges over objects. With this permission system, the owner of an object can give privileges to certain roles. For example, a user can grant other users access to read some personal info only if they belong to at least one of the roles specified in the permission rule.
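To make the model in the paragraph above concrete, here is an added, self-contained Python illustration of the same scheme; it is not django-rbac's code and does not use its API or Django models. It assumes string identifiers for subjects and objects, roles that an object's owner assigns to other subjects (for example "friend"), and per-object rules that grant a privilege to a set of roles. A subject gets the privilege when it holds at least one role named in the rule; the owner always keeps its own privileges; anything without a rule is denied by default; and only the owner may write rules for its object.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Added illustration (hypothetical, in-memory), not django-rbac's own code:
# owners assign roles to other subjects and write per-object rules that grant
# a privilege to a set of roles. Access is allowed when the subject holds at
# least one of the roles named in the rule for that object and privilege.


@dataclass
class RoleBasedAccessControl:
    # object_id -> owner subject
    owner_of: Dict[str, str] = field(default_factory=dict)
    # (owner, subject) -> roles the owner has given that subject, e.g. {"friend"}
    roles: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # (object_id, privilege) -> roles that are granted that privilege
    rules: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def register(self, object_id: str, owner: str) -> None:
        self.owner_of[object_id] = owner

    def assign_role(self, owner: str, subject: str, role: str) -> None:
        self.roles.setdefault((owner, subject), set()).add(role)

    def grant(self, actor: str, object_id: str, privilege: str,
              allowed_roles: Set[str]) -> None:
        # Delegation is the point of the scheme, but only the owner of an
        # object may write a permission rule for it.
        if self.owner_of.get(object_id) != actor:
            raise PermissionError(f"{actor} does not own {object_id}")
        self.rules[(object_id, privilege)] = set(allowed_roles)

    def check(self, subject: str, object_id: str, privilege: str) -> bool:
        owner = self.owner_of.get(object_id)
        if owner is None:
            return False                      # unknown object: deny
        if subject == owner:
            return True                       # owners keep their own privileges
        allowed = self.rules.get((object_id, privilege))
        if not allowed:
            return False                      # no rule (or an empty one): deny by default
        held = self.roles.get((owner, subject), set())
        return not held.isdisjoint(allowed)   # at least one matching role suffices


def demo() -> Dict[str, bool]:
    """Constructed sample data: alice owns a profile and an album and
    delegates access to roles she has assigned to bob and carol."""
    ac = RoleBasedAccessControl()
    ac.register("alice/profile", "alice")
    ac.register("alice/album1", "alice")
    ac.assign_role("alice", "bob", "friend")
    ac.assign_role("alice", "carol", "coworker")
    ac.grant("alice", "alice/profile", "read", {"friend", "coworker"})
    ac.grant("alice", "alice/album1", "read", {"friend"})
    ac.grant("alice", "alice/profile", "send_message", {"friend"})

    results = {
        "bob_reads_profile": ac.check("bob", "alice/profile", "read"),
        "carol_reads_profile": ac.check("carol", "alice/profile", "read"),
        "carol_reads_album": ac.check("carol", "alice/album1", "read"),
        "bob_messages_alice": ac.check("bob", "alice/profile", "send_message"),
        "carol_messages_alice": ac.check("carol", "alice/profile", "send_message"),
        "dave_reads_profile": ac.check("dave", "alice/profile", "read"),
        "alice_reads_album": ac.check("alice", "alice/album1", "read"),
        "bob_edits_profile": ac.check("bob", "alice/profile", "edit"),
    }
    # A non-owner must not be able to rewrite someone else's rules.
    try:
        ac.grant("bob", "alice/album1", "read", {"coworker"})
        results["bob_can_delegate"] = True
    except PermissionError:
        results["bob_can_delegate"] = False
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The two checks worth carrying into a real implementation are the default-deny branch (a missing or empty rule grants nothing) and the ownership check in `grant`: without the latter, any subject who can reach the rule store can delegate privileges on objects it does not own, which defeats the purpose of letting owners, rather than a superuser, decide who sees their data.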

I initially developed the first version of this app for a social network, to give its users the ability to control who has privileges over their profiles, photo albums, personal information, and so on. If you are in a similar situation, you'll find that django-rbac suits your purposes perfectly. But since what is being implemented is a general-purpose access control system, django-rbac will also help you out if you are building any other kind of application that needs this level of permission control. I think I have made it generic enough to match a wide range of use cases.