9👍
If I read your updated requirements correctly, I don’t think Django’s existing auth system will be sufficient. It sounds like you need a full-on ACL system.
This subject has come up a number of times. Try googling on django+acl.
Random samplings …
There was a Summer of Code project a couple of years ago, but I’m not sure where they got to. See http://code.djangoproject.com/wiki/GenericAuthorization
There is a fresh ticket at djangoproject.org that might be interesting:
There are some interesting code snips on dumpz.org:
- http://dumpz.org/274/ models.py
- http://dumpz.org/273/ signals.py
… but there are zero docs.
Good luck!
5👍
The Django permission system totally rules. Each model has a default set of permissions. You can add new permissions to your models, also.
Each User has a set of permissions as well as group memberships. Individual users can have individual permissions. And they inherit permissions from their group membership.
Your view functions (and templates) can easily check the presence or absence of those permissions at any level of granularity you need to use.
And if this isn’t enough for you, the Profile add-on gives you yet more options for defining a “User” and their capabilities, permissions, roles, responsibilities, etc.
And if this isn’t enough for you, you can define your own authentication schemes.
What’s important is not to try and define groups that are actual subsets of users, not casually defined titles or roles. You never need to “set permissions for a sub-set of a group”. You need to have smaller groups. Groups defined around subsets of people.
Django’s default permissions are around model access, not row access within a model. On the other hand, your problem is about subsets of rows in several models: Client, Store, Employee, Manager.
You’ll need a basic set of FK’s among these items, and some filters to subset the rows. You may have trouble doing this with default admin pages. You may need your own version of admin to make use of specialized filters.
If you can’t do it with the Django permission system, you should rethink your use cases. Seriously.
[The Django-REST Interface, however, is another beast entirely, and requires some care and feeding.]
3👍
ModelAdmin objects have has_add_permission, has_change_permission, has_delete_permission and queryset methods which can be used to enforce permissions around what the logged-in user can see and modify – you could create a subclass which uses these to enforce whatever permissions you want to implement and register all your models with the admin application using your subclass.
However, it all depends how exactly your permissions system will work – what are the exact requirements which fall out of your fine-grained permissions? The more you move away from what the admin application was designed to do, the more work it’ll take, but there are a lot of hooks in there which you can use to implement your custom requirements. Here’s a blog post from Luke Plant which gives examples of some of the fine-tuning you can do without having to dig too deep.
Does it absolutely have to be based around the admin application? Generic views and ModelForms can take care of a lot of the tedious bits involved in implementing CRUD, so be wary of getting too hung up on customising admin – it’s almost a Django tradition to start by getting hung up on the admin app and what it can and can’t do, initially thinking you’ll never have to write any code again 😉
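The ModelAdmin hooks named in the answer above, as an added example that is not part of the original answer or of Django's own code: a mixin that limits admin rows to the stores a user manages. The store foreign key, the managed_store_ids user attribute and the Fake* stand-ins (constructed so the logic runs without Django installed) are assumptions; current Django names the queryset hook get_queryset.

```python
from types import SimpleNamespace

class StoreScopedAdminMixin:
    """Use as: class EmployeeAdmin(StoreScopedAdminMixin, admin.ModelAdmin)."""
    store_field = "store"  # assumed FK name on every scoped model

    def _store_ids(self, request):
        # Assumed user attribute; if it is missing the user manages nothing (fail closed).
        return set(getattr(request.user, "managed_store_ids", ()))

    def _row_allowed(self, request, obj):
        if request.user.is_superuser:
            return True
        return getattr(obj, self.store_field + "_id", None) in self._store_ids(request)

    def get_queryset(self, request):  # named `queryset` before Django 1.6
        qs = super().get_queryset(request)
        if request.user.is_superuser:
            return qs
        return qs.filter(**{self.store_field + "_id__in": self._store_ids(request)})

    def has_change_permission(self, request, obj=None):
        # Model-level permission first, then the row check; obj is None on list pages.
        if not super().has_change_permission(request, obj):
            return False
        return obj is None or self._row_allowed(request, obj)

    def has_delete_permission(self, request, obj=None):
        if not super().has_delete_permission(request, obj):
            return False
        return obj is None or self._row_allowed(request, obj)

# --- Constructed stand-ins so the logic above runs without Django installed ---
class FakeQuerySet(list):
    def filter(self, **kw):
        (lookup, ids), = kw.items()  # handles only the single "<field>__in" lookup used above
        return FakeQuerySet(r for r in self if getattr(r, lookup[:-len("__in")]) in ids)

class FakeModelAdmin:  # stands in for admin.ModelAdmin
    rows = FakeQuerySet(SimpleNamespace(pk=i, store_id=s) for i, s in [(1, 10), (2, 20), (3, 10)])
    def get_queryset(self, request): return self.rows
    def has_change_permission(self, request, obj=None): return True
    def has_delete_permission(self, request, obj=None): return True

class EmployeeAdmin(StoreScopedAdminMixin, FakeModelAdmin):
    pass

def request_for(store_ids, superuser=False):
    return SimpleNamespace(user=SimpleNamespace(is_superuser=superuser, managed_store_ids=store_ids))
```

In the real admin, get_queryset also backs the change view's object lookup, so the per-object checks act as a second layer rather than the only one.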
2👍
From django 1.2 there is support for row-level permissions, which django-guardian makes very intuitive to handle.
0👍
You may also want to have a look at the granular-permissions monkeypatch:
http://code.google.com/p/django-granular-permissions/
It adds row-level permissions to django’s permission system.
0👍
I’ve just found http://bitbucket.org/jezdez/django-authority/ , it looks promising.