Users, permissions and groups - SACGF/variantgrid GitHub Wiki

We use Django Guardian for per-user object permissions.

Security

Subclass models with GuardianPermissionsMixin which provides a number of utility functions to handle permissions.

In views, use:

`patient = Patient.get_for_user(request.user, patient_id)` instead of `get_object_or_404(Patient, pk=patient_id)`, so the lookup itself checks the user's permission on that object.

To test views that access private data, add an entry to test_urls.py to ensure that PermissionDenied is raised for users without permission.

Groups

User creation calls a signal and adds every new user to the "public" group, which is used to share data with everyone.

Administrators create groups and add users to them via the Django admin.
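The following is an added, self-contained example (not variantgrid's code, and not Django Guardian's) that models the pattern described in the Security and Groups sections above: a permission-checking `get_for_user` lookup beside the unchecked `get_object_or_404`-style lookup, a "public" group that every new user joins, and the check a test_urls.py entry performs. A small in-memory `PermissionStore` stands in for Guardian's database-backed object permissions so it runs without Django; the mixin's method names other than `get_for_user`, the `view_patient` permission string, and the sample users and patients are all constructed assumptions.

```python
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""

@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)  # group names

PUBLIC_GROUP = "public"  # the group the wiki says every new user joins

class PermissionStore:
    """In-memory stand-in for Guardian's per-object permission tables (constructed)."""
    def __init__(self):
        self._user_perms = set()   # (username, perm, pk)
        self._group_perms = set()  # (group name, perm, pk)

    def assign_user(self, user, perm, obj):
        self._user_perms.add((user.username, perm, obj.pk))

    def assign_group(self, group, perm, obj):
        self._group_perms.add((group, perm, obj.pk))

    def has_perm(self, user, perm, obj):
        # A direct grant, or a grant to any group the user belongs to (e.g. "public").
        if (user.username, perm, obj.pk) in self._user_perms:
            return True
        return any((g, perm, obj.pk) in self._group_perms for g in user.groups)

PERMS = PermissionStore()

def create_user(username):
    """Mirrors the user-creation signal: every new user is added to "public"."""
    user = User(username)
    user.groups.add(PUBLIC_GROUP)
    return user

class GuardianPermissionsMixin:
    """Hypothetical sketch of the mixin's shape; the method names are assumptions."""
    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        cls._objects = {}  # per-model registry standing in for Model.objects

    def save(self):
        type(self)._objects[self.pk] = self

    @classmethod
    def get_read_perm(cls):
        return f"view_{cls.__name__.lower()}"

    @classmethod
    def get_for_user(cls, user, pk):
        """Lookup that enforces the object permission, so a view cannot forget it."""
        obj = cls._objects.get(pk)
        if obj is None:
            raise LookupError(f"{cls.__name__} {pk} not found")  # Django: Http404
        if not PERMS.has_perm(user, cls.get_read_perm(), obj):
            raise PermissionDenied(f"{user.username} may not view {cls.__name__} {pk}")
        return obj

@dataclass
class Patient(GuardianPermissionsMixin):
    pk: int
    name: str

def patient_view_unsafe(user, patient_id):
    """Lookup by id alone, as get_object_or_404 does: any user can read any patient."""
    return Patient._objects[patient_id]  # KeyError stands in for Http404

def patient_view(user, patient_id):
    """The recommended lookup: permission is checked as part of fetching the object."""
    return Patient.get_for_user(user, patient_id)

def raises_permission_denied(view, user, pk):
    """What a test_urls.py entry asserts: the view refuses users without permission."""
    try:
        view(user, pk)
    except PermissionDenied:
        return True
    return False

def demo():
    """Constructed sample data: one private patient, one shared with the public group."""
    alice, bob = create_user("alice"), create_user("bob")
    private = Patient(pk=1, name="private case")
    private.save()
    PERMS.assign_user(alice, Patient.get_read_perm(), private)
    shared = Patient(pk=2, name="shared case")
    shared.save()
    PERMS.assign_group(PUBLIC_GROUP, Patient.get_read_perm(), shared)
    return {
        "alice_private": patient_view(alice, 1).name,
        "bob_private_denied": raises_permission_denied(patient_view, bob, 1),
        "bob_private_unsafe_leaks": patient_view_unsafe(bob, 1).name,
        "bob_shared": patient_view(bob, 2).name,
    }
```

Running `demo()` shows the difference the wiki is pointing at: `patient_view` refuses bob the private patient and grants him the one shared with "public", while `patient_view_unsafe` hands the private record to anyone who supplies its id. The `raises_permission_denied` helper is the shape of the check a test_urls.py entry provides, and it is the test that catches a view accidentally reverting to the unchecked lookup.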

See also