Reputation: 752
Given a table in MySQL with rows that have a 'Country' field, I need to provide permissions to users. Essentially, I want to be able to say "X user has access to Germany + France + Canada" but "Y user has access to France + United States". I think a good approach may be to use Django's groups (i.e., have 1 group per country, and add people accordingly). My problem is that I want to make sure that I am querying against a set of authorized data, for security reasons.
One approach, for example, would be to create a view in MySQL for each possible combination (Germany only, Germany + France, nearly ad infinitum) but obviously this isn't feasible given the number of potential permutations. I could make 1 view per country, and query each one separately, but then I am putting a lot of pressure on the DB if a user is allowed access to say 20 different countries.
So, how can I efficiently and securely query this data to make 100% sure that I will only ever get back authorized data?
PS: not necessarily at the SQL level. If Django has some feature that allows me to do this, I would be fine with that.
Upvotes: 1
Views: 77
Reputation: 752
You could create a separate Country model with a many-to-many relationship to users and query across this relationship when you access models.
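    from django.db import models

    class Country(models.Model):
        name = models.CharField(max_length=64)
        iso_code = models.CharField(max_length=2)
        # Users who are allowed to see rows for this country
        users = models.ManyToManyField("auth.User")

    class MyModel(models.Model):
        # on_delete is required from Django 2.0 on; CASCADE was the earlier default
        country = models.ForeignKey(Country, on_delete=models.CASCADE)
        ...

    # Only rows whose country is linked to current_user are returned
    MyModel.objects.filter(country__users=current_user)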
Upvotes: 1
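An added example, not part of the answer above: the many-to-many filter amounts to a single join through the user/country link table, so one parameterised query covers any number of granted countries without a view per combination. The sketch uses Python's `sqlite3` in place of MySQL; the table names, column names, user ids and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed schema and data: all names here are assumptions for this sketch.
SCHEMA = """
CREATE TABLE country (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_country (user_id INTEGER, country_id INTEGER REFERENCES country(id),
                           PRIMARY KEY (user_id, country_id));
CREATE TABLE record (id INTEGER PRIMARY KEY, country_id INTEGER REFERENCES country(id),
                     payload TEXT);
"""
COUNTRIES = ["Germany", "France", "Canada", "United States"]
GRANTS = {1: ["Germany", "France", "Canada"],   # user X from the question
          2: ["France", "United States"]}       # user Y from the question


def build_db():
    """Create an in-memory database with one record per country and the grants above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO country (name) VALUES (?)", [(c,) for c in COUNTRIES])
    conn.execute("INSERT INTO record (country_id, payload) "
                 "SELECT id, 'row for ' || name FROM country")
    for user_id, names in GRANTS.items():
        conn.executemany(
            "INSERT INTO user_country SELECT ?, id FROM country WHERE name = ?",
            [(user_id, n) for n in names])
    return conn


def records_for_user(conn, user_id, country=None):
    """Return the country names of records visible to user_id, in one query.

    The join against user_country is always applied; the optional country
    argument can only narrow the result, never widen it.
    """
    sql = ("SELECT c.name FROM record r "
           "JOIN country c ON c.id = r.country_id "
           "JOIN user_country uc ON uc.country_id = c.id "
           "WHERE uc.user_id = ?")
    params = [user_id]
    if country is not None:
        sql += " AND c.name = ?"
        params.append(country)
    return [row[0] for row in conn.execute(sql + " ORDER BY c.name", params)]


if __name__ == "__main__":
    db = build_db()
    print(records_for_user(db, 1))             # user X
    print(records_for_user(db, 2, "Germany"))  # Germany is not granted to user Y
```

A user with no rows in the link table gets an empty result, so the default is deny; keeping the join inside one function means callers cannot forget the authorization filter.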