Is permissions management by table possible?

[pajot]

I understand that the OEP is intended to be fully open by design. but I have a use case that requires granular permissions management.

The OEP has user accounts and authentication. Does the current design allow for table-level permissions? For example, can I hide tables from unauthenticated users?

If not, what would have to be done to make this work?

[pajot]

I just saw the "Permissions" button in the table view. I will experiment with that first. Sorry! (Isn't it nice when users answer their own questions? :D)

[pajot]

Okay, there is a permissions manager, but I don't see a way to hide the table from view. I want to be able to either

1. Hide the table entirely, or
2. Not show a preview of a table.

[jh-RLI]

I would also have to think about it further. So far there is no such functionality as far as I know. But spontaneously, it might be possible to customize the content for a user by extending the Django templates using the template tags. E.g. If the user object is available as context, html content can be hidden from unauthenticated users:
{% if user.is_authenticated %} ..html... {% endif %}
If the functionality has to be implemented via the backend, the current permissions can also be requested via the user object and the content of the response can be adjusted. There are a number of implementation options that are beyond the scope of this discussion.

[pajot]

This is definitely a feature we need, so I'm going to look at the template extension approach first, since that seems the simplest. How do you see this from a security standpoint? Is it acceptable to approach it this way, or is a backend implementation more secure?

[jh-RLI]

IMO this is safe to use as it is managed by the django contect Processor.
There would also be another (similar) way to get the permission in the template, by using the django permissions proxy .