During the development stage of a Django app I’m working on I was exploring how to best implement rowlevel user ownerships. There are several ways to overwrite methods on object managers and even the Django admin interface is properly configurable to take a ownership from “request.user”.

But since wrongfull data disclosure is absolutely unacceptable I was still afraid that I would miss something somewhere. A nice example I ran into was populating a dropdown list in a form, where all records were visible instead of only those owned by the logged in user.

That got me thinking and eventually I wrote this small but sweet piece of middleware. Further elaboration below the code.

Update1: The ‘ORDER BY’ in the regex needs to be optional.
Update2: Django does a ‘try update’ in save_base() without owner (seperated the select statement)

The comment in the code above sums up how to get it working. What it does is print a warning and the query in question that does not respect ownership. If enabled while developing just keep track of your console output for:

Should you  have suggestion, criticism, or words of admiration then please, do tell me 🙂

GrtzG