integrate with django guardian to restrict user data access

[hburgund]

Most Roundware servers will host multiple projects each of which have different administrators so it is crucial that admins only have access to their own project(s). We use django guardian in the django admin to accomplish this and more detailed data access restrictions and we need a way to replicate this in the new admin.

It is possible that django guardian isn't the best way to do this anymore, so I am open to different approaches. A simple solution of restricting by project so that only projects accessible by the logged in user show up on the main screen will be a 90% solution. The other 10% of being able to restrict access at lower levels and by other criteria as guardian can do is nice to have, but not crucial. That said, if guardian is the best approach, might as well fully integrate its features.

[hburgund]

Maybe DRF allows for API calls to take into account which user is making them? Then probably all projects would show up on the overview, but only the ones the user has access to would actually show any data once you open them up. Will investigate.

Indeed, this appears promising:

http://www.django-rest-framework.org/api-guide/permissions/#djangoobjectpermissions