About This Talk
Over the last few years, I have run into the same multitenancy use case across different projects. This scenario is a “lightweight” multitenancy use case, where we have a tenant model and tenants are instances of this model; all tenants share the same database, schema, and application instance. Resources belong to a single tenant, but users can belong to multiple tenants. Almost all API routes need to be nested under the tenant id, with urls of the form
api/tenants/tenant-id/some-resource. The challenges we faced were how to effectively nest our API urls and how to consistently restrict access to resources, so that users could only access those resources that belong to tenants that the user has permission to access.
- A brief description of the use case and multitenancy
- How we implemented nested routes in our API using drf-nested-routers
- How we wrote a custom viewset to centralize all logic related to checking that the user has permission to access resources under a specific tenant
- Custom model manager to avoid accidentally leaking information from other tenants
- Uses and limitations of our approach
- A different approach using an existing library (drf-access-policy)
Anyone with experience in Django is welcome!
Eliana Rosselli (she/her)
Eliana is a Computer Engineer with 3+ years of experience working as a fullstack developer on end-to-end product development projects. She’s passionate about good quality code and unit tests, and was previously a teacher assistant for a Data Structures and Algorithms course at UTU (Uruguay). She currently works as a fullstack developer at Octobot, using technologies like Django and ReactJs.