
@clintonb
Last active August 29, 2015 14:05
Proposed Design for Permissions
"""
Workflow:
1. User authenticates and the OIDC provider returns permissions as a comma-delimited list of globs.
2. When the user accesses a course page, call has_access() to verify permissions.
   If the user has no permissions, the view should raise a 403 error. This can be accomplished with a mixin added to our existing views.
"""

# models.py
from django.contrib.auth.models import User
from django.db import models


class UserCoursePermissons(models.Model):
    user = models.ForeignKey(User, primary_key=True)  # Unsure if foreign key can also be primary key
    course_access_patterns = models.TextField()  # Using text field to avoid future issues with data overflow/truncation


# pipeline.py
def update_user_course_permissions(strategy, details, user=None, *args, **kwargs):
    if not user:
        raise ...  # exception type left open in this proposal

    # Overwrite any stored patterns with the value the provider returned at this login.
    patterns = details.get('analytics_api_courses')
    ucp, created = UserCoursePermissons.objects.get_or_create(user=user, defaults={'course_access_patterns': patterns})
    if not created:
        ucp.course_access_patterns = patterns
        ucp.save()

    return {}


# permissions.py
import fnmatch


def has_access(user, course_id):
    # Fail closed: a user with no stored permissions record has no access.
    try:
        uca = UserCoursePermissons.objects.get(user=user)
    except UserCoursePermissons.DoesNotExist:
        return False

    patterns = uca.course_access_patterns
    if not patterns:
        return False

    # Grant access if any glob in the comma-delimited list matches the course ID.
    patterns = patterns.split(',')
    return any(fnmatch.fnmatch(course_id, p) for p in patterns)
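
An added example, not part of the original gist: a stand-alone version of the glob check (no Django) that shows how a comma-delimited pattern list behaves under fnmatch. The function names and sample course IDs are constructed for illustration; unlike the gist's has_access(), it strips whitespace around entries and uses fnmatchcase.

```python
import fnmatch


def parse_patterns(raw):
    """Split the comma-delimited permissions string into clean glob patterns."""
    if not raw:
        return []
    # Drop empty entries so "a,,b" or a trailing comma never yields an empty pattern.
    return [p.strip() for p in raw.split(',') if p.strip()]


def granting_patterns(raw, course_id):
    """Return the patterns that match course_id (useful for audit logging)."""
    if not course_id:
        return []
    # fnmatchcase is always case-sensitive; fnmatch.fnmatch case-folds on Windows.
    return [p for p in parse_patterns(raw) if fnmatch.fnmatchcase(course_id, p)]


def course_allowed(raw, course_id):
    """Fail closed: no patterns, or no match, means no access."""
    return bool(granting_patterns(raw, course_id))


if __name__ == '__main__':
    # Constructed sample values, not taken from the gist.
    claim = 'edX/DemoX/*, MITx/6.002x/2014_T1'
    for cid in ('edX/DemoX/Demo_Course', 'MITx/6.002x/2014_T1', 'edXtra/Intro/2014'):
        print(cid, course_allowed(claim, cid), granting_patterns(claim, cid))
    # '*' also matches '/', so a glob without a separator spans look-alike prefixes.
    print(course_allowed('edX*', 'edXtra/Intro/2014'))
```

Because `*` matches any characters including `/`, a pattern such as `edX*` also grants `edXtra/...`; ending the fixed part on a separator (`edX/*`) keeps the grant inside one organization.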