How do I enforce domain integrity in a Django app transparently?
Here's the situation. I've got an app with multiple users and each user has a group/company they belong to. There is a `company` field on all models, meaning there's a corresponding `company_id` column in every table in the DB. I want to transparently enforce that, when a user tries to access any object, they are always restricted to objects within their "domain," e.g. their group/company. I could go through every query and add a filter that says `.filter(company=user.company)`, but I'm hoping there's a better way to do it at a lower level so it's transparent to whoever is coding the higher level logic.
Does anyone have experience with this and/or can point me to a good resource on how to approach this? I'm assuming this is a fairly common requirement.
You could do something like this:
```python
from django.db import models
from django.db.models.query import QuerySet


class DomainQuerySet(QuerySet):
    def applicable(self, user=None):
        # Without a user the queryset is returned unfiltered.
        if user is None:
            return self
        else:
            return self.filter(company=user.company)


class DomainManager(models.Manager):
    # Django 1.6 renamed this hook to get_queryset().
    def get_query_set(self):
        return DomainQuerySet(self.model)

    def __getattr__(self, name):
        # Forward unknown attributes (such as applicable) to the queryset.
        return getattr(self.get_query_set(), name)


class MyUser(models.Model):
    company = models.ForeignKey('Company')
    objects = DomainManager()


MyUser.objects.applicable(user)
```
Since we are using querysets, the query is chainable so you could also do:
```python
MyUser.objects.applicable().filter(**kwargs)
```