A couple years ago, a branch in Django's repository was created to explore implementing finer-grained permissions (at the level of individual objects, rather than at the level of model classes). That branch is long since dead; it has not seen a commit in over two years, and likely will never be updated or integrated into Django in any meaningful way.

If you need finer-grained permissions in your own applications, it should be noted that Django's administrative application supports this, via the following methods which can be overridden on subclasses of ModelAdmin . Note that all of these methods receive the current HttpRequest object as an argument, allowing for customization based on the specific authenticated user:

queryset(self, request) : Should return a QuerySet for use in the admin's list of objects for a model. Objects not present in this QuerySet will not be shown.

: Should return a for use in the admin's list of objects for a model. Objects not present in this will not be shown. has_add_permission(self, request) : Should return True if adding an object is permitted, False otherwise.

: Should return if adding an object is permitted, otherwise. has_change_permission(self, request, obj=None ): Should return True if editing obj is permitted, False otherwise. If obj is None , should return True or False to indicate whether editing of objects of this type is permitted in general (e.g., if False will be interpreted as meaning that the current user is not permitted to edit any object of this type).

): Should return if editing is permitted, otherwise. If is , should return or to indicate whether editing of objects of this type is permitted in general (e.g., if will be interpreted as meaning that the current user is not permitted to edit any object of this type). has_delete_permission(self, request, obj=None ): Should return True if deleting obj is permitted, False otherwise. If obj is None , should return True or False to indicate whether deleting objects of this type is permitted in general (e.g., if False will be interpreted as meaning that the current user is not permitted to delete any object of this type).

For public-facing (i.e., non-admin) views, you are of course free to implement whatever form of permission-checking logic your application requires.