feat: support multiple user groups for anonymized data access

Author: CuriousLearner

README.md

@@ -71,7 +71,7 @@ class ReportView(AnonymizedDataMixin, ListView):
 
 # Automatic Group-Based (Middleware)
 # Users in 'analysts' group see anonymized data everywhere
-POSTGRES_ANON = {'MASKED_GROUP': 'analysts'}
+POSTGRES_ANON = {'MASKED_GROUPS': ['analysts', 'qa_team']}
 ```
 
 **Installation**: `pip install django-postgres-anonymizer` → Add to `INSTALLED_APPS` → `python manage.py migrate`
@@ -351,7 +351,7 @@ MIDDLEWARE = [
 
 POSTGRES_ANON = {
     'ENABLED': True,
-    'MASKED_GROUP': 'analysts',  # Users in this group see anonymized data
+    'MASKED_GROUPS': ['analysts', 'qa_team'],  # Users in these groups see anonymized data
     'DEFAULT_MASKED_ROLE': 'masked_reader',
 }
 ```
@@ -781,7 +781,7 @@ Configuration follows [12-factor app principles](https://12factor.net/config). S
    ```bash
    export POSTGRES_ANON_ENABLED=true
    export POSTGRES_ANON_DEFAULT_MASKED_ROLE=masked_reader
-   export POSTGRES_ANON_MASKED_GROUP=view_masked_data
+   export POSTGRES_ANON_MASKED_GROUPS=analysts,data_scientists,external_auditors
    export POSTGRES_ANON_AUTO_APPLY_RULES=false
    export POSTGRES_ANON_VALIDATE_FUNCTIONS=true
    export POSTGRES_ANON_ALLOW_CUSTOM_FUNCTIONS=false
@@ -795,7 +795,7 @@ Configuration follows [12-factor app principles](https://12factor.net/config). S
        # Core settings
        'DEFAULT_MASKED_ROLE': 'masked_reader',     # Default role for anonymization
        'ANONYMIZED_DATA_ROLE': 'masked_reader',    # Role for anonymized_data()
-       'MASKED_GROUP': 'masked_users',             # Django group for middleware
+       'MASKED_GROUPS': ['analysts', 'data_scientists', 'external_auditors'],  # Django groups for middleware
 
        # Behavior settings
        'ENABLED': True,                            # Enable anonymization features

django_postgres_anon/config.py

@@ -13,7 +13,7 @@ def get_setting(key: str, default=None):
 # Default values (moved from constants.py to keep config self-contained)
 DEFAULTS = {
     "DEFAULT_MASKED_ROLE": "masked_reader",
-    "MASKED_GROUP": "view_masked_data",
+    "MASKED_GROUPS": ["view_masked_data"],
     "ANONYMIZED_DATA_ROLE": "masked_reader",
     "ENABLED": False,
     "AUTO_APPLY_RULES": False,
@@ -25,7 +25,7 @@ def get_setting(key: str, default=None):
 # Environment variable mappings (12-factor compliant)
 ENV_VAR_MAPPING = {
     "DEFAULT_MASKED_ROLE": "POSTGRES_ANON_DEFAULT_MASKED_ROLE",
-    "MASKED_GROUP": "POSTGRES_ANON_MASKED_GROUP",
+    "MASKED_GROUPS": "POSTGRES_ANON_MASKED_GROUPS",
     "ANONYMIZED_DATA_ROLE": "POSTGRES_ANON_ANONYMIZED_DATA_ROLE",
     "ENABLED": "POSTGRES_ANON_ENABLED",
     "AUTO_APPLY_RULES": "POSTGRES_ANON_AUTO_APPLY_RULES",
@@ -49,6 +49,9 @@ def get_anon_setting(key: str):
         # Handle boolean conversion for known boolean settings
         if key in ["ENABLED", "AUTO_APPLY_RULES", "VALIDATE_FUNCTIONS", "ALLOW_CUSTOM_FUNCTIONS", "ENABLE_LOGGING"]:
             return _parse_env_bool(env_value)
+        # Handle comma-separated groups
+        if key == "MASKED_GROUPS":
+            return [group.strip() for group in env_value.split(",") if group.strip()]
         return env_value
 
     # Fall back to Django settings

django_postgres_anon/middleware.py

@@ -14,7 +14,7 @@ class AnonRoleMiddleware:
     """
     Middleware for dynamic role switching based on user permissions.
 
-    Users in the ANON_MASKED_GROUP will see anonymized data automatically.
+    Users in any of the ANON_MASKED_GROUPS will see anonymized data automatically.
     """
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]) -> None:
@@ -26,10 +26,11 @@ def __call__(self, request: HttpRequest) -> HttpResponse:
         try:
             # Check if user should have data masked - defensive against user access issues
             try:
+                masked_groups = get_anon_setting("MASKED_GROUPS")
                 should_mask = (
                     get_anon_setting("ENABLED")
                     and request.user.is_authenticated
-                    and request.user.groups.filter(name=get_anon_setting("MASKED_GROUP")).exists()
+                    and request.user.groups.filter(name__in=masked_groups).exists()
                 )
             except Exception:
                 # If there's any issue with user/group access, default to no masking

example_project/.env.example

@@ -28,7 +28,7 @@ ANON_ENABLE_LOGGING=true
 ANON_BATCH_SIZE=1000
 ANON_USE_TRANSACTIONS=true
 ANON_DEFAULT_MASKED_ROLE=masked_reader
-ANON_MASKED_GROUP=view_masked_data
+ANON_MASKED_GROUPS=view_masked_data,analysts,qa_team
 ANONYMIZED_DATA_ROLE=masked_reader
 
 # Logging

example_project/README.md

@@ -239,10 +239,11 @@ Use different settings for development, staging, and production:
 
 ```python
 # settings_production.py
-DJANGO_POSTGRES_ANON = {
+POSTGRES_ANON = {
     'AUTO_APPLY_RULES': False,  # Never auto-apply in production
     'VALIDATE_FUNCTIONS': True,  # Always validate
     'ALLOW_CUSTOM_FUNCTIONS': False,  # Restrict to built-in functions
+    'MASKED_GROUPS': ['qa_team', 'external_auditors'],  # Multiple groups for production
 }
 ```
 

example_project/example_project/settings.py

@@ -145,7 +145,7 @@
     "ALLOW_CUSTOM_FUNCTIONS": os.getenv("ANON_ALLOW_CUSTOM_FUNCTIONS", "False").lower() in ("true", "1", "yes"),
     "ENABLE_LOGGING": os.getenv("ANON_ENABLE_LOGGING", "True").lower() in ("true", "1", "yes"),
     "DEFAULT_MASKED_ROLE": os.getenv("ANON_DEFAULT_MASKED_ROLE", "masked_reader"),
-    "MASKED_GROUP": os.getenv("ANON_MASKED_GROUP", "view_masked_data"),
+    "MASKED_GROUPS": os.getenv("ANON_MASKED_GROUPS", "view_masked_data,analysts,qa_team").split(","),
     "ANONYMIZED_DATA_ROLE": os.getenv("ANONYMIZED_DATA_ROLE", "masked_reader"),
 }
 

tests/settings.py

@@ -103,15 +103,15 @@
 
 
 # Django PostgreSQL Anonymizer Settings
-DJANGO_POSTGRES_ANON = {
+POSTGRES_ANON = {
     "DEFAULT_MASKED_ROLE": "test_masked_reader",
+    "MASKED_GROUPS": ["view_masked_data"],
+    "ANONYMIZED_DATA_ROLE": "test_masked_reader",
+    "ENABLED": True,
     "AUTO_APPLY_RULES": False,
-    "DEFAULT_PRESET": None,
-    "ENABLE_LOGGING": True,
     "VALIDATE_FUNCTIONS": True,
     "ALLOW_CUSTOM_FUNCTIONS": False,
-    "BATCH_SIZE": 100,
-    "USE_TRANSACTIONS": True,
+    "ENABLE_LOGGING": True,
 }
 
 # Logging configuration for testing

tests/test_core.py

@@ -275,7 +275,7 @@ class TestAnonConfiguration:
         "prop",
         [
             "default_masked_role",
-            "masked_group",
+            "masked_groups",
             "anonymized_data_role",
             "enabled",
             "auto_apply_rules",
@@ -294,7 +294,7 @@ def test_config_has_essential_properties(self, prop):
         "prop",
         [
             "default_masked_role",
-            "masked_group",
+            "masked_groups",
             "anonymized_data_role",
             "enabled",
             "auto_apply_rules",

tests/test_edge_cases.py

@@ -332,7 +332,7 @@ def test_configuration_system_provides_reasonable_defaults():
     # Test: Access all configuration properties
     essential_properties = [
         "default_masked_role",
-        "masked_group",
+        "masked_groups",
         "anonymized_data_role",
         "enabled",
         "auto_apply_rules",

tests/test_middleware_database.py

@@ -61,7 +61,7 @@ def test_middleware_switches_to_masked_role_successfully(
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": True,
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "masked_reader",
                         }
                         return settings_map.get(key)
@@ -90,7 +90,7 @@ def test_middleware_handles_role_switch_failure(self, request_factory, mock_get_
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": True,
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "masked_reader",
                         }
                         return settings_map.get(key)
@@ -123,7 +123,7 @@ def test_middleware_sets_search_path_after_role_switch(
                         def mock_setting(key):
                             settings_map = {
                                 "ENABLED": True,
-                                "MASKED_GROUP": "view_masked_data",
+                                "MASKED_GROUPS": ["view_masked_data"],
                                 "DEFAULT_MASKED_ROLE": "masked_reader",
                             }
                             return settings_map.get(key)
@@ -155,7 +155,7 @@ def test_middleware_handles_search_path_error(self, request_factory, mock_get_re
                         def mock_setting(key):
                             settings_map = {
                                 "ENABLED": True,
-                                "MASKED_GROUP": "view_masked_data",
+                                "MASKED_GROUPS": ["view_masked_data"],
                                 "DEFAULT_MASKED_ROLE": "masked_reader",
                             }
                             return settings_map.get(key)
@@ -186,7 +186,7 @@ def test_middleware_resets_role_in_finally_block(self, request_factory, mock_get
                         def mock_setting(key):
                             settings_map = {
                                 "ENABLED": True,
-                                "MASKED_GROUP": "view_masked_data",
+                                "MASKED_GROUPS": ["view_masked_data"],
                                 "DEFAULT_MASKED_ROLE": "masked_reader",
                             }
                             return settings_map.get(key)
@@ -215,7 +215,7 @@ def test_middleware_handles_role_reset_failure(self, request_factory, mock_get_r
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": True,
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "masked_reader",
                         }
                         return settings_map.get(key)
@@ -250,7 +250,7 @@ def test_middleware_handles_search_path_reset_error(
                         def mock_setting(key):
                             settings_map = {
                                 "ENABLED": True,
-                                "MASKED_GROUP": "view_masked_data",
+                                "MASKED_GROUPS": ["view_masked_data"],
                                 "DEFAULT_MASKED_ROLE": "masked_reader",
                             }
                             return settings_map.get(key)
@@ -279,7 +279,7 @@ def test_middleware_doesnt_switch_for_user_without_group(
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": True,
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "masked_reader",
                         }
                         return settings_map.get(key)
@@ -306,7 +306,7 @@ def test_middleware_bypasses_when_disabled(self, request_factory, mock_get_respo
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": False,  # Disabled
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "masked_reader",
                         }
                         return settings_map.get(key)
@@ -337,7 +337,7 @@ def failing_get_response(_request):
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": True,
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "masked_reader",
                         }
                         return settings_map.get(key)
@@ -367,7 +367,7 @@ def test_middleware_with_custom_masked_role(self, request_factory, mock_get_resp
                     def mock_setting(key):
                         settings_map = {
                             "ENABLED": True,
-                            "MASKED_GROUP": "view_masked_data",
+                            "MASKED_GROUPS": ["view_masked_data"],
                             "DEFAULT_MASKED_ROLE": "custom_masked_role",
                         }
                         return settings_map.get(key)
@@ -401,7 +401,7 @@ def test_middleware_handles_database_connection_error(
                 def mock_setting(key):
                     settings_map = {
                         "ENABLED": True,
-                        "MASKED_GROUP": "view_masked_data",
+                        "MASKED_GROUPS": ["view_masked_data"],
                         "DEFAULT_MASKED_ROLE": "masked_reader",
                     }
                     return settings_map.get(key)
@@ -432,7 +432,7 @@ def test_middleware_handles_user_group_access_error(self, request_factory, mock_
             def mock_setting(key):
                 settings_map = {
                     "ENABLED": True,
-                    "MASKED_GROUP": "view_masked_data",
+                    "MASKED_GROUPS": ["view_masked_data"],
                     "DEFAULT_MASKED_ROLE": "masked_reader",
                 }
                 return settings_map.get(key)