Management of user and relationship of users with different components

I've been working on some issues and postponing part of the access management because we don't have the User role yet.

There are a few references to users in different issues:

• #66 (closed): "owned by the user who submitted the work request"
• #65 (closed): "Permission denied if the user is not allowed to view the artifact"
• #62 (closed): "user authenticated with a cookie"

The only description regarding users that I can find is in https://freexian-team.pages.debian.net/debusine/design/concepts.html#workspaces

Would something like this work for you or did you think of something different?:

• Use Django user's. Add a debusine-admin command to create and disable users now (later can be done via Web if need to be).
• Add four Many-to-Many from Workspace model to User: read_only_users, upload_only_users, read_write_users, admin_users
• Add a debusine-admin command to add users into Workspaces (with the correct group)
• Not use Django's Permissions framework and implement the checks in the views (fail early and give good error messages)
• Add a ForeignKey from Token model to User (Token.user), and a ForeignKey from Artifact to User (Artifact.owner): when debusine-client create an artifact we can check the permission of this user in the relevant Workspace. Also, the Artifact.owner can be set
• Should we record the WorkRequest ID in the Artifact.data field? Or add an Artifact.work_request Foreign Key?

It should not take too long to implement but I prefer to double-check the approach beforehand.

This will unlock the browsing of artifacts for a user using the Django's session as mentioned in #62 (closed), also the "return 403 if user cannot see the artifact" mentioned in #65 (closed) and #66 (closed) which states "All those artifacts should be owned by the user who submitted the work request."

If I've missed an issue (or documentation) with this let me know, please.