Introduction

django_roles_access is a Django app for securing access to views. It’s built on top of django.contrib.auth.models.Group interpreted as role.

The objective of the app is to provide secure access to views without requiring new code. Security can be managed at runtime. The app also provides a security report by registering checkviewaccess action.

Main features

  • Once configured, all administration for secure access is done from admin site at runtime.

  • Not extra code required:

    • When using django_roles_access middleware no more code is required.
    • In case of using decorator or mixin of django_roles_access all that is needed is to decorate the view function or to prepend the mixin in class based view definition.

  • Access to views can be controlled with two elements:

    1. View access object: An object created and configured in admin site.
    2. Application classifications in project settings file.

  • If django_roles_access is installed but nothing else is done (only add django_roles_access to settings.INSTALLED_APPS) there will be no change in the behavior of the views.

  • django_roles_access register an action called checkviewaccess that will report Django sites views access security when using django_roles_access tools. To use it just:

    django_roles_access registers an action called checkviewaccess that will report the security to access the views that uses the tools provided by django_roles_access

python manage.py checkviewaccess

Requirements

django_roles_access uses django.contrib.auth.models.Group, django.contrib.auth.models.User. Also Django admin interface is necessary to create and administrate views access (django_roles_access.models.ViewAccess). So Django roles access is dependent of Django admin site and because of this it have the same requirements than it. This can be checked in the official documentation: Django admin site.

Last requirement is to give names to views and applications. Read more about this in Required views and app name.

Quick start

Installation and configuration

  1. Install django_roles_access from pypi:
pip install django-roles-access
  1. Add ‘django_roles_access’ to your INSTALLED_APPS setting:
INSTALLED_APPS = [
    ...
    'django_roles_access',
]

3. Run migrations to create the django_roles_access models:

python manage.py migrate

Note

If nothing else is done, then Django site security keeps without modification.

Access configuration

Configuration in two steps.

Step 1

In Django admin interface create a django_roles_access.models.ViewAccess object and configure it:

  1. view attribute: Name of the view you want to secure. More about this in Namespaces and View Name.
  2. type attribute: select the access type for the view:
  3. roles attribute: When By roles is selected as access type, this attribute hold any django.contrib.auth.models.Group whose members will access the view.

Step 2

Use django_roles_access.decorators.access_by_role() decorator or django_roles_access.mixin.RolesMixin mixin in the view to be secured.

For example:

In case the view is a function:

from django_roles_access.decorators import access_by_role

@access_by_role()
def myview(request):
    ...

In case of classes based views use mixin:

from django_roles_access.mixin import RolesMixin

class MyView(RolesMixin, View):

    ...

Note

When user has no access to a view, by default django_roles_access will response with django.http.HttpResponseForbidden.

Note

Pre existent security behavior will be modified if a django_role_access configuration for the same view results in a more restrictive access; for example forbidden access.

« previous | up | next »