
I'm building a Django web application in which I have two roles, e.g. a sys_user and an exhibitor. When a sys_user logs in, he has access to all the URLs and app modules, but an exhibitor will have limited access, i.e. he will have access to specific URLs and app modules. Consider the following:

When a sys_user logs in he should see (the following sidebar) and have access to all the modules like:

--- Module1
--- Module2
--- Module3
--- Module4

When an exhibitor logs in he should see (the following sidebar) and have access to only the following modules like:

--- Module1
--- Module2

Now I know that Django provides its own permissions but I don't really know how they fit into my situation or is there any other alternative approach for this. Please point me in the right direction. Thanks

Sibtain

1 Answer


If you want to do this at the template level, permissions are stored in the {{ perms }} variable.

From Django docs:

{% if perms.foo %}
    <p>You have permission to do something in the foo app.</p>
    {% if perms.foo.can_vote %}
        <p>You can vote!</p>
    {% endif %}
    {% if perms.foo.can_drive %}
        <p>You can drive!</p>
    {% endif %}
{% else %}
    <p>You don't have permission to do anything in the foo app.</p>
{% endif %}

More information could be found here.

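It is also possible to do this at the URL level:

from django.conf.urls import patterns
from django.contrib.auth.decorators import login_required
from django.views.generic.simple import direct_to_template

# patterns() and direct_to_template are the older Django API this answer uses.
# Wrapping the view in login_required redirects anonymous users to the login page.
urlpatterns = patterns('',
    (r'^foo/$', login_required(direct_to_template), {'template': 'foo_index.html'}),
)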

In this example the login_required decorator is used. But you can create your own decorator, where you check the user in the request object and, based on it, decide what to do (redirect, forbidden page, etc.).

Here is a comprehensive example of decorator usage in Django.

Simple example of custom decorator:

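from django.contrib.auth.decorators import login_required, user_passes_test
from django.http import HttpResponse

# The test must return True for the user who is allowed in, so it compares with ==
# (the default User model field is `username`). Everyone else is sent to login_url.
@login_required
@user_passes_test(lambda u: u.username == 'sys_user', login_url='/myapp/denied/')
def some_view(request):
    return HttpResponse('Visible to sys_user only')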
wolendranh
  • What permissions should I add and where (in views.py) for my specific case? – Sibtain Oct 27 '15 at 15:24
  • @Sibtain You can grant sys_user with admin rights and check in view if request.user.is_superuser and do some stuff specific for admin user. – wolendranh Oct 27 '15 at 15:28
  • Ok. If I use the template level approach does it also avoid the direct url navigation to restricted urls? – Sibtain Oct 27 '15 at 15:32
  • @Sibtain - like URLs to --- Module1, for example? I think for direct URLs you will also need to add a decorator on the URLs. – wolendranh Oct 27 '15 at 15:35
  • the login_required decorator or a custom decorator? – Sibtain Oct 27 '15 at 15:37
  • @Sibtain - added custom decorator example for you in my answer. You can use smth like that to protect some URLs and make them accessible only for sys_user, for example. – wolendranh Oct 27 '15 at 15:42
  • I eventually used a combination of both template level access and user_passes_test decorator. Thanks – Sibtain Oct 28 '15 at 08:04