Django Roles Access
Application for securing access to views with roles (Django contrib Groups).
django_roles_access is a Django app for securing access to views. It's built on top of Django contrib Groups interpreted as role. The objective of the app are:
Provide secure access to views.
Be able to administrate access to views without the need to restart the server (at run time).
Minimize the need of new code, or eliminate it at all (when using django_roles_access middleware). Also free developers from the task of coding any view access.
django_roles_access also provides a security report by registering checkviewaccess action.
Django 1.10+ (Python 2.7, Python 3.5+)
Django 2 (Python 3.5+)
Django roles access use Django contrib Groups, Django contrib User. Also Django admin interface is necessary to create and administrate views access (django_roles_access.models.ViewAccess). So Django roles access is dependent of Django admin site and because of this it has the same requirements than it. This can be checked in the official documentation:
Installation and configuration
Install django_roles_access from pypi:
pip install django-roles-access
Add 'django_roles_access' to your INSTALLED_APPS setting:
INSTALLED_APPS = [ ... 'django_roles_access', ]
Run migrations to create the django_roles_access models:
python manage.py migrate
If nothing else is done, then Django site security keeps without modification.
Quick view access configuration in two steps.
In Django admin interface create a django_roles_access.models.ViewAccess object and configure it:
view attribute: name of the view you to be secured. Format used:
<app_name:view_name>( Namespaces and View name).
type attribute: select the access type for the view:
Public: Any visitor can access the view.
Authorized: Only authorized (logged) Django contrib User can access the view.
By roles: Only Django contrib User belonging to any added Django contrib user will access the view.
roles attribute: When By roles is selected as access type, this attribute hold any Django contrib Group whose members will access the view.
In the view to be secured use:
access_by_roles decorator in case of view function (django_roles_access.decorators.access_by_roles)
RolesMixin mixin in case of classes based views (django_roles_access.mixin.RolesMixin)
In case of view is a function:
from django_roles_access.decorators import access_by_role @access_by_role() myview(request): ...
In case of classes based views use mixin:
from django_roles_access.mixin import RolesMixin class MyView(RolesMixin, View): ...
When user has no access to a view, by default django_roles_access response with django.http.HttpResponseForbidden.
Pre existent security behavior can be modified if a django_roles_access configuration for the same view results in a more restricted view access.
Test Django roles access
You can check the django_roles_access test execution at Travis CI integration ()
You can also check dajngo_roles_access test coverage at Coverage ()
Create a virtual environment.
Get into and activate virtual environment.
pip install tox
Run the tests: