Django Roles Access

Application for securing access to views with roles (Django contrib Groups).

django_roles_access is a Django app for securing access to views. It is built on top of Django contrib Groups, interpreted as roles. The objectives of the app are:

  • Provide secure access to views.

  • Be able to administrate access to views without the need to restart the server (at run time).

  • Minimize the need for new code, or eliminate it entirely (when using the django_roles_access middleware). This also frees developers from the task of coding any view access.

  • django_roles_access also provides a security report by registering the checkviewaccess action.

Works with:

  • Django 1.10+ (Python 2.7, Python 3.5+)

  • Django 2 (Python 3.5+)

  • Documentation

Requirements

Django roles access uses Django contrib Groups and Django contrib User. The Django admin interface is also necessary to create and administer view access (django_roles_access.models.ViewAccess). Django roles access therefore depends on the Django admin site and has the same requirements as it does. These can be checked in the official documentation.

Quick start

Installation and configuration

  1. Install django_roles_access from pypi:

    pip install django-roles-access

  2. Add 'django_roles_access' to your INSTALLED_APPS setting:

    INSTALLED_APPS = [
        ...
        'django_roles_access',
    ]

  3. Run migrations to create the django_roles_access models:

    python manage.py migrate

Note:

If nothing else is done, the Django site's security remains unchanged.

Access configuration

Quick view access configuration in two steps.

Step 1

In Django admin interface create a django_roles_access.models.ViewAccess object and configure it:

  1. view attribute: name of the view to be secured. Format used: <app_name:view_name> (namespaces and view name).

  2. type attribute: select the access type for the view:

    • Public: Any visitor can access the view.

    • Authorized: Only authorized (logged-in) Django contrib Users can access the view.

    • By roles: Only Django contrib Users belonging to any of the added Django contrib Groups can access the view.

  3. roles attribute: When By roles is selected as the access type, this attribute holds the Django contrib Groups whose members can access the view.

Step 2

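In the view to be secured, use the access_by_role decorator or the RolesMixin mixin.

For example:

If the view is a function:

    from django_roles_access.decorators import access_by_role

    # Access is decided by the ViewAccess object configured for this view.
    @access_by_role()
    def myview(request):
        ...

For class-based views, use the mixin:

    from django.views.generic import View
    from django_roles_access.mixin import RolesMixin

    class MyView(RolesMixin, View):
        ...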

Note:

When a user has no access to a view, django_roles_access responds with django.http.HttpResponseForbidden by default.

Warning:

Pre-existing security behavior can change if a django_roles_access configuration for the same view results in more restricted access to that view.
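The three access types from Step 1, modelled in plain Python so a configuration can be reviewed per kind of visitor. This is an added example, not django_roles_access code: Visitor, AccessRule, is_allowed, reachable_by and the blog:* view names are hypothetical, and denying on an empty roles set or an unknown type is an assumption of the model.

```python
from dataclasses import dataclass

PUBLIC, AUTHORIZED, BY_ROLES = "Public", "Authorized", "By roles"

@dataclass(frozen=True)
class Visitor:
    """Hypothetical stand-in for a Django contrib User."""
    authenticated: bool = False
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class AccessRule:
    """Hypothetical stand-in for one ViewAccess object."""
    view: str                       # "<app_name:view_name>"
    type: str                       # one of the three access types
    roles: frozenset = frozenset()  # Group names, used only for "By roles"

def is_allowed(rule, visitor):
    """Decide access the way the three access types are described."""
    if rule.type == PUBLIC:
        return True
    if rule.type == AUTHORIZED:
        return visitor.authenticated
    if rule.type == BY_ROLES:
        # Must be logged in AND share at least one group with the rule.
        # A rule with no roles therefore admits nobody (model assumption).
        return visitor.authenticated and bool(rule.roles & visitor.groups)
    return False                    # unknown type: fail closed (assumption)

def reachable_by(rules, visitor):
    """Review helper: sorted names of the views this visitor can reach."""
    return sorted(r.view for r in rules if is_allowed(r, visitor))

# Constructed sample configuration and visitors (not from the project).
RULES = [
    AccessRule("blog:index", PUBLIC),
    AccessRule("blog:drafts", AUTHORIZED),
    AccessRule("blog:publish", BY_ROLES, frozenset({"editors"})),
    AccessRule("blog:purge", BY_ROLES),           # no roles added yet
]
ANONYMOUS = Visitor()
READER = Visitor(authenticated=True)
EDITOR = Visitor(authenticated=True, groups=frozenset({"editors"}))

if __name__ == "__main__":
    for name, who in [("anonymous", ANONYMOUS), ("reader", READER), ("editor", EDITOR)]:
        print(f"{name:9} -> {reachable_by(RULES, who)}")
```

Reading the anonymous row first shows exactly which views were marked Public, which is the row to confirm before a configuration goes live.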

Test Django roles access

You can check the django_roles_access test execution at the Travis CI integration (Build Status).

You can also check django_roles_access test coverage at Coverage (codecov).

Or:

  1. Create a virtual environment.

  2. Enter and activate the virtual environment.

  3. Clone django_roles_access:

    git clone https://github.com/django-roles-access/master.git

  4. Install tox:

    pip install tox

  5. Run the tests:

    tox

Related sites