[Django] #36084: Add a `role_required` decorator to Django's authentication system for role-based access control.


Django

Jan 11, 2025, 5:21:14 AM
to django-...@googlegroups.com
#36084: Add a `role_required` decorator to Django's authentication system for role-
based access control.
-------------------------------------+-------------------------------------
Reporter: H_coder | Type: New feature
Status: new | Component: contrib.auth
Version: 5.1 | Severity: Normal
Keywords: auth, decorator, feature | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
== ''role_required'' decorator:

Currently, Django provides decorators like **@login_required** and
**@permission_required** to restrict view access. However, there is no
built-in support for role-based access control, which is a common
requirement for many applications.

This ticket proposes adding a new `role_required` decorator that allows
developers to restrict access to views based on user roles. The decorator
will:
- Check if the user has one or more specified roles.
- Support both "any role" (`test_all=False`) and "all roles"
(`test_all=True`) modes.
- Redirect unauthorized users to the login page or a custom URL.

This feature will make it easier for developers to implement role-based
access control without writing custom decorators.

== Example Use Case
A marketplace application might have roles like `is_seller`, `is_buyer`,
and `is_admin`. The `role_required` decorator can be used to restrict
access to specific views:

{{{
from django.contrib.auth.decorators import role_required

@role_required(['is_seller'])
def seller_dashboard(request):
    # Only users with the 'is_seller' role can access this view.
    pass

@role_required(['is_admin', 'is_moderator'], test_all=True)
def admin_dashboard(request):
    # Only users with both 'is_admin' and 'is_moderator' roles can access
    # this view.
    pass
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36084>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 11, 2025, 9:29:39 AM
to django-...@googlegroups.com
#36084: Add a `role_required` decorator to Django's authentication system for role-
based access control.
-------------------------------------+-------------------------------------
Reporter: H_coder | Owner: (none)
Type: New feature | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Normal | Resolution: wontfix
Keywords: auth, decorator, feature | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: H_coder (removed)
* cc: Mariusz Felisiak (added)
* resolution: => wontfix
* status: new => closed

Comment:

Thanks for this ticket, however, the current thread is to keep Django a
core framework, not providing every utility which might be useful. You can
handle "roles" as permissions assigned to users. As far as I'm aware there
is no need for a separate mechanism.

If you don't agree, please first start a discussion on the
DevelopersMailingList, where you'll reach a wider audience and see what
others think, and
[https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-features/#requesting-features
follow the guidelines with regards to requesting features].
--
Ticket URL: <https://code.djangoproject.com/ticket/36084#comment:1>
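
Roles handled as permissions, as the closing comment suggests, with the any/all modes from the proposal: an added example, not the ticket's patch and not Django's code. It relies only on the `is_authenticated` and `has_perm()` interface of Django's user objects; `perms_required`, `Forbidden`, the stub classes and the `shop.*` permission names are hypothetical, and the stubs are constructed stand-ins so the block runs without Django.

```python
from functools import wraps

class Forbidden(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""

def perms_required(perms, test_all=False, login_url="/accounts/login/"):
    """Gate a view on permission names; any one suffices unless test_all."""
    perms = tuple(perms)
    if not perms:
        # all(()) is True: an empty list with test_all=True would admit everyone.
        raise ValueError("perms_required needs at least one permission")
    check = all if test_all else any

    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            user = request.user
            if not user.is_authenticated:
                return ("redirect", login_url)  # anonymous: go and log in
            if not check(user.has_perm(p) for p in perms):
                raise Forbidden(request.path)   # logged in, but lacks the role
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

class StubUser:
    """Constructed test double exposing the two attributes the check uses."""
    def __init__(self, perms=(), is_authenticated=True):
        self._perms, self.is_authenticated = frozenset(perms), is_authenticated

    def has_perm(self, perm):
        return perm in self._perms

class StubRequest:
    """Constructed test double for the request object."""
    def __init__(self, user, path="/dashboard/"):
        self.user, self.path = user, path

@perms_required(["shop.sell_items"])            # hypothetical permission names
def seller_dashboard(request):
    return "seller ok"

@perms_required(["shop.administer", "shop.moderate"], test_all=True)
def admin_dashboard(request):
    return "admin ok"
```

In a Django project the built-in `permission_required` already covers the all-of case when given a list of permissions, and `user_passes_test` covers the any-of case.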