One last requirement is to give names in urls.py files to views and applications.
This is an implicit requirement if is expected to use all django_roles
characteristics. This is necessary because the value used by
django_roles
to identify the views to be protected is it’s name. Equally is
necessary to name the app with app_name
. Examples of this can be found in
Django project tutorial at Namespacing URL names.
As with Django this requirement could be optional; but if it is planned to
create django_roles.models.ViewAccess
object for a view, will be
necessary to have a way to name the view so the object can be associated with
it.
In the same way, if it is planned to classify applications in different types as is explained in Applications type it will be necessary to name the application in urls.py file.
Warning
django_roles
use views names to associate
django_roles.models.ViewAccess
objects to the named view. And
applications names to group all views belonging to that application so is
possible to configure a type for the application and give it’s views a
default security behavior.
When creating a roles.models.ViewAccess
object, the value of view
attribute can be:
As this are the only possible value for view attribute, a requirement of
django_roles
is to use view names and app_name in urls.py files.
Read more about Naming URL in official Django project documentation
Naming URL.
When a user try to access a view and result a forbidden action, is possible to setup different responses to user.
By default django_roles
response with
django.http.HttpResponseForbidden
when the user has no access to the
view. This behavior can be changed if add in settings files a new
attribute DJANGO_ROLES_REDIRECT with a value equal to True:
...
DJANGO_ROLES_REDIRECT = True
...
The answer given to a user without access is a
django.http.HttpResponseRedirect
to the address configured in
settings.LOGIN_URL.
When django_roles
answer with HttpResponseForbidden, the message used by
default is: <h1>403 Forbidden</h1>
; but this configuration can also be
changed if add in settings files a new attribute
DJANGO_ROLES_FORBIDDEN_MESSAGE with the wanted message to be returned
instead of default one.
Mar 15, 2019