A Django package for managing URL-based permissions through user groups with HTTP method support
Project description
Django URL Permissions
A Django package that provides a flexible and efficient way to manage URL-based permissions through Django's user groups. This package allows you to control access to specific URLs based on user group membership and HTTP methods.
Features
- 🔒 Control access to URLs based on user groups
- 🌐 Support for all HTTP methods (GET, POST, PUT, PATCH, DELETE, etc.)
- ⚡ Option to grant all-method access with a single permission
- 🔌 Easy integration through middleware
- ⚙️ Configurable exempt URLs
- 🐍 Support for Django 3.2+ and Python 3.7+
- 👨💼 Built-in admin interface integration
- 🚀 Efficient database querying with proper indexing
Installation
Install the package using pip:
pip install django-url-group-permissions
Quick Start
- Add 'django_url_group_permissions' to your INSTALLED_APPS:
INSTALLED_APPS = [
...
'django_url_group_permissions',
]
- Add the middleware to your settings:
MIDDLEWARE = [
...
'django_url_group_permissions.middleware.UrlPermissionMiddleware',
]
- Configure optional settings:
# URLs that don't require permission checks
URL_PERMISSION_EXEMPT_URLS = [
'/admin/',
'/login/',
'/static/',
'/media/',
]
# Default behavior (if not set)
URL_PERMISSION_REQUIRED = True # All URLs require permissions
# To disable permission checking
URL_PERMISSION_REQUIRED = False # No URLs require permissions
# Default behavior (if not set)
URL_PERMISSION_CHECK_ALL_VIEWS = False # Only check views with @requires_url_permission decorator
# To check all views
URL_PERMISSION_CHECK_ALL_VIEWS = True # Check permissions for all views
- Run migrations:
python manage.py migrate
Usage
There are two ways to implement URL permissions in your project:
-
Global Permission Check (Recommended for new projects)
Set in your settings.py:
URL_PERMISSION_CHECK_ALL_VIEWS = True
This will enforce URL permissions on all views automatically (except exempt URLs).
-
Decorator Approach (For selective permission checking)
If
URL_PERMISSION_CHECK_ALL_VIEWS = False, you can use the decorator to specify which views require URL permissions:from django_url_group_permissions import url_permission_required from django.contrib.auth.decorators import login_required from django.shortcuts import render @url_permission_required @login_required def my_view(request): return render(request, 'my_template.html')
Note: The order of decorators matters. @url_permission_required should be placed before @login_required to ensure the user is authenticated before checking URL permissions.
In both cases, you'll need to configure the permissions for each group through the Django admin interface.
Managing URL Permissions
URL permissions are managed through the Django admin interface, similar to model permissions:
- Go to Django admin (
/admin/) - Navigate to "Groups"
- Create or edit a group
- In the group edit page, you'll find a "URL Permissions" section below the standard model permissions
- Use the interface to:
- View available URL permissions
- Add/remove URL permissions for different HTTP methods
- Filter URLs using the search box
- Choose multiple permissions at once
Users will only be able to access URLs that their groups have been granted permission to access.
Supported HTTP Methods
- GET
- POST
- PUT
- PATCH
- DELETE
- HEAD
- OPTIONS
- ALL (special permission that grants access to all methods)
Configuration Options
| Setting | Type | Default | Description |
|---|---|---|---|
| URL_PERMISSION_REQUIRED | bool | True | Global switch to enable/disable permission checks. When False, the middleware won't check any permissions, useful for development or troubleshooting. |
| URL_PERMISSION_EXEMPT_URLS | list | [] | List of URL prefixes that bypass permission checks. Example: ['/public/', '/api/docs/']. URLs starting with these prefixes will be accessible without checking permissions. |
| URL_PERMISSION_CHECK_ALL_VIEWS | bool | False | Controls permission checking strategy. When False (default), only views decorated with @url_permission_required need permissions. When True, all views require permissions unless explicitly exempted with @exempt_url_permission. |
Model Fields
| Field | Type | Description |
|---|---|---|
| group | ForeignKey | The Django group this permission applies to |
| url | CharField | The URL pattern this permission controls |
| http_method | CharField | The HTTP method or 'ALL' |
| is_active | BooleanField | Whether this permission is currently active |
| description | TextField | Optional description of the permission |
| created_at | DateTimeField | When the permission was created |
| updated_at | DateTimeField | When the permission was last updated |
Contributing
Contributions are welcome! Here's how you can help:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
If you encounter any problems or have questions, please:
- Check the GitHub Issues for existing problems or solutions
- Create a new issue if your problem is not yet reported
Changelog
1.0.1 (Initial Release)
- Basic URL permission functionality
- Group-based permission management
- HTTP method support
- Middleware implementation
- Admin interface integration
1.0.2 (2025-02-08)
- Added support multiple languages in URLs
Authors
- Josep Marxuach - Initial work - jmarxuach
Acknowledgments
- Thanks to the Django community for the amazing framework
- Inspired by the need for flexible URL-based permissions in Django applications
Settings
URL_PERMISSION_REQUIRED: Enable/disable URL permission checking globally (default: True)URL_PERMISSION_EXEMPT_URLS: List of URL prefixes to exclude from permission checking (default: [])URL_PERMISSION_CHECK_ALL_VIEWS: If True, all views require URL permissions unless exempt. If False, only views with @url_permission_required decorator are checked (default: False)
Example:
# settings.py
# Check permissions for all views
URL_PERMISSION_CHECK_ALL_VIEWS = True
# Exempt certain URLs from permission checking
URL_PERMISSION_EXEMPT_URLS = [
'/admin/',
'/login/',
'/public/',
]
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file django_url_group_permissions-1.0.2.tar.gz.
File metadata
- Download URL: django_url_group_permissions-1.0.2.tar.gz
- Upload date:
- Size: 14.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.9.21
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cdcb923907a8dc75aad7127af6f4366ffe00b4523c69c8846603089bcd466fc2
|
|
| MD5 |
522663376246c1cced6e041b03a6264d
|
|
| BLAKE2b-256 |
1159189fdb8e5095e4144f85e103cdf380624032f418b1b69146112a351608e6
|
File details
Details for the file django_url_group_permissions-1.0.2-py3-none-any.whl.
File metadata
- Download URL: django_url_group_permissions-1.0.2-py3-none-any.whl
- Upload date:
- Size: 17.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.9.21
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b24194114e8b5167f54ddb060b27c2a4e629bb357995298ae046eac26beeb72a
|
|
| MD5 |
f788d3acde1c71cee4d51ba5c63310aa
|
|
| BLAKE2b-256 |
5245d62f0da9d635da10d48c5feb11cd4135dc7731bd47c44dea0117f2c50abc
|
