Skip to main content

Library to help managing role based access controls for django apps

Project description

PyPI CI Codecov Documentation Supported Python versions License


Library to help manage role based access controls for django services.

  • See the Getting started guide to setup your development environment.

  • See the How To Guide to learn about the fundamentals of edx-rbac and how to implement RBAC in your Django service.


The code in this repository is licensed under the AGPL 3.0 unless otherwise noted.

Please see LICENSE.txt for details.

How To Contribute

Contributions are very welcome.

Please read How To Contribute for details.

PR description template should be automatically applied if you are sending PR from github interface; otherwise you can find it it at

Issue report template should be automatically applied if you are sending it from github UI as well; otherwise you can find it at

Reporting Security Issues

Please do not report security issues in public. Please email

Getting Help

Have a question about this repository, or about Open edX in general? Please refer to this list of resources if you need any assistance.

Change Log



  • Add support for Python 3.11 & 3.12


  • Switch from edx-sphinx-theme to sphinx-book-theme since the former is deprecated

  • Added support for Django 4.2


  • fix: utils.get_role_auth_claim_for_user() now preserves the order of (role, context) pairs as returned by the get_assignment() function.

[1.6.0] - 2022-01-19

  • Drop support for Django<3.2

  • Replacing ugettext with gettext to resolve RemovedInDjango40 error.

  • Added Django40 Support

[1.5.1] - 2021-11-01

  • Replacing ugettext_lazy with gettext_lazy to resolve RemovedInDjango40Warning.

[1.5.0] - 2021-07-07

  • Added support for django 3.0, 3.1, 3.2

[1.4.2] - 2021-03-22

  • Modifies create_role_auth_claim_for_user to return a list of unique (role:context) entries, so that the JWT does not become too large to fit in cookies/headers.

[1.4.1] - 2021-01-22

  • Add a UserRoleAssignment.applies_to_all field, because explicit is better than implicit. See the ADR at docs/decisions/0002-explicit-role-assignment-wildcard.rst.


  • Update PyPI token.

[1.3.3] - 2020-10-02

  • Removed python_2_unicode_compatible decorator.

[1.3.2] - 2020-07-28

  • PermissionRequiredForListingMixin.get_queryset() should allow falsey base_queryset properties, like an empty QuerySet object. Adds tests to verify that this is the case.

[1.3.1] - 2020-06-16

  • Update get_assignments() to guard against AnonymousUsers.

  • Update contexts_accessible_from_database() to use get_assignments() instead of building a “custom” QuerySet.

[1.3.0] - 2020-06-11

  • Adds a PermissionRequiredForListingMixin that can be used in DRF ModelViewSets and supports a list action. This should allow list actions to return all of the elements from a base_queryset that the requesting user has access to, either via their JWT or DB-assigned roles.

  • Adds/modifies utility functions that deal with permission-checking to support multiple roles and multiple contexts.

[1.2.1] - 2020-05-08

  • Exposes a new utils.feature_roles_from_jwt() function, which, given a decoded JWT, will provide a mapping of feature roles to contexts/identifiers.

  • Modifies utils.user_has_access_via_database() to check for multiple database role assignments for a given user and role name (i.e. uses a filter() instead of a get()).

[1.2.0] - 2020-04-30

  • Removed support for django 2.0 and 2.1

  • Added Support for Python 3.8

[1.1.3] - 2020-04-13

  • Added check for AnonymousUser in user_has_access_via_database to prevent 500 errors.

[1.1.2] - 2020-03-27

  • Added support for Django 2.0, 2.1, and 2.2.

[1.1.1] - 2020-03-02

  • Fix bug in implicit role check when the same role has multiple contexts available.

[1.1.0] - 2020-02-18

  • Update PermissionRequiredMixin to pass through an object to rule predicates, if self.get_permision_required exists and is callable

[1.0.5] - 2019-12-18

  • Updated requirements.

[1.0.4] - 2019-12-17

  • Updated utils for user with multiple contexts.

[1.0.3] - 2019-09-12

  • Use functools.wraps to prevent the decorator from swallowing the view name

[1.0.2] - 2019-07-12

  • store current request on thread local storage using crum.

[1.0.1] - 2019-05-27

  • edx-drf-extensions version upgrade.

[1.0.0] - 2019-05-20

  • Removed get_request_or_stub and get_decoded_jwt_from_request from

[0.2.1] - 2019-05-08

  • edx-drf-extensions version upgrade.

[0.2.0] - 2019-04-30

  • Check for JWT presence in implicit permission.

  • Refactor role retrieval to remove the dependency on django models for assigning roles.

[0.1.11] - 2019-04-08

  • Get JWT token from request.auth if it is not set on the cookie. This supports client credentials oauth2 flow.

[0.1.10] - 2019-04-01

  • Update context checks for implicit and explicit access for all resources access.

[0.1.9] - 2019-04-01

  • Adding support for checking context for implicit and explicit access.

[0.1.8] - 2019-03-22

  • Adding an additional argument for the permission_required decorator

[0.1.7] - 2019-03-20

  • Adding a mixin for authz permissions support.

[0.1.6] - 2019-03-19

  • Adding a decorator for authz permissions support.

[0.1.5] - 2019-03-18

  • Adding django admin support for models extending UserRoleAssignment.

[0.1.4] - 2019-03-07

  • Adding a number of utils for roles in JWTs and the database

[0.1.3] - 2019-03-07

  • Adding get_context to the UserRoleAssignment class.

[0.1.2] - 2019-03-06

  • Quality fixes

[0.1.1] - 2019-03-06

  • Bumping version so we get pip updated with new models we added

[0.1.0] - 2019-02-28


  • First release on PyPI.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

edx-rbac-1.9.0.tar.gz (48.1 kB view hashes)

Uploaded Source

Built Distribution

edx_rbac-1.9.0-py2.py3-none-any.whl (39.0 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page