Auth and permissions

Status: Placeholder — to be developed. Last reviewed:

Scope

Authentication and authorisation conventions: the custom email-based User model, the login flow, password reset, session vs token authentication (no token mechanism currently), permission decorators / mixins (LoginRequiredMixin, PermissionRequiredMixin, the custom practice-access mixin), where to declare per-view access (decorator vs mixin vs a check in dispatch()), and how the API endpoints in apps/websites/ authenticate (separately from the admin / user flow).

This complements multi-tenant-isolation.md — that file covers which rows a user can see; this file covers which views they can reach.

Sources to mine when writing this

  • apps/accounts/ — custom User, login views, permission mixins.
  • config/urls.py — login_required decorators and access patterns.
  • Existing views — enumerate the permission patterns in use, converge on one.
  • apps/websites/ — the API authentication story (likely a different mechanism).