Reputation: 420
I would like to know how to serve files only to staff users (that is, only when is_staff=True).
Upvotes: 1
Views: 1423
Reputation: 11683
If you mean dynamic content generated by Django, read on. Else, for static files, go with the HTTP server config solution described in the other answer.
You can set a fine-grained control at the view level using a decorator:

    from django.contrib.auth.decorators import user_passes_test

    @user_passes_test(lambda u: u.is_staff)
    def my_view(request):
        ...

More info at http://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.decorators.user_passes_test
If you want to make a generalised use of this you may do:

    staff_only = user_passes_test(lambda u: u.is_staff)

...and include this in your url configuration:

    from django.conf.urls import patterns, url

    urlpatterns = patterns('',
        url(r'^url1/$',
            staff_only(views.my_view1),
            name='myapp_myview1'),
        url(r'^url2/$',
            staff_only(views.my_view2),
            name='myapp_myview2'),
        # ...etc.
    )

Upvotes: 2
Reputation: 14568
If you are using Apache 2.2, then consider a location like this example:

    <Location /example/>
        AuthType Basic
        AuthName "example.com"
        AuthUserFile /dev/null
        AuthBasicAuthoritative Off
        Require valid-user
        SetEnv DJANGO_SETTINGS_MODULE mysite.settings
        PythonAuthenHandler django.contrib.auth.handlers.modpython
    </Location>

By default, the authentication handler will limit access to the /example/ location to users marked as staff members. You can use a set of PythonOption directives to modify this behavior:
DjangoRequireStaffStatus: If set to on only "staff" users (i.e. those with the is_staff flag set) will be allowed.
DjangoRequireSuperuserStatus: If set to on only superusers (i.e. those with the is_superuser flag set) will be allowed. Defaults to off.
DjangoPermissionName: The name of a permission to require for access. By default no specific permission will be required.
Upvotes: 7