I have two sites running off the same base code. Each site has different requirements for which functions different user types can see. For example, one site says anyone can view the News page, but on the other only logged-in users with a value in the user profile of 'Manager' can see the news.

So the first level of managing these permissions is easy: each site has a different set of templates, and in the menu template I show or don't show the menu item depending on the user profile. But how do I prevent a user just typing in the URL for the news page?

  • I can't remove news from the urls.py because I don't have a request value at the point
  • I could write a custom decorator for the view that accesses a model or a settings value to determine if the current user has access
  • I could do something in middleware?
  • Or there might be a better solution?
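
A sketch of the decorator option listed above, as an added example that is not part of the original post: the check runs server-side in the view, so typing the URL directly hits the same rule as the menu. The policy table, the site names, the `role` profile attribute and the use of the built-in `PermissionError` are assumptions; in a Django project the policy would come from each site's settings and the wrapper would raise `django.core.exceptions.PermissionDenied` to return a 403.

```python
from functools import wraps
from types import SimpleNamespace

# Hypothetical per-site policy (would live in each site's settings).
# None = public, "authenticated" = any logged-in user,
# any other string = required value of the user's profile role.
SITE_POLICIES = {
    "site_a": {"news": None},
    "site_b": {"news": "Manager"},
}


def is_allowed(site, feature, user):
    """Return True only if the site's policy explicitly grants access."""
    policy = SITE_POLICIES.get(site, {})
    if feature not in policy:
        return False  # unknown site or feature: deny by default
    required = policy[feature]
    if required is None:
        return True
    if not getattr(user, "is_authenticated", False):
        return False
    if required == "authenticated":
        return True
    profile = getattr(user, "profile", None)  # assumed profile object
    return getattr(profile, "role", None) == required


def feature_required(feature, site):
    """View decorator: enforce the site policy before the view body runs."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not is_allowed(site, feature, request.user):
                # In Django: raise PermissionDenied instead (renders a 403).
                raise PermissionError(f"{feature} not permitted on {site}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


# Constructed stand-ins for request objects, for demonstration only.
ANON = SimpleNamespace(user=SimpleNamespace(is_authenticated=False))
STAFF = SimpleNamespace(user=SimpleNamespace(
    is_authenticated=True, profile=SimpleNamespace(role="Staff")))
MANAGER = SimpleNamespace(user=SimpleNamespace(
    is_authenticated=True, profile=SimpleNamespace(role="Manager")))
```

Calling `is_allowed` from the menu template's context as well keeps the visible menu and the enforced rule from drifting apart.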