Middleware
SubscriptionAccessMiddleware
Protects specific URL paths, requiring the authenticated user to have an active subscription. Staff users bypass the check.
Setup
Add to your MIDDLEWARE setting:
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    # Add after AuthenticationMiddleware
    "subscriptions.middleware.SubscriptionAccessMiddleware",
]
Configuration
SUBSCRIPTION_SETTINGS = {
    "PROTECTED_PATHS": [
        "/api/premium/",
        "/dashboard/pro/",
    ],
    "SUBSCRIPTION_REQUIRED_REDIRECT": "/pricing/",
}
How It Works
- On every request, checks if the path starts with any entry in PROTECTED_PATHS
- If protected and user is unauthenticated → returns 403/redirect
- If protected and user is authenticated but has no active subscription → returns 403/redirect
- Staff users (is_staff=True) always have access
- Users with active or trialing subscriptions have access
Response Behavior
| Request Type | No Auth | No Subscription |
|---|---|---|
| API ( | JSON 403: | JSON 403: |
| HTML (browser) | Redirect to | Redirect to |
API requests are detected by:
- Content-Type: application/json
- Path starts with /api/
- Accept header starts with application/json
Example
SUBSCRIPTION_SETTINGS = {
    "PROTECTED_PATHS": ["/api/v2/", "/app/dashboard/"],
    "SUBSCRIPTION_REQUIRED_REDIRECT": "/subscribe/",
}
- GET /api/v2/data/ → requires subscription (JSON 403 if missing)
- GET /app/dashboard/ → requires subscription (redirect to /subscribe/ if missing)
- GET /api/v1/public/ → not protected
- GET /admin/ → not protected (and staff bypass anyway)
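The decision flow described above, modelled as an added example (not the package's own code) so that a PROTECTED_PATHS list can be checked against the routes it is meant to cover before deployment. The names `User`, `is_api_request`, `decide` and `unprotected` are hypothetical, and the model assumes literal prefix matching and that any one of the three API signals is sufficient.

```python
from dataclasses import dataclass

# Settings copied from the page's Example section.
SETTINGS = {
    "PROTECTED_PATHS": ["/api/v2/", "/app/dashboard/"],
    "SUBSCRIPTION_REQUIRED_REDIRECT": "/subscribe/",
}
ALLOWED_STATUSES = {"active", "trialing"}


@dataclass
class User:
    """Hypothetical stand-in for request.user plus its subscription status."""
    is_authenticated: bool = False
    is_staff: bool = False
    subscription_status: str = ""


def is_api_request(path, headers):
    # Assumption: any one of the three documented signals is enough,
    # and header values are compared by prefix.
    return (
        headers.get("Content-Type", "").startswith("application/json")
        or path.startswith("/api/")
        or headers.get("Accept", "").startswith("application/json")
    )


def decide(path, user, headers=None):
    """Return 'allow', 'json_403' or 'redirect:<url>' for one request."""
    headers = headers or {}
    # Assumption: literal prefix match against each configured entry.
    if not any(path.startswith(p) for p in SETTINGS["PROTECTED_PATHS"]):
        return "allow"
    if user.is_authenticated and (
        user.is_staff or user.subscription_status in ALLOWED_STATUSES
    ):
        return "allow"
    if is_api_request(path, headers):
        return "json_403"
    return "redirect:" + SETTINGS["SUBSCRIPTION_REQUIRED_REDIRECT"]


def unprotected(paths):
    """Paths from `paths` that an anonymous request reaches unchecked."""
    return [p for p in paths if decide(p, User()) == "allow"]


if __name__ == "__main__":
    for url in ["/api/v2/data/", "/app/dashboard/", "/api/v1/public/", "/admin/"]:
        print(f"{url:20} anonymous -> {decide(url, User())}")
```

Passing the full list of routes that are meant to be paid-only to `unprotected()` returns the ones the configured prefixes do not cover.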