Restrict access of static files to permission groups

i am fairly new to web-development and i can't really find the best way to handle serving files with django.

My situation is: I have users from different departments that can upload, edit and download files. Users should have access to files from other users of the same department, but not of the others. The way it works until now is: each filepath is written in a database, with a reference to which department it belongs. If requesting a file django checks if the department of the user is the same as the file, and denies the access if that not the case. So it's impelemented using a normal view that returns a StreamingHttpResponse

After researching a bit it seemed that serving files that way isnt the standard way, and i should serve them as static files (from the webserver, not directly by django). My question is: can i still restrict the access of static files, or can anyone read them?

Back to Top