A production-ready backend system for managing financial records and analytics, designed with a modular architecture and scalable service-layer pattern.
Built using Django REST Framework, it implements role-based access control (RBAC) and a service-layer architecture to ensure scalability, maintainability, and clear separation of concerns.
β οΈ This API is hosted on a free tier and may take ~30β60 seconds to respond on the first request (cold start).
- π₯ Interactive API Docs (Swagger): https://rbac-finance-api.onrender.com/api/docs/
- π Base URL: https://rbac-finance-api.onrender.com/
core/
β constants.py # Role definitions and shared enums
β permissions.py # Reusable role-based access control (RBAC)
β pagination.py # Global pagination configuration
users/
β models.py # Custom user model with role support
β views.py # Authentication & admin-only user management
β serializers.py # User-related serializers
records/
β models.py # Financial transaction model
β views.py # CRUD APIs for records
β serializers.py # Record serializers
β services.py # Business logic layer (create, update, filters)
β filters.py # Query filtering utilities (if applicable)
dashboard/
β views.py # Analytics endpoints (summary, trends, totals)
β serializers.py # Input/output validation
β services.py # Aggregation logic using ORM
finance_backend/
β settings.py # Django configuration
β urls.py # Root URL routing
β asgi.py # ASGI entry point
β wsgi.py # WSGI entry point
Centralized utilities such as permissions, constants, and shared configurations.
Handles authentication, role assignment, and admin-controlled user operations.
Manages financial transactions with a clean separation of concerns using a service layer.
Provides analytical insights using optimized ORM queries and aggregations.
Contains global settings and application entry points.
- Separation of Concerns β Views, Services, and Models are decoupled
- Role-Based Access Control (RBAC) β Centralized permission system
- Service Layer Pattern β Business logic isolated from views
- Modular Architecture β Easy to extend and maintain
python -m pip install -r requirements.txtpython manage.py migratepython manage.py createsuperuserpython manage.py runserverAPI docs are available at http://127.0.0.1:8000/api/docs/.
This project uses JWT-based authentication.
Include the access token in request headers:
Authorization: Bearer <access_token>
POST /api/auth/login/
{ "email": "admin@example.com", "password": "password123" }Response:
{
"access": "...",
"refresh": "..."
}GET /api/auth/me/
Roles live in core/constants.py:
- Viewer (
viewer)- Can GET records
- Cannot create/update/delete records
- No dashboard access
- Analyst (
analyst)- Can GET records (scoped to their own records)
- Can access dashboard endpoints
- Cannot create/update/delete records
- Admin (
admin)- Full records CRUD
- Full dashboard access
- Admin-only user management APIs
Permissions are enforced by core/permissions.py via RolePermission + per-view role_policy.
GET /api/records/(list; supports filtering & pagination)POST /api/records/(admin only)GET /api/records/{id}/PUT/PATCH /api/records/{id}/(admin only)DELETE /api/records/{id}/(admin only; soft delete)
type=income|expensecategory=<string>date_from=YYYY-MM-DDdate_to=YYYY-MM-DD
Example:
GET /api/records/?type=expense&category=food&date_from=2026-01-01&date_to=2026-03-31
GET /api/dashboard/summary/- total income, total expense, net balance
GET /api/dashboard/category-totals/?type=income|expense(type optional)- category-wise totals (ORM aggregation)
GET /api/dashboard/recent-transactions/?limit=10- recent transactions
GET /api/dashboard/monthly-trends/- monthly totals grouped by month and type
- Soft delete is implemented via
records.Record.is_deleted; list endpoints use.alive(). - Record read access is scoped:
- Admin: sees all records
- Non-admin: sees only records they created
- SQLite is used for simplicity; models are indexed for common queries.
Avikal Singh
Backend Developer (Django | DRF)
- GitHub: avikal07
- LinkedIn: Avikal Singh