Django

What is the correct way to control access to functionality in Django?

I am writing a project in which a registered user has 2 roles (client and executor). Each role has its own tasks, so many sections and links may differ.
Partially, I already understood where I can create conditions directly in the template (for example, user.is_authenticated), or check the role in the view and, based on this, issue the appropriate template (so as not to fence anything in it). On the guest I use a decorator.
With the complication of the system, I understand that it will not be enough just to substitute the desired template or hide the link, you need to control everything on the backend (for example, do not allow the CONTRACTOR to view the CREATE ORDER page, because this is not his role.
Question: how best to do this, what is the best practice used in this case?