While the template tag is good to control bits in the UI, you will likely want to make sure POST requests can’t be forged. Just because you don’t show a form in the UI, doesn’t mean there isn’t a url accepting POST requests. This is the reason for the privilege_required decorator.
By putting this decorator on views, it will validate that the user calling the view as the specified privilege, otherwise it will redirect, by default, to the login url:
from privileges.decorators import privilege_required
@privilege_required("widget_management_feature_enabled")
def add_widget(request):
....