Bird
Raised Fist0
Djangoframework~5 mins

Built-in permission system in Django

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Django's built-in permission system helps control who can do what in your web app. It keeps your app safe and organized by managing user rights easily.

You want to let only certain users add or edit content.
You need to restrict access to parts of your website based on user roles.
You want to check if a user can delete or view specific data.
You want to create admin panels with different access levels.
You want to avoid writing custom code for user permissions.
Syntax
Django
from django.contrib.auth.models import Permission

# Check if a user has a permission
user.has_perm('app_label.permission_codename')

# Assign a permission to a user
user.user_permissions.add(permission)

# Remove a permission from a user
user.user_permissions.remove(permission)

Permissions are linked to models and have codenames like 'add_modelname', 'change_modelname', 'delete_modelname'.

Use 'app_label.permission_codename' format to check permissions.

Examples
Checks if the user can add a blog post.
Django
user.has_perm('blog.add_post')
Adds the permission to change posts to the user.
Django
from django.contrib.auth.models import Permission
perm = Permission.objects.get(codename='change_post')
user.user_permissions.add(perm)
Checks if the user can delete other users.
Django
user.has_perm('auth.delete_user')
Sample Program

This example creates a user named 'alice', gives her permission to add blog posts, and then checks if she has that permission.

Django
from django.contrib.auth.models import User, Permission

# Create a user
user = User.objects.create_user('alice', password='password123')

# Get permission to add posts
perm = Permission.objects.get(codename='add_post')

# Assign permission to user
user.user_permissions.add(perm)

# Check permission
can_add = user.has_perm('blog.add_post')

print(f"User can add post: {can_add}")
OutputSuccess
Important Notes

Permissions are automatically created for each model: add, change, delete.

Superusers have all permissions by default.

Use groups to assign permissions to many users easily.

Summary

Django's permission system controls user actions simply.

Use has_perm to check permissions.

Assign permissions directly or via groups.

Practice

(1/5)
1. What is the purpose of Django's built-in permission system?
easy
A. To control what actions users can perform in the application
B. To manage database migrations automatically
C. To style the user interface with CSS
D. To optimize query performance

Solution

  1. Step 1: Understand the role of permissions

    Django's permission system is designed to control user access and actions within the app.

  2. Step 2: Eliminate unrelated options

    Options about migrations, styling, and query optimization are unrelated to permissions.

  3. Final Answer:

    To control what actions users can perform in the application -> Option A

  4. Quick Check:

    Permission system controls user actions = D [OK]
Hint: Permissions control user actions, not database or styling [OK]
Common Mistakes:
  • Confusing permissions with database migrations
  • Thinking permissions handle UI styling
  • Assuming permissions optimize queries
2. Which of the following is the correct way to check if a user has a permission in Django?
easy
A. user.permission('app_label.permission_codename')
B. user.check_permission('app_label.permission_codename')
C. user.has_perm('app_label.permission_codename')
D. user.can('app_label.permission_codename')

Solution

  1. Step 1: Recall Django's permission check method

    The correct method to check permissions is has_perm on the user object.

  2. Step 2: Verify method names

    Other options like check_permission, permission, or can do not exist in Django's user model.

  3. Final Answer:

    user.has_perm('app_label.permission_codename') -> Option C

  4. Quick Check:

    Use has_perm() to check permissions = A [OK]
Hint: Remember: user.has_perm() is the official permission check [OK]
Common Mistakes:
  • Using incorrect method names like check_permission
  • Trying to call permission as a property
  • Assuming 'can' method exists on user
3. Given the following code snippet, what will be the output if the user has the permission 'blog.add_post'? 
if user.has_perm('blog.add_post'):
    print('Permission granted')
else:
    print('Permission denied')
medium
A. Permission granted
B. Error: has_perm method not found
C. Permission denied
D. No output

Solution

  1. Step 1: Understand the has_perm method behavior

    If the user has the permission 'blog.add_post', has_perm returns True.

  2. Step 2: Follow the if-else logic

    Since has_perm returns True, the code prints 'Permission granted'.

  3. Final Answer:

    Permission granted -> Option A

  4. Quick Check:

    has_perm True prints 'Permission granted' = C [OK]
Hint: True from has_perm means permission granted message [OK]
Common Mistakes:
  • Assuming has_perm returns False incorrectly
  • Expecting an error from has_perm method
  • Thinking no output occurs
4. Identify the error in this code snippet that checks user permissions: 
if user.has_perm('blog.add_post'):
print('Allowed')
else:
print('Denied')
medium
A. Incorrect permission codename format
B. Using print instead of return
C. has_perm method does not exist on user
D. Missing indentation inside if and else blocks

Solution

  1. Step 1: Check Python syntax rules for blocks

    Python requires indentation inside if and else blocks to define their scope.

  2. Step 2: Identify the missing indentation

    The print statements are not indented, causing a syntax error.

  3. Final Answer:

    Missing indentation inside if and else blocks -> Option D

  4. Quick Check:

    Python needs indentation in blocks = B [OK]
Hint: Always indent code inside if/else blocks in Python [OK]
Common Mistakes:
  • Ignoring indentation errors
  • Thinking permission codename format is wrong
  • Assuming has_perm method is missing
  • Confusing print with return in this context
5. You want to assign the permission 'polls.change_vote' to a group named 'Editors'. Which is the correct way to do this in Django?
hard
A. group = Group.objects.create(name='Editors') permission = Permission.objects.filter(codename='change_vote') group.add_permission(permission)
B. group = Group.objects.get(name='Editors') permission = Permission.objects.get(codename='change_vote', content_type__app_label='polls') group.permissions.add(permission)
C. group = Group.get(name='Editors') permission = Permission.get(codename='change_vote') group.permissions.append(permission)
D. group = Group.objects.get(name='Editors') permission = Permission.objects.get(name='change_vote') group.permissions.add(permission)

Solution

  1. Step 1: Retrieve the existing group and permission correctly

    Use Group.objects.get(name='Editors') to get the group. Use Permission.objects.get with codename and content_type__app_label to get the exact permission.

  2. Step 2: Add the permission to the group's permissions

    Use group.permissions.add(permission) to assign the permission.

  3. Final Answer:

    group = Group.objects.get(name='Editors') permission = Permission.objects.get(codename='change_vote', content_type__app_label='polls') group.permissions.add(permission) -> Option B

  4. Quick Check:

    Use get() and add() with correct filters = A [OK]
Hint: Use get() with codename and add() to assign permission [OK]
Common Mistakes:
  • Using create() instead of get() for existing group
  • Using filter() without get() for single permission
  • Wrong method names like add_permission or append
  • Using name instead of codename for permission lookup