
Custom permissions in Django - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is a custom permission in Django REST Framework?
A custom permission is a way to define your own rules to control who can access or modify API views beyond the built-in permissions.
beginner
Which method must be implemented when creating a custom permission class in Django REST Framework?
You must implement the has_permission(self, request, view) method to check if the request should be allowed.
beginner
How do you apply a custom permission to a Django REST Framework view?
You add the custom permission class to the view's permission_classes list, for example: permission_classes = [MyCustomPermission].
intermediate
What is the difference between has_permission and has_object_permission in custom permissions?
has_permission checks general access before the view runs, while has_object_permission checks access for a specific object instance.
intermediate
Why use custom permissions instead of just checking user roles inside views?
Custom permissions keep access logic separate and reusable, making code cleaner and easier to maintain.
Which base class should you extend to create a custom permission in Django REST Framework?
A. rest_framework.views.APIView
B. django.views.View
C. rest_framework.permissions.BasePermission
D. django.contrib.auth.models.Permission
What does the has_permission method receive as arguments?
A. request and object
B. request and view
C. view and object
D. request only
If you want to check permissions on a specific object, which method should you override?
A. has_object_permission
B. has_permission
C. check_permission
D. get_permission
How do you apply multiple permissions to a view?
A. List all permission classes in the permission_classes list
B. Use only the first permission class
C. Add permissions in the URL config
D. Set permissions in the model
What happens if a custom permission's has_permission returns False?
A. The request proceeds normally
B. An error is raised
C. The user is redirected to login
D. Access is denied and a 403 Forbidden response is returned
Explain how to create and use a custom permission in Django REST Framework.
Think about the class you extend and the methods you override.
Why is it beneficial to separate permission logic into custom permission classes instead of checking permissions inside views?
Consider how separation of concerns helps in programming.

      Practice

      1. What is the main purpose of creating a custom permission in Django?
      easy
      A. To control user access based on specific rules you define
      B. To change the database schema automatically
      C. To speed up the Django server response time
      D. To create new database tables for users

      Solution

      1. Step 1: Understand what permissions do in Django

        Permissions control what users can or cannot do in the app.
      2. Step 2: Identify the role of custom permissions

        Custom permissions let you define your own rules for user access beyond default ones.
      3. Final Answer:

        To control user access based on specific rules you define -> Option A
      4. Quick Check:

        Custom permissions = control user access [OK]
      Hint: Custom permissions control access rules you create [OK]
      Common Mistakes:
      • Thinking permissions change database structure
      • Confusing permissions with performance settings
      • Believing permissions create new tables
      2. Which method must you override when creating a custom permission class in Django REST Framework?
      easy
      A. save
      B. get_queryset
      C. has_permission
      D. dispatch

      Solution

      1. Step 1: Recall the BasePermission class methods

        The main method to check access is has_permission.
      2. Step 2: Confirm which method controls permission checks

        has_permission returns True or False to allow or deny access.
      3. Final Answer:

        has_permission -> Option C
      4. Quick Check:

        Permission check method = has_permission [OK]
      Hint: Override has_permission to define access rules [OK]
      Common Mistakes:
      • Using get_queryset which filters data, not permissions
      • Confusing save method with permission checks
      • Using dispatch which is for request handling
      3. Given this custom permission class, what will be the result if a user is not authenticated?
      from rest_framework.permissions import BasePermission
      
      class IsAuthenticatedCustom(BasePermission):
          def has_permission(self, request, view):
              return request.user and request.user.is_authenticated
      
      medium
      A. Code raises an error due to missing return
      B. Access is denied because user is not authenticated
      C. Access is granted regardless of authentication
      D. Access is granted only if user is staff

      Solution

      1. Step 1: Analyze the has_permission method logic

        It returns True only if request.user exists and is authenticated.
      2. Step 2: Consider the case when user is not authenticated

        Then request.user.is_authenticated is False, so method returns False denying access.
      3. Final Answer:

        Access is denied because user is not authenticated -> Option B
      4. Quick Check:

        Unauthenticated user = access denied [OK]
      Hint: Check if user.is_authenticated is True to allow access [OK]
      Common Mistakes:
      • Assuming access is granted without authentication
      • Thinking code raises error due to return statement
      • Confusing staff status with authentication
      4. Identify the error in this custom permission class:
      from rest_framework.permissions import BasePermission
      
      class IsOwnerPermission(BasePermission):
          def has_permission(self, request, view):
              return request.user == view.get_object().owner
      
      medium
      A. Missing import for request module
      B. No return statement in has_permission
      C. Incorrect comparison operator used
      D. Using has_permission instead of has_object_permission for object check

      Solution

      1. Step 1: Understand permission methods roles

        has_permission checks general access; has_object_permission checks per object.
      2. Step 2: Identify misuse of has_permission for object ownership

        Comparing user to object owner requires has_object_permission, not has_permission.
      3. Final Answer:

        Using has_permission instead of has_object_permission for object check -> Option D
      4. Quick Check:

        Object checks need has_object_permission [OK]
      Hint: Use has_object_permission for per-object access checks [OK]
      Common Mistakes:
      • Confusing has_permission with has_object_permission
      • Assuming import errors cause this issue
      • Thinking comparison operator is wrong
      5. You want to create a custom permission that allows access only if the user is authenticated and the HTTP method is safe (GET, HEAD, OPTIONS). Which is the correct implementation?
      hard
      A. class SafeAndAuthenticated(BasePermission): def has_permission(self, request, view): return request.user.is_authenticated and request.method in ['GET', 'HEAD', 'OPTIONS']
      B. class SafeAndAuthenticated(BasePermission): def has_permission(self, request, view): return request.user.is_authenticated or request.method in ['GET', 'HEAD', 'OPTIONS']
      C. class SafeAndAuthenticated(BasePermission): def has_permission(self, request, view): return not request.user.is_authenticated and request.method in ['GET', 'HEAD', 'OPTIONS']
      D. class SafeAndAuthenticated(BasePermission): def has_permission(self, request, view): return request.user.is_authenticated and request.method not in ['GET', 'HEAD', 'OPTIONS']

      Solution

      1. Step 1: Understand the requirement

        User must be authenticated AND method must be safe (GET, HEAD, OPTIONS).
      2. Step 2: Analyze each option's logic

        Option A (return request.user.is_authenticated and request.method in ['GET', 'HEAD', 'OPTIONS']) combines both conditions with AND and uses the correct list of safe methods; the other options use OR, negate the authentication check, or invert the method check.
      3. Final Answer:

        class SafeAndAuthenticated(BasePermission): def has_permission(self, request, view): return request.user.is_authenticated and request.method in ['GET', 'HEAD', 'OPTIONS'] -> Option A
      4. Quick Check:

        Use AND for combined conditions [OK]
      Hint: Use AND to combine authentication and method checks [OK]
      Common Mistakes:
      • Using OR instead of AND allowing wrong access
      • Checking for methods incorrectly with NOT
      • Allowing unauthenticated users by mistake