
Permission required decorator in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior
intermediate
What happens when a user without permission accesses a view with @permission_required?
Consider a Django view decorated with @permission_required('app.view_item'). What is the typical behavior if a logged-in user lacks this permission?
from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse

@permission_required('app.view_item')
def my_view(request):
    return HttpResponse('Access granted')
A. The user is redirected to the login page only if not authenticated; otherwise, a 403 error is shown.
B. The user can access the view without any restriction.
C. The user sees a 403 Forbidden error page.
D. The user is redirected to the login page regardless of authentication status.
Hint: Think about how Django handles permissions differently for authenticated and anonymous users.
📝 Syntax
intermediate
Identify the correct syntax to require multiple permissions with @permission_required
Which of the following correctly requires both 'app.view_item' and 'app.change_item' permissions on a Django view?
A
@permission_required('app.view_item')
def my_view(request): pass
@permission_required('app.change_item')
B
@permission_required('app.view_item', 'app.change_item')
def my_view(request): pass
C
@permission_required(['app.view_item', 'app.change_item'])
def my_view(request): pass
D
@permission_required('app.view_item')
@permission_required('app.change_item')
def my_view(request): pass
Hint: Think about stacking decorators to require multiple permissions.
🔧 Debug
advanced
Why does this @permission_required decorator not work as expected?
This view should require 'app.delete_item' permission, but users without permission can access it. What is the problem?
from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse

@permission_required
def my_view(request):
    return HttpResponse('Deleted')
A. The decorator is missing parentheses after @permission_required.
B. The permission string is incorrect; it should be 'app.delete_items' plural.
C. The view is missing the login_required decorator, so permission is not checked.
D. The view is a function-based view but the decorator only works on class-based views.
Hint: Check how decorators are applied in Python syntax.
State output
advanced
What is the HTTP status code returned when permission is denied by @permission_required?
When a logged-in user lacks the required permission for a view decorated with @permission_required, what HTTP status code does Django return?
A. 200 OK
B. 302 Found (redirect to login)
C. 403 Forbidden
D. 404 Not Found
Hint: Think about the meaning of HTTP status codes for permission issues.
🧠 Conceptual
expert
How to customize the redirect URL for unauthorized users with @permission_required?
By default, @permission_required redirects unauthorized users to the login page. How can you change this redirect URL to a custom page?
A. Override the LOGIN_REDIRECT_URL setting in Django settings.py.
B. Pass the login_url parameter to the decorator with the custom URL.
C. Use a middleware to intercept permission errors and redirect manually.
D. Modify the view to catch PermissionDenied exceptions and redirect.
Hint: Check the parameters accepted by the decorator.

Practice

1. What is the main purpose of the @permission_required decorator in Django?
easy
A. To restrict access to a view based on user permissions
B. To automatically log users in
C. To change the URL of a view
D. To cache the output of a view

Solution

  1. Step 1: Understand the decorator's role

    The @permission_required decorator checks if a user has a specific permission before allowing access to a view.
  2. Step 2: Compare options with the decorator's function

    Only option A, "To restrict access to a view based on user permissions", describes restricting access based on permissions, which matches the decorator's purpose.
  3. Final Answer:

    To restrict access to a view based on user permissions -> Option A
  4. Quick Check:

    Permission check = restrict access [OK]
Hint: Decorator controls access by permissions, not login or caching [OK]
Common Mistakes:
  • Confusing permission check with login functionality
  • Thinking it changes URLs
  • Assuming it caches view output
2. Which of the following is the correct way to use @permission_required to require the permission app.view_item on a Django view function?
easy
A.
@permission_required('app.view_item')
def my_view(request):
    pass
B.
@permission_required(app.view_item)
def my_view(request):
    pass
C.
@permission_required('app.view_item', login_url='/login')
def my_view():
    pass
D.
@permission_required('app.view_item', raise_exception=True)
class MyView(View):
    pass

Solution

  1. Step 1: Check correct syntax for permission string

    The permission must be a string in quotes, like 'app.view_item'. Option A uses this correctly.
  2. Step 2: Confirm usage on a function-based view

    Option A decorates a function with the correct signature (a request parameter). Option B omits the quotes, option C omits the request parameter, and option D decorates a class incorrectly.
  3. Final Answer:

    @permission_required('app.view_item') on def my_view(request) -> Option A
  4. Quick Check:

    Permission string in quotes + function with request = correct [OK]
Hint: Permission must be a quoted string; function needs request param [OK]
Common Mistakes:
  • Omitting quotes around permission string
  • Using decorator on class without proper mixin
  • Missing request parameter in view function
3. Given this view code, what happens when a user without the app.change_item permission accesses /edit-item/?
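from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse

@permission_required('app.change_item', login_url='/login/')
def edit_item(request):
    return HttpResponse('Item edited')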
medium
A. User gets a 403 Forbidden error
B. User is redirected to '/login/' page
C. User sees 'Item edited' message
D. User is redirected to homepage

Solution

  1. Step 1: Understand the decorator parameters

    The decorator requires 'app.change_item' permission and sets login_url='/login/' for unauthorized users.
  2. Step 2: Determine behavior for user without permission

    Since raise_exception is not set, the user is redirected to the login URL specified.
  3. Final Answer:

    User is redirected to '/login/' page -> Option B
  4. Quick Check:

    Missing permission + login_url = redirect to login [OK]
Hint: No raise_exception means redirect to login_url [OK]
Common Mistakes:
  • Assuming 403 error without raise_exception=True
  • Thinking user sees success message without permission
  • Confusing redirect URL
4. Identify the error in this code snippet using @permission_required:
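from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse

@permission_required('app.delete_item', raise_exception=True)
def delete_item():
    return HttpResponse('Deleted')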
medium
A. raise_exception cannot be True
B. Permission string is not quoted
C. Missing request parameter in the view function
D. Decorator must be applied to a class, not a function

Solution

  1. Step 1: Check function signature

    The view function must accept at least one parameter, usually request. Here, it is missing.
  2. Step 2: Validate decorator usage

    The permission string is quoted correctly, and raise_exception=True is valid. The decorator can be used on functions.
  3. Final Answer:

    Missing request parameter in the view function -> Option C
  4. Quick Check:

    View needs request param, else error [OK]
Hint: View functions always need request parameter [OK]
Common Mistakes:
  • Forgetting the request argument in view functions
  • Thinking raise_exception=True is invalid
  • Believing decorator only works on classes
5. You want to protect a Django view so that only users with app.add_item permission can access it. If they lack permission, you want to show a 403 error instead of redirecting. Which is the correct way to do this?
hard
A.
@permission_required('app.add_item', raise_exception=False)
def add_item(request):
    return HttpResponse('Item added')
B.
@permission_required('app.add_item', login_url='/login/')
def add_item(request):
    return HttpResponse('Item added')
C.
@permission_required('app.add_item')
def add_item(request):
    return HttpResponse('Item added')
D.
@permission_required('app.add_item', raise_exception=True)
def add_item(request):
    return HttpResponse('Item added')

Solution

  1. Step 1: Understand the effect of raise_exception

    Setting raise_exception=True causes Django to return a 403 Forbidden error if the user lacks permission.
  2. Step 2: Check other options for behavior

    Options A, B, and C redirect to login or default behavior (no raise_exception=True); only D raises a 403.
  3. Final Answer:

    @permission_required('app.add_item', raise_exception=True) on def add_item(request) -> Option D
  4. Quick Check:

    raise_exception=True = 403 error [OK]
Hint: Use raise_exception=True for 403 error on missing permission [OK]
Common Mistakes:
  • Forgetting raise_exception=True to get 403 error
  • Assuming login_url triggers 403 error
  • Using raise_exception=False expecting error