Bird
Raised Fist0
Djangoframework~30 mins

Permission required decorator in Django - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Permission Required Decorator in Django
📖 Scenario: You are building a Django web app where some pages should only be accessible to users with specific permissions. You want to create a decorator that checks if a user has the required permission before allowing access to a view.
🎯 Goal: Build a Django view decorator called permission_required that takes a permission name as an argument and only allows users with that permission to access the view. If the user lacks permission, they should be redirected to a login page.
📋 What You'll Learn
Create a Django view function called my_view.
Create a decorator function called permission_required that accepts a permission string.
Inside the decorator, check if the user has the required permission using user.has_perm(permission).
If the user does not have permission, redirect them to the login page using redirect('login').
Apply the permission_required decorator to my_view with the permission 'app.view_secret'.
💡 Why This Matters
🌍 Real World
Web apps often need to restrict access to certain pages based on user permissions. This decorator helps enforce those rules cleanly.
💼 Career
Understanding decorators and permission checks is essential for backend web developers working with Django or similar frameworks.
Progress0 / 4 steps
1
Create a simple Django view function
Create a Django view function called my_view that takes a request argument and returns a simple HttpResponse with the text "Secret page content".
Django
Hint

Use def my_view(request): to define the function and return HttpResponse("Secret page content").

2
Create the permission_required decorator function
Create a decorator function called permission_required that accepts a permission string argument. Inside, define an inner function decorator that takes a view_func argument and returns a wrapper function. The wrapper should accept request and *args, **kwargs.
Django
Hint

Define permission_required that returns decorator. Inside decorator, define wrapper that takes request, *args, **kwargs.

3
Add permission check and redirect logic inside the wrapper
Import redirect from django.shortcuts at the top of the file. Inside the wrapper function, check if request.user.has_perm(permission) is False. If so, return redirect('login'). Otherwise, return the original view function call with view_func(request, *args, **kwargs).
Django
Hint

Use if not request.user.has_perm(permission): to check permission and return redirect('login') if missing.

4
Apply the permission_required decorator to the view
Apply the permission_required decorator to the my_view function with the permission string 'app.view_secret'. Use the decorator syntax @permission_required('app.view_secret') above the my_view definition.
Django
Hint

Place @permission_required('app.view_secret') directly above def my_view(request):.

Practice

(1/5)
1. What is the main purpose of the @permission_required decorator in Django?
easy
A. To restrict access to a view based on user permissions
B. To automatically log users in
C. To change the URL of a view
D. To cache the output of a view

Solution

  1. Step 1: Understand the decorator's role

    The @permission_required decorator checks if a user has a specific permission before allowing access to a view.

  2. Step 2: Compare options with the decorator's function

    Only To restrict access to a view based on user permissions describes restricting access based on permissions, which matches the decorator's purpose.

  3. Final Answer:

    To restrict access to a view based on user permissions -> Option A

  4. Quick Check:

    Permission check = restrict access [OK]
Hint: Decorator controls access by permissions, not login or caching [OK]
Common Mistakes:
  • Confusing permission check with login functionality
  • Thinking it changes URLs
  • Assuming it caches view output
2. Which of the following is the correct way to use @permission_required to require the permission app.view_item on a Django view function?
easy
A. @permission_required('app.view_item')\ndef my_view(request):\n pass
B. @permission_required(app.view_item)\ndef my_view(request):\n pass
C. @permission_required('app.view_item', login_url='/login')\ndef my_view():\n pass
D. @permission_required('app.view_item', raise_exception=True)\nclass MyView(View):\n pass

Solution

  1. Step 1: Check correct syntax for permission string

    The permission must be a string in quotes, like 'app.view_item'. @permission_required('app.view_item')\ndef my_view(request):\n pass uses this correctly.

  2. Step 2: Confirm usage on a function-based view

    @permission_required('app.view_item')\ndef my_view(request):\n pass decorates a function with the correct signature (request parameter). @permission_required(app.view_item)\ndef my_view(request):\n pass misses quotes, C misses request parameter, D decorates a class incorrectly.

  3. Final Answer:

    @permission_required('app.view_item')\ndef my_view(request):\n pass -> Option A

  4. Quick Check:

    Permission string in quotes + function with request = correct [OK]
Hint: Permission must be a quoted string; function needs request param [OK]
Common Mistakes:
  • Omitting quotes around permission string
  • Using decorator on class without proper mixin
  • Missing request parameter in view function
3. Given this view code, what happens when a user without the app.change_item permission accesses /edit-item/? 
@permission_required('app.change_item', login_url='/login/')
def edit_item(request):
    return HttpResponse('Item edited')
medium
A. User gets a 403 Forbidden error
B. User is redirected to '/login/' page
C. User sees 'Item edited' message
D. User is redirected to homepage

Solution

  1. Step 1: Understand the decorator parameters

    The decorator requires 'app.change_item' permission and sets login_url='/login/' for unauthorized users.

  2. Step 2: Determine behavior for user without permission

    Since raise_exception is not set, the user is redirected to the login URL specified.

  3. Final Answer:

    User is redirected to '/login/' page -> Option B

  4. Quick Check:

    Missing permission + login_url = redirect to login [OK]
Hint: No raise_exception means redirect to login_url [OK]
Common Mistakes:
  • Assuming 403 error without raise_exception=True
  • Thinking user sees success message without permission
  • Confusing redirect URL
4. Identify the error in this code snippet using @permission_required: 
@permission_required('app.delete_item', raise_exception=True)
def delete_item():
    return HttpResponse('Deleted')
medium
A. raise_exception cannot be True
B. Permission string is not quoted
C. Missing request parameter in the view function
D. Decorator must be applied to a class, not a function

Solution

  1. Step 1: Check function signature

    The view function must accept at least one parameter, usually request. Here, it is missing.

  2. Step 2: Validate decorator usage

    The permission string is quoted correctly, and raise_exception=True is valid. The decorator can be used on functions.

  3. Final Answer:

    Missing request parameter in the view function -> Option C

  4. Quick Check:

    View needs request param, else error [OK]
Hint: View functions always need request parameter [OK]
Common Mistakes:
  • Forgetting the request argument in view functions
  • Thinking raise_exception=True is invalid
  • Believing decorator only works on classes
5. You want to protect a Django view so that only users with app.add_item permission can access it. If they lack permission, you want to show a 403 error instead of redirecting. Which is the correct way to do this?
hard
A. @permission_required('app.add_item', raise_exception=False)\ndef add_item(request):\n return HttpResponse('Item added')
B. @permission_required('app.add_item', login_url='/login/')\ndef add_item(request):\n return HttpResponse('Item added')
C. @permission_required('app.add_item')\ndef add_item(request):\n return HttpResponse('Item added')
D. @permission_required('app.add_item', raise_exception=True)\ndef add_item(request):\n return HttpResponse('Item added')

Solution

  1. Step 1: Understand the effect of raise_exception

    Setting raise_exception=True causes Django to return a 403 Forbidden error if the user lacks permission.

  2. Step 2: Check other options for behavior

    Options A, B, and C redirect to login or default behavior (no raise_exception=True); only D raises a 403.

  3. Final Answer:

    @permission_required('app.add_item', raise_exception=True)\ndef add_item(request):\n return HttpResponse('Item added') -> Option D

  4. Quick Check:

    raise_exception=True = 403 error [OK]
Hint: Use raise_exception=True for 403 error on missing permission [OK]
Common Mistakes:
  • Forgetting raise_exception=True to get 403 error
  • Assuming login_url triggers 403 error
  • Using raise_exception=False expecting error