0
Jump into concepts and practice - no test required
Recommended
Authorization controls what users can do in your app. It keeps data safe and ensures users only access what they should.
from django.contrib.auth.decorators import login_required, permission_required @login_required def my_view(request): # code for logged-in users only @permission_required('app_label.permission_code') def admin_view(request): # code for users with specific permission
@login_required makes sure only logged-in users can access the view.
@permission_required checks if the user has a specific permission before running the view.
from django.http import HttpResponse from django.contrib.auth.decorators import login_required @login_required def dashboard(request): return HttpResponse('Welcome to your dashboard!')
from django.http import HttpResponse from django.contrib.auth.decorators import permission_required @permission_required('blog.change_post') def edit_post(request): return HttpResponse('Edit your post here.')
This example shows two views: one for any logged-in user to see their profile, and one for users with the 'view_user' permission to access the admin panel.
from django.http import HttpResponse from django.contrib.auth.decorators import login_required, permission_required @login_required def profile(request): return HttpResponse(f'Hello, {request.user.username}! This is your profile.') @permission_required('auth.view_user') def admin_panel(request): return HttpResponse('Welcome to the admin panel.')
Authorization is different from authentication. Authentication checks who you are; authorization checks what you can do.
Always protect sensitive views with proper authorization to avoid security risks.
Django provides easy decorators to add authorization checks to your views.
Authorization controls user access to parts of your app.
Use Django decorators like @login_required and @permission_required to enforce authorization.
Proper authorization keeps your app safe and users' data private.
@login_required ensures only logged-in users access the view.@permission_required checks permissions, @csrf_protect protects against CSRF, and @require_GET limits HTTP methods.@login_required
def dashboard(request):
if not request.user.has_perm('app.view_dashboard'):
return HttpResponse('Access Denied')
return HttpResponse('Welcome to Dashboard')def profile(request):
if not request.user.is_authenticated:
return HttpResponse('Please log in')
if not request.user.has_perm('app.view_profile'):
return HttpResponse('Access Denied')
return HttpResponse('User Profile')@login_required decorator.@login_required is cleaner and automatically redirects unauthenticated users to login.@permission_required to check permission and then manually checks is_staff, denying access if false. This correctly enforces both conditions.@superuser_required which is not a standard Django decorator and will cause a NameError.