Bird
Raised Fist0
Djangoframework~10 mins

Why authorization matters in Django - Test Your Understanding

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to import the Django authorization decorator.

Django
from django.contrib.auth.decorators import [1]
Drag options to blanks, or click blank then click option'
Alogin_required
Bauthenticate
Cpermission_required
Duser_passes_test
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'authenticate' which is a function, not a decorator.
Confusing 'permission_required' with 'login_required'.
2fill in blank
medium

Complete the code to protect a view so only logged-in users can access it.

Django
@[1]
def dashboard(request):
    return render(request, 'dashboard.html')
Drag options to blanks, or click blank then click option'
Apermission_required
Bcsrf_exempt
Cuser_passes_test
Dlogin_required
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'csrf_exempt' which is unrelated to authorization.
Using 'permission_required' without specifying permissions.
3fill in blank
hard

Fix the error in the code to check if a user has permission to add a post.

Django
if request.user.has_perm('[1]'):
    # allow adding post
    pass
Drag options to blanks, or click blank then click option'
Ablog.create_post
Bblog.add_post
Cpost.add_blog
Dpost.create_blog
Attempts:
3 left
💡 Hint
Common Mistakes
Swapping app label and model name.
Using 'create' instead of 'add' in permission codename.
4fill in blank
hard

Fill both blanks to restrict a view to users with 'change_article' permission and redirect unauthorized users.

Django
@permission_required('[1]', login_url='[2]')
def edit_article(request):
    return render(request, 'edit.html')
Drag options to blanks, or click blank then click option'
Ablog.change_article
B/login/
C/home/
Dblog.edit_article
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'edit_article' instead of 'change_article' permission.
Redirecting to '/home/' instead of login page.
5fill in blank
hard

Fill all three blanks to create a dictionary comprehension that maps usernames to their email if the user is active.

Django
user_emails = {user.[1]: user.[2] for user in users if user.[3]
Drag options to blanks, or click blank then click option'
Ausername
Bemail
Cis_active
Dis_staff
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'is_staff' instead of 'is_active' to filter users.
Swapping 'username' and 'email' in keys and values.

Practice

(1/5)
1. Why is authorization important in a Django web application?
easy
A. It helps in designing the user interface.
B. It speeds up the loading time of the website.
C. It automatically fixes bugs in the code.
D. It controls which users can access certain parts of the app.

Solution

  1. Step 1: Understand the role of authorization

    Authorization decides what parts of the app a user can see or use.

  2. Step 2: Compare with other options

    Speed, design, and bug fixing are unrelated to authorization.

  3. Final Answer:

    It controls which users can access certain parts of the app. -> Option D

  4. Quick Check:

    Authorization controls access = C [OK]
Hint: Authorization controls access, not speed or design [OK]
Common Mistakes:
  • Confusing authorization with authentication
  • Thinking authorization improves performance
  • Believing authorization designs UI
2. Which Django decorator is used to require a user to be logged in before accessing a view?
easy
A. @permission_required
B. @login_required
C. @csrf_protect
D. @require_GET

Solution

  1. Step 1: Identify the decorator for login requirement

    The decorator @login_required ensures only logged-in users access the view.

  2. Step 2: Differentiate from other decorators

    @permission_required checks permissions, @csrf_protect protects against CSRF, and @require_GET limits HTTP methods.

  3. Final Answer:

    @login_required -> Option B

  4. Quick Check:

    Login check decorator = @login_required [OK]
Hint: Login check uses @login_required decorator [OK]
Common Mistakes:
  • Using @permission_required instead of @login_required
  • Confusing CSRF protection with authorization
  • Mixing HTTP method decorators with authorization
3. Consider this Django view code:
@login_required
def dashboard(request):
    if not request.user.has_perm('app.view_dashboard'):
        return HttpResponse('Access Denied')
    return HttpResponse('Welcome to Dashboard')

What will a logged-in user without the 'app.view_dashboard' permission see?
medium
A. Access Denied
B. Welcome to Dashboard
C. A 404 Not Found error
D. A login page

Solution

  1. Step 1: Analyze the permission check

    The code checks if the user has 'app.view_dashboard' permission; if not, it returns 'Access Denied'.

  2. Step 2: Consider the user's permission

    The user is logged in but lacks the permission, so the 'Access Denied' response is returned.

  3. Final Answer:

    Access Denied -> Option A

  4. Quick Check:

    Permission missing shows 'Access Denied' = A [OK]
Hint: No permission means 'Access Denied' message shown [OK]
Common Mistakes:
  • Assuming login means full access
  • Thinking missing permission causes 404 error
  • Confusing permission denial with login redirect
4. What is wrong with this Django view code for enforcing authorization?
def profile(request):
    if not request.user.is_authenticated:
        return HttpResponse('Please log in')
    if not request.user.has_perm('app.view_profile'):
        return HttpResponse('Access Denied')
    return HttpResponse('User Profile')
medium
A. It should use @login_required decorator instead of manual check.
B. The permission check is missing.
C. It returns the wrong HTTP status codes.
D. It does not check if the user is a superuser.

Solution

  1. Step 1: Review authentication check method

    The code manually checks if the user is authenticated instead of using the standard @login_required decorator.

  2. Step 2: Understand best practice

    Using @login_required is cleaner and automatically redirects unauthenticated users to login.

  3. Final Answer:

    It should use @login_required decorator instead of manual check. -> Option A

  4. Quick Check:

    Use @login_required for authentication checks [OK]
Hint: Use @login_required decorator, not manual authentication checks [OK]
Common Mistakes:
  • Ignoring @login_required decorator
  • Assuming manual checks are better
  • Missing permission checks
5. You want to restrict access to a Django view so only users with both 'app.view_reports' permission and who are staff can access it. Which code snippet correctly enforces this?
hard
A. @login_required def reports(request): if not request.user.has_perm('app.view_reports'): return HttpResponse('Access Denied') return HttpResponse('Reports Page')
B. @login_required def reports(request): if request.user.is_staff or request.user.has_perm('app.view_reports'): return HttpResponse('Reports Page') return HttpResponse('Access Denied')
C. @permission_required('app.view_reports') def reports(request): if not request.user.is_staff: return HttpResponse('Access Denied') return HttpResponse('Reports Page')
D. @permission_required('app.view_reports') @superuser_required def reports(request): return HttpResponse('Reports Page')

Solution

  1. Step 1: Understand the permission and staff checks

    The view must check both permission and staff status before allowing access.

  2. Step 2: Analyze each option

    @permission_required('app.view_reports') def reports(request): if not request.user.is_staff: return HttpResponse('Access Denied') return HttpResponse('Reports Page') uses @permission_required to check permission and then manually checks is_staff, denying access if false. This correctly enforces both conditions.

  3. Step 3: Why other options fail

    @login_required def reports(request): if not request.user.has_perm('app.view_reports'): return HttpResponse('Access Denied') return HttpResponse('Reports Page') only checks permission but misses staff check; @login_required def reports(request): if request.user.is_staff or request.user.has_perm('app.view_reports'): return HttpResponse('Reports Page') return HttpResponse('Access Denied') uses OR instead of AND; @permission_required('app.view_reports') @superuser_required def reports(request): return HttpResponse('Reports Page') uses @superuser_required which is not a standard Django decorator and will cause a NameError.

  4. Final Answer:

    @permission_required('app.view_reports') def reports(request): if not request.user.is_staff: return HttpResponse('Access Denied') return HttpResponse('Reports Page') -> Option C

  5. Quick Check:

    @permission_required('app.view_reports') def reports(request): if not request.user.is_staff: return HttpResponse('Access Denied') return HttpResponse('Reports Page') [OK]
Hint: Use @permission_required plus manual staff check for AND condition [OK]
Common Mistakes:
  • Using OR instead of AND for permission and staff
  • Missing login or permission decorators
  • Using non-standard decorators without import