โฎ Previous Next โฏ

Permissions

  • Understand Django permissions and how to implement role-based access control.

  • What are Permissions in Django?

    Permissions define actions a user is allowed to perform.

    Examples:

    • Can add a product

    • Can edit a blog post

    • Can delete a user

    Django permissions are:

    • Model-based

    • Database-driven

    • Automatically created

    Default Permissions in Django

    For every model, Django automatically creates:

    Permission

    Codename

    Add

    add_modelname

    Change

    change_modelname

    Delete

    delete_modelname

    View

    view_modelname

    Example for Book model:

    • add_book

    • change_book

    • delete_book

    • view_book

    Permission Architecture (Flow)

    User โ†’ Group โ†’ Permissions โ†’ Access Control


    โœ” Users can have permissions directly
    โœ” Users can inherit permissions from groups

    Groups in Django

    A Group is a collection of permissions.

    Why use Groups?

    • Easy role management

    • Avoid assigning permissions one by one

    • Ideal for real-world roles (Admin, Editor, Staff)

    Creating Models for Permission Demo

Sample Model

A simple Article model for demonstrating permissions. 

# models.py
from django.db import models

class Article(models.Model):
    title = models.CharField(max_length=200)
    content = models.TextField()
    is_published = models.BooleanField(default=False)

    def __str__(self):
        return self.title

  • After creating model:

    python manage.py makemigrations

    python manage.py migrate

    Working with Permissions in Code

Check User Permission

Use has_perm() to check permissions. 

if request.user.has_perm('app_name.add_article'):
    print("User can add article")

  • Creating Groups & Assigning Permissions (Admin Panel)

    Steps:

    1. Open Django Admin

    2. Go to Groups

    3. Create group (e.g., Editor)

    4. Assign permissions

    5. Add users to group

    Example Groups:

    • Admin โ†’ All permissions

    • Editor โ†’ Add & change articles

    • Viewer โ†’ View only

    Programmatically Creating Groups

Create Group with Permissions

Create a group and assign permissions using ORM. 

from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType
from .models import Article

content_type = ContentType.objects.get_for_model(Article)
permissions = Permission.objects.filter(content_type=content_type)

editor_group, created = Group.objects.get_or_create(name='Editor')
editor_group.permissions.set(permissions)

  • User Roles (Role-Based Access Control)

    Django does not provide roles directly, but we implement roles using:

    • Groups

    • Permissions

    • Custom logic

    Common Roles:

    Role

    Description

    Admin

    Full system access

    Manager

    Manage content & users

    Editor

    Create & update content

    Viewer

    Read-only


  • Restricting Views Using Permissions

Permission Protected View

Use decorator to restrict access. 

from django.contrib.auth.decorators import permission_required

@permission_required('app_name.add_article', raise_exception=True)
def add_article(request):
    return HttpResponse("You can add article")

  • Permissions in Templates

Template Permission Check

Show buttons conditionally. 

{% if perms.app_name.change_article %}
<button>Edit</button>
{% endif %}

  • Superuser vs Staff

    User Type

    Description

    Superuser

    Has all permissions

    Staff

    Can access admin (limited)

    Normal User

    No admin access

    Importance of Permissions

    โœ” Secure application
    โœ” Prevent unauthorized actions
    โœ” Scalable user management
    โœ” Industry-standard access control

    Realโ€‘World Example

    College Management System

    • Admin โ†’ Manage users, courses

    • Teacher โ†’ Add marks, update syllabus

    • Student โ†’ View results only

โฎ Previous Next โฏ