Permissions control what users are allowed to do.
Permissions get into one of the hairier parts of Django, the contenttypes
framework. Have a look through the contenttypes
docs if you want to know more. In short, though, it's a model that holds a reference to every non-abstract model in your project.
Like I said at the beginning of
the course, auth is usually made up of
0:00
two parts: authentication, which is
identifying a user, and authorization.
0:03
Authentication has already been handled in
this project with registration, login and
0:08
logout views.
0:12
You can always tell who a user is.
0:13
Authorization, though,
isn't something I really talked about yet.
0:15
How do you tell in Django if a user
is allowed to do the thing that
0:18
they want to do?
0:21
Well, you've used one form
of authorization already.
0:23
Views that just require an authenticated
user have a very simple form of
0:26
authorization too. So long as the user is
authenticated, they're also authorized.
0:29
Authorization can go
much deeper than that.
0:34
Django's basic form of authorization
is through permissions.
0:37
Every time you create a model, Django
creates three new permissions.
0:40
Before I can talk about permissions,
0:44
though, I need to talk
about content types,
0:45
specifically the part of Django that's
known as the content types framework.
0:47
When you make a new non-abstract model in
Django, Django creates a content type, and
0:52
each content type instance holds
an app label like Posts and
0:57
a model name like Post.
1:01
Why store information like
this in the database?
1:03
It gives you a way to refer to
a specific model without knowing exactly
1:05
where that model is defined.
1:09
Each Django permission is
linked to a content type.
1:11
By default you get three permissions for
each content type, add, change and delete.
1:14
Add lets you add new
records to the database,
1:19
Change lets you change existing records,
and Delete lets you delete records.
1:21
You can also add custom
permissions to your models, too.
1:26
One thing I want to explicitly point
out: these permissions are about models,
1:29
not model instances.
1:32
Django doesn't have a built-in concept of
row-level, or object-level, permissions.
1:34
So if a user has the change post
permission, they can change all posts,
1:39
not just the ones that they own.
1:43
And the users that are marked as being
Super Users are automatically granted
1:45
all permissions.
1:49
This is one reason why you want to make
sure you only create as many Super Users
1:49
as you absolutely need.
1:53
But permissions are not just a user thing.
1:55
Groups are a generic way of
lumping users together and
1:57
optionally giving them permissions.
2:00
Any user can belong to as many
groups as they need to, and
2:02
all members of a group have all
of the permissions of the group.
2:05
Now you could of course use groups
without any special permissions.
2:08
Take a little break, get a drink,
do some stretches, and
2:12
then come back to see how to
create custom permissions and
2:14
use permissions to control
what users are allowed to do.
2:17