Permissions control what users are allowed to do.
Permissions get into one of the hairier parts of Django, the contenttypes framework. Have a look through the contenttypes docs if you want to know more. In short, though, it's a model that holds a reference to every non-abstract model in your project.
-
0:00
Like I said at the beginning of the course, auth is usually made up of
-
0:03
two parts, authentication which is identifying a user, and authorization.
-
0:08
Authentication has already been handled in this project with registration, login and
-
0:12
logout views.
-
0:13
You can always tell who a user is.
-
0:15
Authorization, though, isn't something I really talked about yet.
-
0:18
How do you tell in Django if a user is allowed to do the thing that
-
0:21
they want to do?
-
0:23
Well, you've used one form of authorization already.
-
0:26
Views that just require an authenticated user have a very simple form of
-
0:29
authorization too. So long as the user is authenticated, they're also authorized.
-
0:34
Authorization can go much deeper than that.
-
0:37
Django's basic form of authorization is through permissions.
-
0:40
Every time you create a model Django creates three new permissions.
-
0:44
Before I can talk about permissions,
-
0:45
though, I need to talk about content types,
-
0:47
specifically the part of Django that's known as the content types framework.
-
0:52
When you make a new non-abstract model in Django, Django creates a content type, and
-
0:57
each content type instance holds an app label like Posts and
-
1:01
a model name like Post.
-
1:03
Why store information like this in the database?
-
1:05
It gives you a way to refer to a specific model without knowing exactly
-
1:09
where that model is defined.
-
1:11
Each Django permission is linked to a content type.
-
1:14
By default you get three permissions for each content type, add, change and delete.
-
1:19
Add lets you add new records to the database,
-
1:21
Change lets you change existing records, and Delete lets you delete records.
-
1:26
You can also add custom permissions to your models, too.
-
1:29
One thing I want to explicitly point out: these permissions are about models,
-
1:32
not model instances.
-
1:34
Django doesn't have a built-in concept of role-level or object-level permissions.
-
1:39
So if a user has the change post permission they can change all posts,
-
1:43
not just the ones that they own.
-
1:45
And the users that are marked as being Super Users are automatically granted
-
1:49
all permissions.
-
1:49
This is one reason why you want to make sure you only create as many Super Users
-
1:53
as you absolutely need.
-
1:55
But permissions are not just a user thing.
-
1:57
Groups are a generic way of lumping users together and
-
2:00
optionally giving them permissions.
-
2:02
Any user can belong to as many groups as they need to, and
-
2:05
all members of a group have all of the permissions of the group.
-
2:08
Now you could of course use groups without any special permissions.
-
2:12
Take a little break, get a drink, do some stretches, and
-
2:14
then come back to see how to create custom permissions and
-
2:17
use permissions to control what users are allowed to do.