Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Permissions

2:20 with Kenneth Love

Permissions control what users are allowed to do.

Permissions get into one of the hairier parts of Django, the contentypes framework. Have a look through the contenttypes docs if you want to know more. In short, though, it's a model that holds a reference to every non-abstract model in your project.

  • 0:00

    Like I said at the beginning of the course, auth is usually made up of

  • 0:03

    two parts, authentication which is identifying a user, and authorization.

  • 0:08

    Authentication has already been handled in this project with registration, login and

  • 0:12

    logout views.

  • 0:13

    You can always tell who a user is.

  • 0:15

    Authorization, though, isn't something I really talked about yet.

  • 0:18

    How do you tell in Django if a user is allowed to do the thing that

  • 0:21

    they want to do?

  • 0:23

    Well you've used one form of authorization already.

  • 0:26

    Views that just require an authenticated user have a very simple form of

  • 0:29

    authorization too so long as the user is authenticated they're also authorized.

  • 0:34

    Authorization can go much deeper than that.

  • 0:37

    Django's basic form of authorization is through permissions.

  • 0:40

    Every time you create a model Django creates three new permissions.

  • 0:44

    Before I can talk about permissions,

  • 0:45

    though, I need to talk about content types,

  • 0:47

    specifically the part of Django that's known as the content types framework.

  • 0:52

    When you make a new non-abstract model of Django, Django creates a content type in

  • 0:57

    each content type instance holds an applicable like Posts and

  • 1:01

    a model name like Post.

  • 1:03

    Why store information like this in the database?

  • 1:05

    It gives you a way to refer to a specific model without knowing exactly

  • 1:09

    where that model is to find.

  • 1:11

    Each Django permission is linked to a content type.

  • 1:14

    By default you get three permissions for each content type, add, change and delete.

  • 1:19

    Add lets you add new records to the database,

  • 1:21

    Change lets you change existing records, and Delete lets you delete records.

  • 1:26

    You can also add custom permissions to your models, too.

  • 1:29

    One thing I want to explicitly point out these permissions are about models,

  • 1:32

    not model instances.

  • 1:34

    Django doesn't have a built in concept of role level, or object level permissions.

  • 1:39

    So if a user has the change post permission they can change all posts,

  • 1:43

    not just the ones that they own.

  • 1:45

    And the users that are marked as being Super Users are automatically granted

  • 1:49

    all permissions.

  • 1:49

    This is one reason why you want to make sure you only create as many Super Users

  • 1:53

    as you absolutely need.

  • 1:55

    But permissions are not just a user thing.

  • 1:57

    Groups are generic way of lumping users together and

  • 2:00

    optionally giving them permissions.

  • 2:02

    Any user can belong to as many groups as they need to, and

  • 2:05

    all members of a group have all of the permissions of the group.

  • 2:08

    Now you could of course use groups without any special permissions.

  • 2:12

    Take a little break, get a drink, do some stretches, and

  • 2:14

    then come back to see how to create custom permissions and

  • 2:17

    use permissions to control what users are allowed to do.

You need to sign up for Treehouse in order to download course files.

Sign up