Monday, 19 July 2021

*Episode 24* PYTHON (Authorization of Django)

 


Authorization


This episode covers :-


 1) How to manage user permissions with groups.

 2) How to manage access using decorators.


  •  Setup :-

Terminal

cp -fr 24-Object-Manipulation 26-Authorization

cd 26-Authorization

source ../venv/bin/activate


  •  Adding the Editor group :-

     Visit admin and add a new “Editor” group using the “+Add” link:



     Select the following permissions and click save:



  • Creating a test user :-

    Visit admin and add a new user using the “+Add” link.



     Add user to the Editor group:



Check Staff status checkbox and save:


     Open another browser and log in to the admin as testuser. Our testuser now has permissions to manage Flower items:



    If you remove the testuser from the Editor group, the admin interface shows the following message:



      Our testuser can still log in to the admin because the Staff status is still enabled for the account.


  •  Using permissions :-

     Edit myapp index.html page and add if statements to check the user permissions:
myapp/templates/myapp/index.html
{{ request.user.get_all_permissions }} <!-- here -->
<div class="card-columns">
{% for flower in flowers %}
...
{% if perms.myapp.change_flower %} <!-- here -->
<a href="{% url 'edit' pk=flower.pk %}" class="card-link">Edit</a>
{% endif %}
{% if perms.myapp.delete_flower %} <!-- here -->
<a href="{% url 'delete' pk=flower.pk %}" class="card-link">Delete</a>
{% endif %}
...
{% endfor %}
</div>

     {{ request.user.get_all_permissions }} shows the current user permissions.


     Now only users with correct permissions will see the Edit and Delete links.

  •  Using decorators :-

     But currently anyone can manage flowers using our custom forms. Let’s restrict access with decorators.

     Edit myapp views.py file and add the decorators:
myapp/views.py
from django.contrib.auth.decorators import permission_required # < here
...

def index(request):
...

@permission_required('myapp.add_flower') # < here
def create(request):
...

@permission_required('myapp.change_flower') # < here
def edit(request, pk=None):
...

@permission_required('myapp.delete_flower') # < here
def delete(request, pk=None):
...


    Now only accounts with the right permissions can access these views.


  • In Details :-

 Authentication vs authorization :-


     Authentication is about verifying a user. Authorization is about restricting or allowing access to resources.


     With Groups you can give multiple permissions to users at once. The Editor group contains permissions for adding, changing and deleting flowers. The user who belongs to the Editor group will get all these permissions.


    {{ request.user.get_all_permissions }} reveals the machine names for the current user permissions:

User permissions

{'myapp.delete_flower', 'myapp.change_flower', 'myapp.add_flower'}


     You can use perms.PERMISSION in templates to access the current user permissions:

Checking user permissions

{% if perms.myapp.change_flower %}
...
{% endif %}


Controlling access with decorators :-


     Decorators allow us to dynamically alter a function or a class. Django provides some useful decorators related to user access: https://samuli.to/Auth-Decorators.

Using a decorator

@permission_required('myapp.add_flower')
def create(request):
...


     Another useful one is the login_required decorator:

@login_required decorator

@login_required
def profile(request):
...


     In this case you have to be logged in to access the profile page. Otherwise the visitor is redirected to the URL specified by settings.LOGIN_URL.


Summary


  •  You can group permissions and assign users to these groups.
  •  Current user permissions are available in templates using the {{ perms }} template variable.
  •  {{ request.user.get_all_permissions }} displays all permissions for the current logged-in user.
  •  @permission_required() decorator checks if the current user has a particular permission. This is a convenient way to restrict access to specific views.
  •  @login_required is a more general decorator that requires the user to be logged in.
