I hope you got a quick glance over some of the Django permission apps available and is now able to choose the one that best suits your application. If you know some other interesting apps with different approach we'd love to hear about them in the comments!,Django Guardian is an third party app focused on handling object level permissions. While the native Django permissions manages the access to all objects in a model, with guardian we can control the access to a particular instance of a model. A good thing is that it has a similar interface to Django's:,Django role permissions uses a more high level approach to manage access to views and objects. Instead of saying individually which user has access to which object, we will be defining roles with a default set of permissions defined.,Rules is a very interesting app that does not use any database model to manage object level permissions. Everything is done by verification functions, similar to the django-role-permissions object checkers but more powerful. We start by creating predicates:
But this is not limited to the admin. You can verify user permissions in your own views using the has_perm method provided in the user model.
if user.has_perm('foo.add_bar'):
return HttpResponse("You are authorized to add content!")
else:
return HttpResponse("Permission to add denied")you can also check user permissions in your templates, using the perms variable that is automatically added to the template context:
{
%
if perms.app_label.can_do_something %
}
This content will be shown users with can_do_something permission. {
% endif %
}
This content will be shown to all users.You can also create your own permissions to the models:
class Content(models.Model):
owner = models.ForeignKey(User)
content = models.TextField()
class Meta:
permissions = (
('view_content', 'View content'),
)You can do the same to groups:
>>> from django.contrib.auth.models
import Group
>>>
group = Group.objects.create(name = 'reviewers') >>>
assign_perm('view_content', group, content) >>>
joe.groups.add(group) >>>
joe.has_perm('view_content', content)
TrueDjango role permissions uses a more high level approach to manage access to views and objects. Instead of saying individually which user has access to which object, we will be defining roles with a default set of permissions defined.
from rolepermissions.roles
import AbstractUserRole
class Writer(AbstractUserRole):
available_permissions = {
'create_content': True,
'view_content': True,
}
class Reviewer(AbstractUserRole):
available_permissions = {
'create_content': False,
'view_content': True,
}For App1 on apps.py :
from django.apps
import AppConfig
from django.db.models.signals
import post_migrate
class App1Config(AppConfig):
name = 'app1'
def ready(self):
from.signals
import populate_models
post_migrate.connect(populate_models, sender = self)Create a signals.py file that contains :
def populate_models(sender, ** kwargs):
from django.apps
import apps
from.apps
import App1Config
from django.contrib.auth.models
import Group, Permission
from django.contrib.contenttypes.models
import ContentType
group_app, created = Group.objects.get_or_create(name = App1Config.name)
models = apps.all_models[App1Config.name]
for model in models:
content_type = ContentType.objects.get(
app_label = App1Config.name,
model = model
)
permissions = Permission.objects.filter(content_type = content_type)
group_app.permissions.add( * permissions)Create a file called permissions.py on each app and add :
from.apps
import App1Config
def is_in_group_app1(user):
return user.groups.filter(name = App1Config.name).exists()For CBV :
@method_decorator(user_passes_test(is_in_group_app1), name = 'dispatch')
class LogListView(ListView):
""
" Displays all logs saved on App1 "
""
model = Logger.objects.order_by('-date_created')Create a folder named templatestag and subfolder app1 and a has_perms.py file :
from django
import template
from app1.permissions
import is_in_group_app1
register = template.Library()
@register.filter
def has_perms(user):
return is_in_group_app1(user)This would be achieved by adding something like this:
def in_group_a(user):
return user.groups.filter(name = "Group A").exists()
def in_group_b(user):
return user.groups.filter(name = "Group B").exists()
@user_passes_test(in_group_a)
def app1_view(request):
...
@user_passes_test(in_group_b)
def app2_view(request):
...In order to acheive this as asked (with a single check based on the url prefix) you would have to have a single view per application, that was accessed via a url pattern like:
url(r'^app1/(?P<remaining_url>.*)$', 'app1.views.app1`)Your view would then have to run user_passes_test() as above, and manually parse the remaining_url parameter to work out what to do next:
@user_passes_test(in_group_a)
def app1(request, remaining_url):
# parse remaining_url and work out what to doJul 21, 2022 , Jul 22, 2021 Python News Brief (Q2 2021)
python manage.py shell user = User.objects.first()
from django.contrib.auth.decorators
import permission_required
@permission_required('product.change_name')
def admin_view(request):
""
"Raise permission denied exception or redirect user"
""from django.contrib.auth.mixins
import PermissionRequiredMixin
from django.views.generic
import ListView
class ProductListView(PermissionRequiredMixin, ListView):
permission_required = 'product.change_name'from django.db
import models
class Product(models.Model):
user = models.ForeignKey(User)
class Meta:
permissions = (("change_name", "can change name of product"), ){% if perms.app.change_name %}
<p>can change name of product</p>
{% endif %}
from django.contrib.auth.decorators
import permission_required
@permission_required('app.change_name')
def the_view(request):
...Last modified: Aug 19, 2022, by MDN contributors
INSTALLED_APPS = [
#… 'django.contrib.auth', #Core authentication framework and its
default models.
'django.contrib.contenttypes', #Django content type system(allows permissions to be associated with models).
#…
MIDDLEWARE = [
#… 'django.contrib.sessions.middleware.SessionMiddleware', #Manages sessions across requests
#… 'django.contrib.auth.middleware.AuthenticationMiddleware', #Associates users with requests using sessions.
#…from django.contrib.auth.models
import User
# Create user and save to the database
user = User.objects.create_user('myusername', 'myemail@crazymail.com', 'mypassword')
# Update fields and then save again
user.first_name = 'John'
user.last_name = 'Citizen'
user.save()#Add Django site authentication urls(
for login, logout, password management)
urlpatterns += [
path('accounts/', include('django.contrib.auth.urls')),
]accounts/ login/ [name='login']
accounts/ logout/ [name='logout']
accounts/ password_change/ [name='password_change']
accounts/ password_change/done/ [name='password_change_done']
accounts/ password_reset/ [name='password_reset']
accounts/ password_reset/done/ [name='password_reset_done']
accounts/ reset/<uidb64>/<token>/ [name='password_reset_confirm']
accounts/ reset/done/ [name='password_reset_complete']Exception Type: TemplateDoesNotExist Exception Value: registration / login.html
Note: Your folder structure should now look like the below:
locallibrary / #Django project folder catalog / locallibrary / templates / registration /
When django.contrib.auth is listed in your INSTALLED_APPS setting, it will ensure that four default permissions – add, change, delete, and view – are created for each Django model defined in one of your installed applications.,This is a list with all the views django.contrib.auth provides. For implementation details see Using the views.,Instance of the class to check the one time link. This will default to default_token_generator, it’s an instance of django.contrib.auth.tokens.PasswordResetTokenGenerator.,If you have the Django admin installed, you can also change user’s passwords on the authentication system’s admin pages.
>>> from django.contrib.auth.models
import User
>>>
user = User.objects.create_user('john', 'lennon@thebeatles.com', 'johnpassword')
# At this point, user is a User object that has already been saved
# to the database.You can
continue to change its attributes
#
if you want to change other fields. >>>
user.last_name = 'Lennon' >>>
user.save()$ python manage.py createsuperuser--username = joe--email = joe @example.com
>>> from django.contrib.auth.models
import User
>>>
u = User.objects.get(username = 'john') >>>
u.set_password('new password') >>>
u.save()from django.contrib.auth import authenticate user = authenticate(username = 'john', password = 'secret') if user is not None: # A backend authenticated the credentials else: # No backend authenticated the credentials
myuser.groups.set([group_list])
myuser.groups.add(group, group, ...)
myuser.groups.remove(group, group, ...)
myuser.groups.clear()
myuser.user_permissions.set([permission_list])
myuser.user_permissions.add(permission, permission, ...)
myuser.user_permissions.remove(permission, permission, ...)
myuser.user_permissions.clear()from myapp.models
import BlogPost
from django.contrib.auth.models
import Permission
from django.contrib.contenttypes.models
import ContentType
content_type = ContentType.objects.get_for_model(BlogPost)
permission = Permission.objects.create(
codename = 'can_publish',
name = 'Can Publish Posts',
content_type = content_type,
)You should be using the user_passes_test() or the permission_required() decorators on the views that implement App1 and App2.,You could do this, but I would recommend against it.,Django: Can we set permission to use an app?,Your view would then have to run user_passes_test() as above, and manually parse the remaining_url parameter to work out what to do next:
This would be achieved by adding something like this:
def in_group_a(user):
return user.groups.filter(name = "Group A").exists()
def in_group_b(user):
return user.groups.filter(name = "Group B").exists()
@user_passes_test(in_group_a)
def app1_view(request):
...
@user_passes_test(in_group_b)
def app2_view(request):
...In order to acheive this as asked (with a single check based on the url prefix) you would have to have a single view per application, that was accessed via a url pattern like:
url(r'^app1/(?P<remaining_url>.*)$', 'app1.views.app1`)Your view would then have to run user_passes_test() as above, and manually parse the remaining_url parameter to work out what to do next:
@user_passes_test(in_group_a)
def app1(request, remaining_url):
# parse remaining_url and work out what to doFor App1 on apps.py :
from django.apps
import AppConfig
from django.db.models.signals
import post_migrate
class App1Config(AppConfig):
name = 'app1'
def ready(self):
from.signals
import populate_models
post_migrate.connect(populate_models, sender = self)Create a signals.py file that contains :
def populate_models(sender, ** kwargs):
from django.apps
import apps
from.apps
import App1Config
from django.contrib.auth.models
import Group, Permission
from django.contrib.contenttypes.models
import ContentType
group_app, created = Group.objects.get_or_create(name = App1Config.name)
models = apps.all_models[App1Config.name]
for model in models:
content_type = ContentType.objects.get(
app_label = App1Config.name,
model = model
)
permissions = Permission.objects.filter(content_type = content_type)
group_app.permissions.add( * permissions)Create a file called permissions.py on each app and add :
from.apps
import App1Config
def is_in_group_app1(user):
return user.groups.filter(name = App1Config.name).exists()For CBV :
@method_decorator(user_passes_test(is_in_group_app1), name = 'dispatch')
class LogListView(ListView):
""
" Displays all logs saved on App1 "
""
model = Logger.objects.order_by('-date_created')Create a folder named templatestag and subfolder app1 and a has_perms.py file :
from django
import template
from app1.permissions
import is_in_group_app1
register = template.Library()
@register.filter
def has_perms(user):
return is_in_group_app1(user)The default permission policy may be set globally, using the DEFAULT_PERMISSION_CLASSES setting. For example.,You can also set the authentication policy on a per-view, or per-viewset basis, using the APIView class-based views.,This permission is not strictly required, since you can achieve the same result by using an empty list or tuple for the permissions setting, but you may find it useful to specify this class because it makes the intention explicit.,Note: when you set new permission classes via the class attribute or decorators you're telling the view to ignore the default list set in the settings.py file.
For example:
def get_object(self):
obj = get_object_or_404(self.get_queryset(), pk = self.kwargs["pk"])
self.check_object_permissions(self.request, obj)
return objThe default permission policy may be set globally, using the DEFAULT_PERMISSION_CLASSES setting. For example.
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated',
]
}If not specified, this setting defaults to allowing unrestricted access:
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.AllowAny',
]Or, if you're using the @api_view decorator with function based views.
from rest_framework.decorators
import api_view, permission_classes
from rest_framework.permissions
import IsAuthenticated
from rest_framework.response
import Response
@api_view(['GET'])
@permission_classes([IsAuthenticated])
def example_view(request, format = None):
content = {
'status': 'request was permitted'
}
return Response(content)Provided they inherit from rest_framework.permissions.BasePermission, permissions can be composed using standard Python bitwise operators. For example, IsAuthenticatedOrReadOnly could be written:
from rest_framework.permissions
import BasePermission, IsAuthenticated, SAFE_METHODS
from rest_framework.response
import Response
from rest_framework.views
import APIView
class ReadOnly(BasePermission):
def has_permission(self, request, view):
return request.method in SAFE_METHODS
class ExampleView(APIView):
permission_classes = [IsAuthenticated | ReadOnly]
def get(self, request, format = None):
content = {
'status': 'request was permitted'
}
return Response(content)