How to add groups in Django using authentication system?
Django is equipped with a built-in permissions system that assigns permissions to specific users or groups of users. The Django admin site uses permissions as follows:
- Users with the "view" or "update" permission for that type of object have access to view objects.
- Only users with the "add" permission for that type of item have access to view the "add" form and add an object.
- Users with the "change" permission for that type of item have access to the change list, the "change" form, and the ability to change an object.
- Only users with the "delete" permission for that object type have access to delete it.
Permissions can be set for different types of objects and also for specific object instances. This is done with the has_add_permission(), has_view_permission(), has_change_permission() and has_delete_permission() methods.
These methods are provided by the ModelAdmin class, and overriding them makes it possible to customize permissions for different objects.
```python
# Set the user's groups (many-to-many fields are assigned with set()):
myuser.groups.set(group_list)

# To add or remove a user from a group the following commands can be used.
myuser.groups.add(grp1, grp2)
myuser.groups.remove(grp1, grp2)

# To set, add, remove and clear all permissions the following commands can be used.
# On a User object the field is named user_permissions.
myuser.user_permissions.set(permission_list)
myuser.user_permissions.add(p1, p2, p3)
myuser.user_permissions.remove(p1)
myuser.user_permissions.clear()
```
All the commands above are usually written in the views.py file, where the information entered by users is received, authenticated and authorized.
So the code above should ideally be written in a views.py file in your project.
Default permissions are provided by django.contrib.auth, which is listed in INSTALLED_APPS in the settings.py file. By default this ensures that add, view, update and delete permissions are created for all the models in your project.
For example, suppose you are running an ecommerce site whose users are customers and employees, with an app named review and a model named product. To check if a user has permissions regarding that model, the following lines of code can be used.
```python
# `user` is a User instance, for example request.user inside a view.
user.has_perm('review.add_product')
user.has_perm('review.change_product')  # "change" is Django's codename for the update permission
user.has_perm('review.delete_product')
user.has_perm('review.view_product')
```
To check if a user has particular permissions instead of individually checking for all, the following can also be used.
```python
from django.contrib.auth.decorators import permission_required

# By default a user without the permission is redirected to the login page;
# pass raise_exception=True to return a 403 (PermissionDenied) instead.
@permission_required('review.add_product')
def fun(request):
    """can raise error stating that permission is denied."""
```
Or
```django
{% if perms.review.add_product %}
```
The above line can also be used in a template to check if the user has permission.
Custom permissions
In case the 4 permissions given by Django do not satisfy your website's needs, you can create custom permissions, such as a "find product" permission. The customer and the employee can both have the permission to search for a product.
To define a custom permission, add it to the permissions of the product model.
```python
from django.contrib.auth.models import User
from django.db import models


class Product(models.Model):
    # on_delete is a required argument of ForeignKey
    user = models.ForeignKey(User, on_delete=models.CASCADE)

    class Meta:
        # (codename, human-readable name) pairs
        permissions = (
            ("search_product", "search for vote"),
        )
```
Groups in Django
A Django group is a list of permissions. A group consists of multiple users. One user can be a part of many groups and one group can have multiple users.
The major advantage of using groups is that a user in a group automatically has all the permissions given to that group. Multiple groups can be created to restrict permissions.
To create groups in Django, the following can be used.
```python
from django.contrib.auth.models import Group, Permission

employee_group, created = Group.objects.get_or_create(name='employee')

# permission_list is any iterable of Permission objects, for example:
permission_list = Permission.objects.filter(
    content_type__app_label='review',
    codename__in=['add_product', 'view_product'],
)

# To assign a set of permissions to a particular group
employee_group.permissions.set(permission_list)
# remove() and add() take the permissions as separate arguments
employee_group.permissions.remove(*permission_list)
employee_group.permissions.add(*permission_list)
employee_group.permissions.clear()
```
