How to add authorization to your Django website?


In order to work with users’ data, we first keep track of that data using sessions, and later we enable user login on top of those sessions. "Auth/auth" is the term used to describe the system that handles user authentication and authorization.

The name (auth/auth) recognizes that dealing with users is often a two-step process.

  • Check a username and password against a database of users to verify (authenticate) that a person is who he or she claims to be.

  • Verify (authorize) that the user is authorized to do a specific operation, usually by comparing the user's permissions to a table.

Django’s auth/auth system has many parts, all of which are listed below.

  • Users − Your users are people who have signed up for your website.

  • Permissions − These are binary (yes/no) markers that indicate whether a user is allowed to do a specific task.

  • Groups − A mechanism to apply labels and permissions to several users in a general way.

  • Messages − A simple way for users to queue and see system messages.

  • Profiles − A way for adding custom fields to the user object.

Permissions and Authorization

Authorization checks what an authenticated user is permitted to do on your website. For example, if you are running an ecommerce website with employees and customers as your user roles, the permissions of an employee user and of a customer user differ, and authorization is used to enforce that difference.

Permissions essentially let the developer check whether a particular user is eligible to perform the specific action they want to perform. This is done through permissions and groups.

Django ships with a built-in permissions system that assigns permissions to specific users or to groups of users. The permissions used by the Django admin site are as follows:

  • Users with the "view" or "change" permission for that type of object can view objects.

  • Only users with the "add" permission for that type of object can see the "add" form and add an object.

  • Users with the "change" permission for that type of object can see the change list and the "change" form, and can change an object.

  • Only users with the "delete" permission for that type of object can delete it.

Permissions can be set for different types of objects and also for specific object instances. This is done by overriding the has_add_permission(), has_view_permission(), has_change_permission() and has_delete_permission() methods.

These methods are provided by the ModelAdmin class; each receives the request and, for the instance-level checks, the object being accessed, so permissions can be customized per object.

# set the user's groups (a many-to-many field is assigned with .set(), not with =):
myuser.groups.set(group_list)

# to add or remove a user from groups the following calls can be used.
myuser.groups.add(grp1, grp2)
myuser.groups.remove(grp1, grp2)

# to set, add, remove and clear a user's direct permissions the following calls can be used
# (the field on the User model is named user_permissions).
myuser.user_permissions.set(permission_list)
myuser.user_permissions.add(p1, p2, p3)
myuser.user_permissions.remove(p1)
myuser.user_permissions.clear()

All the commands above are usually written in the views.py file, where the information entered by users is received, authenticated and authorized. So the above code should ideally be written in a views.py file in your project.

Generally, one app is created for login and another for registration. Every app has a views.py file, and authentication and authorization of users during login and registration are done in the respective views.py files.

If your project has multiple roles such as customer, employee and admin, you will have to model those user roles. This can be done by extending the AbstractUser class in your models.py file (and pointing AUTH_USER_MODEL in settings.py at the new class).

from django.db import models
from django.contrib.auth.models import AbstractUser

class User(AbstractUser):
   EMPLOYEE = 1
   CUSTOMER = 2
   ROLE_CHOICES = (
      (EMPLOYEE, 'Employee'),
      (CUSTOMER, 'Customer'),
   )
   # field name assumed here; the original snippet omitted it
   role = models.PositiveSmallIntegerField(choices=ROLE_CHOICES, blank=True, null=True)


Permissions in Django

Default permissions are provided by django.contrib.auth, which is listed in INSTALLED_APPS in the settings.py file. By default this ensures that add, change, delete and view permissions are created for every model in your project.

For example, suppose you are running an ecommerce site whose users are customers and employees, with an app named review and a model named product. To check whether a user has permissions on that model, the following lines of code can be used; the permission string has the form app_label.action_modelname.

# has_perm() is called on a user instance, e.g. request.user inside a view
request.user.has_perm('review.add_product')
request.user.has_perm('review.change_product')
request.user.has_perm('review.delete_product')
request.user.has_perm('review.view_product')

To require a particular permission for a whole view instead of checking it by hand inside the view body, the following decorator can be used.

from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse

@permission_required('review.add_product', raise_exception=True)
def fun(request):
   '''With raise_exception=True a user lacking the permission gets a 403 (PermissionDenied)
   instead of the default redirect to the login page.'''
   return HttpResponse('permission granted')

Or, in a template:

{% if perms.review.add_product %}
   {# markup shown only to users who may add products #}
{% endif %}

The template tag above can also be used to check whether the current user has a permission. In this way, authorization can be implemented in a Django project.
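The following is an added example, not code from the original page or from Django itself: a small pure-Python model of how Django's default ModelBackend resolves has_perm('app_label.codename') from a user's direct permissions plus those of its groups, using the review/product permissions and the employee/customer roles discussed above (and the groups/user_permissions assignments shown earlier). The Group, User, default_perms and build_demo names and all sample users are constructed for the example.

```python
from dataclasses import dataclass, field

# Default codenames Django creates for every model: add, change, delete, view.
def default_perms(app_label: str, model: str) -> set[str]:
    return {f"{app_label}.{a}_{model}" for a in ("add", "change", "delete", "view")}

@dataclass
class Group:
    name: str
    permissions: set[str] = field(default_factory=set)

@dataclass
class User:
    username: str
    is_active: bool = True
    is_superuser: bool = False
    groups: list[Group] = field(default_factory=list)
    user_permissions: set[str] = field(default_factory=set)

    def get_all_permissions(self) -> set[str]:
        # Inactive users hold no permissions; otherwise the effective set is
        # the user's direct permissions plus those of every group it belongs to.
        if not self.is_active:
            return set()
        perms = set(self.user_permissions)
        for group in self.groups:
            perms |= group.permissions
        return perms

    def has_perm(self, perm: str) -> bool:
        # Like Django's ModelBackend: an active superuser passes every check.
        if self.is_active and self.is_superuser:
            return True
        return perm in self.get_all_permissions()

def build_demo() -> dict[str, User]:
    # Constructed sample data: employees manage products, customers only view
    # them, carol also got add_product directly, a deactivated superuser keeps nothing.
    employees = Group("employees", default_perms("review", "product"))
    customers = Group("customers", {"review.view_product"})
    return {
        "alice": User("alice", groups=[employees]),
        "bob": User("bob", groups=[customers]),
        "carol": User("carol", groups=[customers], user_permissions={"review.add_product"}),
        "root": User("root", is_superuser=True),
        "gone": User("gone", is_active=False, is_superuser=True),
    }
```

The check to keep in mind from the last sample user: an inactive account is denied everything, superuser flag or not, so deactivating an account is a complete revocation.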

Updated on: 05-Sep-2022
