access control

Access Control - Basic Security Part 5

James Socol

23 Jul 2012 • 1 min read

NB: This is the fifth post in a series of posts on web application security.

Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone, you just:

{% [if](http://smarty.php.net/if) perms.myapp.mymodel %}

{% url myapp:mymodel_edit obj.pk %}">Edit

{% endif %}

Hiding a link isn’t enough, though, you need to make sure that privileged pages are only accessible to the right set of users.

In Django, use the @permission_required decorator, and it’ll pretty much handle everything for you:

@permission_required(‘myapp.change_mymodel’)

def edit_thing(request, obj_id):

"""Edit a MyObject."""

There are also [`@login_required`](https://docs.djangoproject.com/en/dev/topics/auth/#the-login-required-decorator) and the more complex [`@user_passes_test`](https://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.decorators.user_passes_test) decorators, helping provide a whole spectrum of authentication tools.

Read the docs. Use the tools. You’ll be fine.

Go to the series index.
Go to the previous post in the series, Injections, SQL and otherwise.
Go to the next post in the series, Session Fixation and Hijacking.

Sign up for more like this.