Access Control - Basic Security Part 5

NB: This is the fifth post in a series of posts on web application security.

Proper access control is an absolutely key part of web app security and is easily overlooked, possibly because it’s so easy. In Django, to hide a link from users who lack a permission, you just wrap it in a check against the `perms` template variable (permission names follow Django’s `app_label.codename` convention; `change_mymodel` is the default codename for editing `MyModel`):

```django
{% if perms.myapp.change_mymodel %}
  ...  {# the link markup goes here #}
{% endif %}
```

Hiding a link isn’t enough, though: anyone who knows or guesses the URL can still request the page, so you need to make sure that privileged views are only accessible to the right set of users.

In Django, use the `@permission_required` decorator. It checks the named permission before the view body runs and handles the failure response for you (by default it redirects to the login page, even for a logged-in user who merely lacks the permission; pass `raise_exception=True` to return a 403 instead):

```python
from django.contrib.auth.decorators import permission_required

@permission_required('myapp.change_mymodel')
def editthing(request, objid):
    """Edit a MyObject."""
    ...  # view body not shown on the original page
```

Note that this is a model-level check: it says whether the user may edit MyObjects in general, not whether they may edit the particular object named by `objid`. Any per-object rule (ownership, team membership) still has to be enforced inside the view.

There are also `@login_required` and the more general `@user_passes_test` decorators, covering the spectrum from plain authentication (is anyone logged in at all?) to arbitrary authorization predicates.
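The following is an added example, not code from the original post, showing the point that matters most when `@permission_required` guards a view that takes an object id: the decorator answers "may this user edit MyObjects?", not "may this user edit *this* MyObject?". Django is not imported; the `User`, `Request`, `Response` and `PermissionDenied` classes and the `MYOBJECTS` table are constructed stand-ins, and the local `permission_required` mirrors the documented behaviour of Django’s decorator (redirect to the login URL on failure by default, `PermissionDenied` when `raise_exception=True`) without being Django’s code. `LOGIN_URL` is an assumed setting value.

```python
"""Added illustration: @permission_required is necessary but not sufficient
for an edit view keyed by object id. Pure Python; Django is not imported."""
from dataclasses import dataclass
from functools import wraps

LOGIN_URL = "/accounts/login/"  # assumed, standing in for settings.LOGIN_URL


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as 403)."""


@dataclass
class User:
    """Constructed stand-in for the auth user; no superuser shortcut here."""
    username: str
    permissions: frozenset = frozenset()
    is_authenticated: bool = True

    def has_perm(self, perm):
        # Permission strings use Django's "app_label.codename" form.
        return self.is_authenticated and perm in self.permissions


@dataclass
class Request:
    user: User


@dataclass
class Response:
    status: int
    body: str = ""


# Constructed "database": two objects with different owners.
MYOBJECTS = {
    1: {"owner": "alice", "title": "alice's thing"},
    2: {"owner": "bob", "title": "bob's thing"},
}


def permission_required(perm, login_url=LOGIN_URL, raise_exception=False):
    """Model-level check mirroring Django's decorator semantics."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if request.user.has_perm(perm):
                return view(request, *args, **kwargs)
            if raise_exception:
                raise PermissionDenied
            # Default: redirect to login, even when the user is logged in.
            return Response(302, f"redirect:{login_url}")
        return wrapped
    return decorator


@permission_required("myapp.change_mymodel")
def editthing_default(request, objid):
    """Permission checked, ownership not: any user holding the model-level
    permission can edit any object by changing objid (an IDOR)."""
    obj = MYOBJECTS[objid]
    return Response(200, f"editing {obj['title']}")


@permission_required("myapp.change_mymodel", raise_exception=True)
def editthing_hardened(request, objid):
    """Model-level permission via the decorator, plus an object-level
    ownership check in the view; both failures surface as a 403."""
    obj = MYOBJECTS.get(objid)
    if obj is None:
        return Response(404)
    if obj["owner"] != request.user.username:
        raise PermissionDenied
    return Response(200, f"editing {obj['title']}")


def call(view, user, objid):
    """Invoke a view, mapping PermissionDenied to a 403 as Django's handler does."""
    try:
        return view(Request(user), objid)
    except PermissionDenied:
        return Response(403)


if __name__ == "__main__":
    editor = frozenset({"myapp.change_mymodel"})
    alice, bob = User("alice", editor), User("bob", editor)
    carol = User("carol")  # logged in, holds no permission
    print(call(editthing_default, bob, 1).status)    # 200: bob edits alice's object
    print(call(editthing_default, carol, 1).body)    # redirect:/accounts/login/
    print(call(editthing_hardened, bob, 1).status)   # 403
    print(call(editthing_hardened, alice, 1).status) # 200
    print(call(editthing_hardened, carol, 1).status) # 403
```

The first view is what the decorator alone buys you: Bob, who legitimately holds `change_mymodel`, can edit Alice’s object simply by supplying her `objid`. The second view keeps the decorator for the model-level check, sets `raise_exception=True` so an unauthorized but authenticated user sees a 403 instead of being bounced to a login page they are already past, and adds the ownership test that only the view itself can perform.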

Read the docs. Use the tools. You’ll be fine.