Access Control - Basic Security Part 5

NB: This is the fifth post in a series of posts on web application security.

Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone, you just:

```django
{# perms is checked as app_label.codename, matching the decorator below #}
{% if perms.myapp.change_mymodel %}
    {# link to the privileged view goes here #}
{% endif %}
```
Hiding a link isn't enough, though: you also need to make sure that privileged pages are only accessible to the right set of users, because anyone who knows or guesses the URL can request it directly.

In Django, use the @permission_required decorator, and it’ll pretty much handle everything for you:

```python
from django.contrib.auth.decorators import permission_required


# A user without the permission is redirected to the login page (or gets a
# 403 when raise_exception=True is passed), so the body never runs for them.
@permission_required('myapp.change_mymodel')
def edit_thing(request, obj_id):
    """Edit a MyObject."""
    ...
```
There are also [`@login_required`](https://docs.djangoproject.com/en/dev/topics/auth/#the-login-required-decorator) and the more complex [`@user_passes_test`](https://docs.djangoproject.com/en/dev/topics/auth/#django.contrib.auth.decorators.user_passes_test) decorators, helping provide a whole spectrum of authentication tools.
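To make the "hiding a link isn't enough" point concrete, here is an added stand-alone model (plain Python, not Django's code) of what `@permission_required` enforces: a user with the permission reaches the view, an anonymous user is redirected to the login page, and a logged-in user without the permission gets a 403, while an undecorated view lets anyone who knows the URL straight in. The `User`, `Request` classes and the `/accounts/login/` default are constructed stand-ins for this example.

```python
# Stand-alone model of the @permission_required check: plain Python, no Django.
# User and Request below are constructed stand-ins, not Django's own classes.
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    perms: set = field(default_factory=set)  # e.g. {"myapp.change_mymodel"}

    def has_perm(self, perm: str) -> bool:
        # Mirrors Django: active superusers implicitly hold every permission.
        return self.is_superuser or perm in self.perms


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User
    path: str


def permission_required(perm: str, login_url: str = "/accounts/login/"):
    """Decorator factory modelled on Django's; returns (status, body) tuples."""
    def decorator(view):
        @wraps(view)
        def wrapped(request: Request, *args, **kwargs):
            if request.user.has_perm(perm):
                return view(request, *args, **kwargs)
            if not request.user.is_authenticated:
                return (302, f"{login_url}?next={request.path}")
            return (403, "Forbidden")  # authenticated but not authorised
        return wrapped
    return decorator


@permission_required("myapp.change_mymodel")
def edit_thing(request: Request, obj_id: int):
    """Protected view: only reached when the permission check passes."""
    return (200, f"editing MyModel {obj_id}")


def unprotected_edit_thing(request: Request, obj_id: int):
    """Same view with the link merely hidden in a template: nothing enforced."""
    return (200, f"editing MyModel {obj_id}")
```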

Read the docs. Use the tools. You’ll be fine.