Slide 101
Permissions
Once users are authenticated, they can be checked for permissions. Django ships with three “classes” of users. Superusers, like you make when you start your project,
can do anything they want on your site. They are assumed to have all permissions.
Next are authenticated users. Each of them, according to their own personal permissions and the permissions of the Group they belong to, can do particular things
around your site. Maybe they can create recipes but they can’t delete them, for instance.
And, lastly, Django has an anonymous user. These users are not authenticated and generally aren’t allowed to do anything.
Django doesn’t come with object- or row-level permissions, so you can’t automatically say “OK, Jill, you can edit the blog posts that you wrote, but not the ones that
Omar wrote”. Packages like django-guardian make this possible and fairly easy. You can also write checks like this into your views, mixins, or model managers.
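One way to write such an ownership check as a view mixin, added here as an example and not taken from the slides. The names `OwnerRequiredMixin`, `owner_field` and `author_id` are assumptions, and the user, post and view classes are constructed stand-ins so the check runs without a database.

```python
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Optional

try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # lets the example run where Django is not installed
    class PermissionDenied(Exception):
        pass

class OwnerRequiredMixin:
    """Hypothetical mixin: only the object's owner or a superuser gets the object.

    List it before a view that provides get_object(), such as UpdateView.
    """
    owner_field = "author_id"  # assumed name of the owner column on the model

    def get_object(self, *args, **kwargs):
        obj = super().get_object(*args, **kwargs)
        user = self.request.user
        if not user.is_authenticated:  # anonymous users are refused outright
            raise PermissionDenied("login required")
        if user.is_superuser or getattr(obj, self.owner_field) == user.pk:
            return obj
        raise PermissionDenied("not the owner of this object")

# --- Constructed stand-ins for the user model, a blog post and a detail view ---
@dataclass
class User:
    pk: Optional[int]
    is_authenticated: bool = True
    is_superuser: bool = False

@dataclass
class Post:
    author_id: int

class FakeSingleObjectView:
    """Plays the role of Django's SingleObjectMixin.get_object()."""
    posts = {1: Post(author_id=10), 2: Post(author_id=20)}
    def __init__(self, request, pk):
        self.request, self.pk = request, pk
    def get_object(self):
        return self.posts[self.pk]

class PostEditView(OwnerRequiredMixin, FakeSingleObjectView):
    """The MRO runs the ownership check around the object lookup."""

def can_edit(user, pk):
    """Return True if the view hands the post to this user."""
    try:
        PostEditView(SimpleNamespace(user=user), pk).get_object()
        return True
    except PermissionDenied:
        return False
```

Putting the check in `get_object()` means every handler that loads the object goes through it, so a new HTTP method added to the view cannot skip the ownership test.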