Django: Getting Started Transcripts
Chapter: Users and Account Management
Lecture: Authentication vs authorization
0:00
Logging into a website is really about two things. First, authentication: that's proving who you are.
0:08
And second is authorization, which covers what you can do.
0:12
The authorization part is typically based on data associated with the account you use to authenticate.
0:17
Authorization can be something simple, like is or is not staff, or something very complicated
0:25
based on group membership and individual permissions for pages or rows in a database. As I mentioned in the previous chapter,
0:32
the Django admin by default requires superuser or staff authorization level for access. Just because you can log in,
0:40
doesn't mean you can go to all of the URLs. Authentication can be controlled in a few different ways.
0:47
You can explicitly do a lookup in the database inside of a view,
0:51
checking whether the staff bit is set, for example, or Django provides some decorators that will check certain permissions for you.
0:59
The simplest, which just makes sure the user is logged in, is called `login_required`.
1:04
Adding this decorator to your view will take care of the permission check and will redirect users who aren't logged in to a login page.