Django: Getting Started Transcripts
Chapter: Users and Account Management
Lecture: Authentication vs authorization

0:00 Logging into a website is really about two things. First, authentication: that's proving who you are.
0:08 And second is authorization, which covers what you can do.
0:12 The authorization part is typically based on data associated with the account you use to authenticate.
0:17 Authorization can be something simple, like is or is not staff, or something very complicated
0:25 based on group membership and individual permissions for pages or rows in a database. As I mentioned in the previous chapter,
0:32 the Django admin by default requires superuser or staff authorization level for access. Just because you can log in
0:40 doesn't mean you can go to all of the URLs. Authentication can be controlled in a few different ways.
0:47 You can explicitly do a lookup in the database inside of a view,
0:51 checking whether the staff bit is set, for example, or Django provides some decorators that will check certain permissions for you.
0:59 The simplest, which just makes sure the user is logged in, is called login_required.
1:04 Adding this decorator to your view will take care of the permission check and will redirect users who aren't logged in to a login page.