10 Authorization


This chapter covers

  • Creating superusers and permissions
  • Managing group membership
  • Enforcing application-level authorization with Django
  • Testing authorization logic

Authentication and authorization have a tendency to be confused with each other. Authentication relates to who a user is; authorization relates to what a user can do. Authentication and authorization are often referred to as authn and authz, respectively. Authentication is the prerequisite for authorization. In this chapter, I cover authorization, also known as access control, as it relates to application development. In the next chapter, I continue with OAuth 2, a standardized authorization protocol.

Note

At the time of this writing, broken authorization is number 5 on the OWASP Top Ten list of critical security risks (https://owasp.org/www-project-top-ten/).

You’ll begin this chapter by diving into application-level authorization with permissions. A permission is the most atomic form of authorization. It authorizes a person, or a group of people, to do one and only one thing. Next, you’ll create a superuser account for Alice. Then you’ll log into the Django administration console as Alice, where you’ll manage user and group permissions. Afterward, I’ll show you several ways to apply permissions and groups to control who can access protected resources.
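As an added illustration (not code from the book), here is a Django-free Python model of the relationships just described: atomic permissions, group membership, and the superuser. The `has_perm` decision order mirrors the rules Django's default `ModelBackend` applies (inactive users denied, active superusers granted everything, everyone else needs the exact permission); the `blog.change_article` codename and the users are constructed sample data.

```python
"""Simplified model of Django-style permission resolution (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    # Permission codenames in Django's "app_label.codename" form, e.g. "blog.change_article"
    permissions: set[str] = field(default_factory=set)


@dataclass
class User:
    username: str
    is_active: bool = True
    is_superuser: bool = False
    user_permissions: set[str] = field(default_factory=set)  # granted directly
    groups: list[Group] = field(default_factory=list)        # granted via membership

    def get_all_permissions(self) -> set[str]:
        """Union of directly assigned permissions and those inherited from groups."""
        perms = set(self.user_permissions)
        for group in self.groups:
            perms |= group.permissions
        return perms

    def has_perm(self, perm: str) -> bool:
        """Same decision order as Django's ModelBackend: an inactive account is
        denied everything, an active superuser is granted everything, and any
        other user must hold the exact permission, directly or via a group."""
        if not self.is_active:
            return False
        if self.is_superuser:
            return True
        return perm in self.get_all_permissions()


def can_edit_article(user: User) -> bool:
    """One application-level check: a single permission guards a single action."""
    return user.has_perm("blog.change_article")


if __name__ == "__main__":
    # Constructed sample data: one group, four accounts with different standing.
    editors = Group("editors", {"blog.change_article"})
    alice = User("alice", is_superuser=True)          # superuser: everything
    bob = User("bob", groups=[editors])               # permission via group
    carol = User("carol")                             # no permissions at all
    dave = User("dave", is_active=False, is_superuser=True)  # inactive: nothing
    for u in (alice, bob, carol, dave):
        print(u.username, can_edit_article(u))
```

Because the rules are isolated in `has_perm`, the deny cases (no permission, inactive superuser) can be asserted directly in a unit test alongside the allow cases.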

10.1 Application-level authorization

10.1.1 Permissions

10.1.2 User and group administration

10.2 Enforcing authorization

10.2.1 The low-level hard way

10.2.2 The high-level easy way

10.2.3 Conditional rendering

10.2.4 Testing authorization

10.3 Antipatterns and best practices