Authentication and authorization have a tendency to be confused with each other. Authentication relates to who a user is; authorization relates to what a user can do. Authentication and authorization are often referred to as authn and authz, respectively. Authentication is the prerequisite for authorization. In this chapter, I cover authorization, also known as access control, as it relates to application development. In the next chapter, I continue with OAuth 2, a standardized authorization protocol.
Note
At the time of this writing, broken authorization is number 5 on the OWASP Top Ten list of critical security risks (https://owasp.org/www-project-top-ten/).
You’ll begin this chapter by diving into application-level authorization with permissions. A permission is the most atomic form of authorization. It authorizes a person, or a group of people, to do one and only one thing. Next, you’ll create a superuser account for Alice. Then you’ll log into the Django administration console as Alice, where you’ll manage user and group permissions. Afterward, I’ll show you several ways to apply permissions and groups to control who can access protected resources.