10 Authorization
This chapter covers
- Creating superusers and permissions
- Managing group membership
- Enforcing application-level authorization with Django
- Testing authorization logic
Authentication and authorization have a tendency to be confused for one another. Authentication relates to who a user is; authorization relates to what a user can do. Authentication is the prerequisite for authorization. In this chapter I cover authorization, also known as access control, as it relates to application development. In the next chapter I continue with OAuth 2, a standardized authorization protocol.
OWASP Top Ten #5
At the time of this writing, broken authorization is #5 on the OWASP Top Ten (https://owasp.org/www-project-top-ten/).
You begin this chapter by diving into application-level authorization with permissions. A permission is the most atomic form of authorization. It authorizes a person, or a group of people, to do one and only one thing. Next, you create a superuser account for Alice. Then you log into the Django administration console as Alice, where you manage user and group permissions. Afterward, I show you several ways to apply permissions and groups to control who can access protected resources.
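As an added illustration (not the book's own code), the block below models the permission resolution Django performs when a view is guarded by a permission: an active superuser passes every check, an inactive account fails every check, and any other user must hold the permission directly or through a group. It does not import Django; the `User`/`Group` classes, the `messaging.delete_message` codename and the users other than Alice are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    permissions: set[str] = field(default_factory=set)  # "app_label.codename"


@dataclass
class User:
    username: str
    is_active: bool = True
    is_superuser: bool = False
    user_permissions: set[str] = field(default_factory=set)
    groups: list[Group] = field(default_factory=list)

    def get_all_permissions(self) -> set[str]:
        # Union of permissions granted directly and via group membership
        perms = set(self.user_permissions)
        for group in self.groups:
            perms |= group.permissions
        return perms

    def has_perm(self, perm: str) -> bool:
        if not self.is_active:      # inactive accounts get nothing, even superusers
            return False
        if self.is_superuser:       # active superusers implicitly hold every permission
            return True
        return perm in self.get_all_permissions()


def permission_required(perm: str):
    """Deny the view unless the caller holds the named permission."""
    def decorator(view):
        def wrapper(user, *args, **kwargs):
            if not user.has_perm(perm):
                raise PermissionError(f"{user.username} lacks {perm}")
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


@permission_required("messaging.delete_message")   # assumed codename
def delete_message(user: User, message_id: int) -> str:
    return f"deleted message {message_id}"


def check_access(user: User, message_id: int = 1) -> bool:
    """True if the user may call the protected view, False if denied."""
    try:
        delete_message(user, message_id)
        return True
    except PermissionError:
        return False


def build_sample_users() -> dict[str, User]:
    # Constructed sample data: a superuser, a group member, a plain user, a disabled superuser
    moderators = Group("moderators", {"messaging.delete_message"})
    return {
        "alice": User("alice", is_superuser=True),
        "bob": User("bob", groups=[moderators]),
        "charlie": User("charlie"),
        "retired": User("retired", is_active=False, is_superuser=True),
    }
```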