Security is a very important aspect in web development, sometimes so much underrated. While naming folders mostly on your project tree we can easily find auth, ask yourself if that is authentication or authorization? Well, this post about both authentication and authorization, but however emphasis will be brought more to authorization.
Authentication v/s Authorization
Authentication verifies who you are; authorization determines what you can access.
Small stories extract showing some people who access what they were not to:
2013 (Edward Snowden and the NSA incidence): Edward Snowden, a contractor for National Security Agency (NSA) by then, exploited his privileged access to leak classified documents revealing global surveillance programs to The Washington Post and The Guardian. The alleged stories about NSA spying on world leaders, foreign governments and the U.S. citizens, as well as its attempts to undermine internet security, became facts and putting the agency at the center of the worst scandal they could ever imagine.
2017 (Vanderbilt University Medical Center Breach): Two employees at Vanderbilt University Medical Center inappropriately accessed the medical records of 3,000 patients over 19 months. Their roles did not require such extensive access, indicating a failure to enforce the principle of least privilege.
2018 (SingHealth Data Breach): In Singapore, the personal particulars of 1.5 million patients were stolen from SingHealth's database. Attackers gained privileged access by compromising a front-end workstation and obtaining login credentials, exploiting weak access controls.
2024 (Sellafield Cybersecurity Failings): Sellafield, a nuclear site in Cumbria, UK, was fined nearly £400,000 after pleading guilty to cyber security failures over a four-year period.
2025 (Ambulance Victoria Data Breach): A former employee of Ambulance Victoria unlawfully transferred files containing personal details of approximately 3,000 staff members. The breach was attributed to the employee's failure to adhere to the organization's code of conduct, which prohibits the removal of data for non-work-related purposes.
And so on and so forth!
Different Authorization Methods
In Django, managing user permissions is crucial for building secure applications.
1 . Basic Authentication: This is using simple session authentication stories some credentials in the cookies.
from django.contrib.auth.decorators import login_required
@login_required
def restricted_view(request):
return render(request, 'restricted.html')
What's the bottleneck? if we have an admin and a normal user how do we differentiate?
2 . Hardcoded Flag-Based Permissions: We can say this is an extension of the later. Above basic authentication here we have a few roles on the system where we use boolean to say if it is or is not x-role. This can be ideal when dealing with solutions where we have 3 to 5 roles. Limitations comes in with complex permissions.
from django.shortcuts import redirect
from django.contrib.auth.models import User
from django.db import models
class Profile(models.Model):
user = models.OneToOneField(User, on_delete=models.CASCADE)
is_manager = models.BooleanField(default=False)
def manager_view(request):
if not request.user.profile.is_manager:
return redirect('permission_denied')
return render(request, 'manager_dashboard.html')
3 . Generic Flag-Based Permissions: Each model created in Django by default has a few permissions as metadata and this can be edited or customized in the Meta class of the model.
class Document(models.Model):
title = models.CharField(max_length=200)
class Meta:
permissions = [
("view_document", "Can view documents"),
("edit_document", "Can edit documents"),
]
To check or verify the permission, we can check like we see below:
from django.contrib.auth.decorators import permission_required
@permission_required('documents.view_document', login_url='login')
def document_list(request):
documents = Document.objects.all()
return render(request, 'documents/list.html', {'documents': documents})
We can check on the templates too:
{% if perms.documents.view_document %}
<div class="document-list">
{% for doc in documents %}
<p>{{ doc.title }}</p>
{% endfor %}
</div>
{% endif %}
The limitations here comes when we might need to split the users in groups of user and assigning some permission access to some resources.
4 . Role-Based Access Control (RBAC): Django is a powerful method for managing user permissions by assigning roles to users. Instead of managing permissions individually, RBAC groups them into roles like "Admin," "Editor," and "Viewer." Each role is associated with specific permissions, simplifying the management process. In Django, you can implement RBAC using the built-in Group model and Permission system. By creating groups with predefined permissions and assigning users to these groups, you can easily control access to different parts of your application. This approach enhances security, scalability, and maintainability, making it ideal for complex applications with multiple user roles.
Let's CRAFT?
from django.db import models
from django.contrib.auth.models import Group, Permission
from django.contrib.auth.mixins import UserPassesTestMixin
from django.views.generic import ListView
class Role(models.Model):
name = models.CharField(max_length=50)
group = models.OneToOneField(Group, on_delete=models.CASCADE)
def __str__(self):
return self.name
class DocumentListView(UserPassesTestMixin, ListView):
model = Document
template_name = 'documents/list.html'
def test_func(self):
return self.request.user.has_perm('documents.view_document')
We can also go into a middleware.
# middleware.py
from django.utils.deprecation import MiddlewareMixin
class RBACMiddleware(MiddlewareMixin):
def process_view(self, request, view_func, view_args, view_kwargs):
# Custom permission checks here
if request.path.startswith('/admin') and not request.user.is_staff:
return HttpResponseForbidden("Access denied")
#settings.py
MIDDLEWARE = [
# ...
'hello_app.middleware.RBACMiddleware',
]
We can still improve that, Don't miss out the next blog posts. Don't miss out anything. Follow me and subscribe not to miss out.
Conclusion
Role-Based Access Control (RBAC) is a widely-used method for managing user permissions in Django, but it has several limitations. RBAC struggles with fine-grained permissions, requiring excessive roles for granular access control. Role explosion occurs when roles and permissions become overly complex, leading to management challenges. RBAC lacks context awareness, treating all users within a role uniformly, which can be problematic in dynamic environments. Hierarchical role management is limited, making it difficult to implement complex inheritance structures. User experience can suffer due to unclear role definitions, and misconfigurations pose security risks. Additionally, RBAC may face scalability issues in large systems with thousands of users and roles. Despite these limitations, RBAC remains a robust solution for applications with well-defined roles and permissions. For more complex scenarios, combining RBAC with other access control methods like Attribute-Based Access Control (ABAC) or Policy-Based Access Control (PBAC) can enhance flexibility and security.
Top comments (2)
Amazing craft🙏❤️
I'm glad we are crafting together