Django
Django Authorization
Permissions, groups, and object access
Authorization
Authentication = who you are. Authorization = what you may do.
# Limit queryset to owner
def get_queryset(self):
    return super().get_queryset().filter(project__owner=self.request.user)

from django.contrib.auth.mixins import UserPassesTestMixin
from django.views.generic import UpdateView

# Only the owner passes the test; other logged-in users get 403 Forbidden
class ProjectUpdateView(UserPassesTestMixin, UpdateView):
    def test_func(self):
        return self.get_object().owner == self.request.user
Use built-in Permission and groups for staff capabilities; object-level rules belong in views/querysets.