Django

Django Authorization

Permissions, groups, and object access

Authorization

Authentication = who you are. Authorization = what you may do.

# Limit the queryset to rows whose project is owned by the current user.
# LoginRequiredMixin is needed: filtering on an AnonymousUser raises an error.
# Shown inside a ListView subclass; the class name is assumed here.
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
from django.views.generic import ListView, UpdateView

class TaskListView(LoginRequiredMixin, ListView):
    def get_queryset(self):
        return super().get_queryset().filter(project__owner=self.request.user)

# Per-object rule: only the project's owner may edit it; anyone else gets 403.
class ProjectUpdateView(UserPassesTestMixin, UpdateView):
    def test_func(self):
        return self.get_object().owner == self.request.user

Use built-in Permission and groups for staff capabilities; object-level rules belong in views/querysets.