model permission assignment via groups requires further config at model level?

[rsbaxter]

I'm trying to confirm if this is correct: I create a group with no permissions in it, and assign this group to a user.  This user is not "staff status" nor is the user "superuser status" - they are only active.  The user is not a member of any other groups - just the one with no permissions.  Upon login, this user is still able to add, update and delete all models in the app.  I think I'm misunderstanding the group functionality - is it correct that permissions assigned via groups are not automatically enforced by django and that further configuration is required to enforce the permissions assigned via the group(s) assigned to the user?

[George Lubaretsi]

Django permissions are only enforced in Admin interface by default. You have to enforce them in your views by using `has_perm` method of `user` instance - `user.has_perm('<app label>.<permission codename>')`

Here's the documentation for permissions - https://docs.djangoproject.com/en/dev/topics/auth/default/#permissions-and-authorization

Also, take a look at this blog post for some alternatives to built-in permissions system - https://www.vinta.com.br/blog/2016/controlling-access-a-django-permission-apps-comparison/

[Rob B]

Thanks George - I understand now.  I never thought it would only apply to the admin interface but should have.  Kind regards,

Rob

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2c0bd344-cc7b-4691-9a73-4bd39ff7c538%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[gibson...@u4sd.org]

that is good