Django permissions are only enforced in Admin interface by default. You
have to enforce them in your views by using `has_perm` method of `user`
instance - `user.has_perm('<app label>.<permission codename>')`
Here's the documentation for permissions
-
https://docs.djangoproject.com/en/dev/topics/auth/default/#permissions-and-authorization
Also, take a look at this blog post for some alternatives to built-in
permissions system
-
https://www.vinta.com.br/blog/2016/controlling-access-a-django-permission-apps-comparison/
On Monday, April 30, 2018 at 5:04:04 AM UTC+4, rsbaxter wrote:
>
> I'm trying to confirm if this is correct: I create a group with no
> permissions in it, and assign this group to a user. This user is not
> "staff status" nor is the user "superuser status" - they are only active.
> The user is not a member of any other groups - just the one with no
> permissions. Upon login, this user is still able to add, update and delete
> all models in the app. I think I'm misunderstanding the group
> functionality - is it correct that permissions assigned via groups are not
> automatically enforced by django and that further configuration is required
> to enforce the permissions assigned via the group(s) assigned to the user?
>
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/2c0bd344-cc7b-4691-9a73-4bd39ff7c538%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
