Permissions & Groups System
Django's permission system controls what users can do. Every model automatically gets add, change, delete, and view permissions. Groups let you assign permissions to many users at once — like 'Editors' can edit posts, 'Admins' can delete them.
20 min•By Priygop Team•Updated 2026
Permissions
- Django auto-creates 4 permissions per model: add, change, delete, view
- Format: app_label.action_modelname (e.g., blog.add_post)
- user.has_perm('blog.add_post') — Check single permission
- user.has_perms(['blog.add_post', 'blog.change_post']) — Check multiple
- @permission_required('blog.add_post') — View-level check
- Groups — Assign permissions to a group, then add users to groups
- Custom permissions via model Meta class
Permissions & Groups
Permissions & Groups
# Checking permissions in views
# from django.contrib.auth.decorators import permission_required
# @permission_required('blog.add_post', raise_exception=True)
# def create_post(request):
# pass
# In templates
# {% if perms.blog.add_post %}
# <a href="{% url 'blog:create' %}">New Post</a>
# {% endif %}
# {% if perms.blog.delete_post %}
# <button>Delete</button>
# {% endif %}
# Custom permissions
# class Post(models.Model):
# class Meta:
# permissions = [
# ('publish_post', 'Can publish a post'),
# ('feature_post', 'Can feature a post'),
# ]
# Managing groups (admin or shell)
# from django.contrib.auth.models import Group, Permission
# editors = Group.objects.create(name='Editors')
# add_post = Permission.objects.get(codename='add_post')
# change_post = Permission.objects.get(codename='change_post')
# editors.permissions.add(add_post, change_post)
#
# # Add user to group
# user.groups.add(editors)
# # Check group permission
# user.has_perm('blog.add_post') # True (via group)Tip
Tip
Use Django's built-in permission system. Each model auto-creates add, change, delete, view permissions.
Diagram
Loading diagram…
QuerySets are LAZY — no DB hit until evaluated.
Common Mistake
Warning
Not checking permissions in views. Use @permission_required or UserPassesTestMixin to enforce authorization.
Practice Task
Note
(1) Add a custom permission to a model. (2) Assign it to a group. (3) Check permissions in views and templates.
Quick Quiz
Key Takeaways
- Django's permission system controls what users can do.
- Django auto-creates 4 permissions per model: add, change, delete, view
- Format: app_label.action_modelname (e.g., blog.add_post)
- user.has_perm('blog.add_post') — Check single permission