Mapping Users to Records & Protecting Views in Django

Introduction

Security is a crucial aspect of web development, especially when building applications that manage user-specific data. How do you ensure that users can only access their own records? How do you protect views from unauthorized access?

In my latest tutorial, I walk you through how to map users to records and protect views in Django, ensuring your application is secure and efficient.

Why is User Mapping & View Protection Important?

In Django applications, it’s common to store user-related data, such as orders, profiles, or messages. However, if proper security measures aren’t in place, users might access or modify records that don’t belong to them.

To prevent this, we need to:

Map users to their specific records (so they can only access their own data)

Protect views (restrict access to authorized users only)


How to Map Users to Records in Django

To associate a user with specific records, we typically use Django’s ForeignKey field in models.

Here’s a basic example:

    from django.db import models
    from django.contrib.auth.models import User

    class UserProfile(models.Model):
        # One profile per user; deleting the user removes the profile with it
        user = models.OneToOneField(User, on_delete=models.CASCADE)
        bio = models.TextField()
        created_at = models.DateTimeField(auto_now_add=True)

With this setup, each user can have only one profile, and we can filter records based on the authenticated user.

Querying User-Specific Records

    from django.contrib.auth.decorators import login_required
    from django.shortcuts import get_object_or_404, render

    @login_required
    def user_profile(request):
        profile = get_object_or_404(UserProfile, user=request.user)  # scoped to the caller
        return render(request, "profile.html", {"profile": profile})

Because the lookup is keyed on request.user rather than on an id taken from the URL, a user can only see their own profile.


How to Protect Views in Django

Django provides several built-in methods to restrict access to views, such as:

@login_required – Ensures only authenticated users can access a view

@permission_required – Grants access based on user permissions

@user_passes_test – Custom validation for advanced control

Example: Restricting Access with @login_required

    from django.contrib.auth.decorators import login_required
    from django.shortcuts import render

    @login_required  # anonymous requests are redirected to settings.LOGIN_URL
    def dashboard(request):
        return render(request, "dashboard.html")

With this, unauthenticated users will be redirected to the login page before accessing the dashboard.
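To make the two checks from the sections above concrete in code that runs without Django installed, here is an added example (not from the original post or the tutorial video) that models Django's pattern with plain Python: a stand-in `User`/`request.user`, an in-memory `ORDERS` table in place of a model with a `ForeignKey(User)`, and hand-written `login_required` and `user_passes_test` decorators that behave like Django's. It contrasts a view that looks a record up by primary key only, which lets any logged-in user read another user's order by guessing an id, with a view that scopes the lookup to `request.user`, the equivalent of `get_object_or_404(Order, pk=pk, owner=request.user)`. All names, the sample users and the sample orders are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# Constructed stand-ins for Django's request.user, a model table and
# HttpResponse, so the ownership and login checks run without Django.


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_authenticated: bool = True
    is_staff: bool = False


ANONYMOUS = User(id=0, username="", is_authenticated=False)
ALICE = User(id=1, username="alice")
BOB = User(id=2, username="bob", is_staff=True)


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: int  # stands in for a ForeignKey(User) column
    total_cents: int


# Constructed sample table: alice owns orders 10 and 11, bob owns 12.
ORDERS: Dict[int, Order] = {
    10: Order(10, 1, 2500),
    11: Order(11, 1, 400),
    12: Order(12, 2, 99900),
}


@dataclass
class Request:
    user: User


@dataclass
class Response:
    status: int
    body: str = ""


def login_required(view: Callable) -> Callable:
    """Mirror of Django's decorator: anonymous callers are redirected to login."""
    def wrapped(request: Request, *args, **kwargs):
        if not request.user.is_authenticated:
            return Response(302, "redirect:/accounts/login/")
        return view(request, *args, **kwargs)
    return wrapped


def user_passes_test(test: Callable[[User], bool]) -> Callable:
    """Mirror of Django's user_passes_test: redirect unless test(user) holds."""
    def decorator(view: Callable) -> Callable:
        def wrapped(request: Request, *args, **kwargs):
            if not test(request.user):
                return Response(302, "redirect:/accounts/login/")
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


def order_detail_insecure(request: Request, pk: int) -> Response:
    """Looks the record up by primary key only: the owner is never checked,
    so any caller who guesses an id can read someone else's order."""
    order = ORDERS.get(pk)
    if order is None:
        return Response(404)
    return Response(200, f"order {order.id}: {order.total_cents}")


@login_required
def order_detail(request: Request, pk: int) -> Response:
    """Scopes the lookup to the requesting user, like
    get_object_or_404(Order, pk=pk, owner=request.user) in Django.
    A foreign record yields 404 rather than 403 so the response does not
    confirm that the id exists."""
    order = ORDERS.get(pk)
    if order is None or order.owner_id != request.user.id:
        return Response(404)
    return Response(200, f"order {order.id}: {order.total_cents}")


@login_required
def order_list(request: Request) -> Union[List[int], Response]:
    """Equivalent of Order.objects.filter(owner=request.user)."""
    return [o.id for o in ORDERS.values() if o.owner_id == request.user.id]


@user_passes_test(lambda u: u.is_staff)
def staff_report(request: Request) -> Response:
    """Only staff users reach this view; everyone else is sent to login."""
    return Response(200, f"{len(ORDERS)} orders")


if __name__ == "__main__":
    print("anonymous detail:", order_detail(Request(ANONYMOUS), 10))
    print("alice reads bob's order (insecure):", order_detail_insecure(Request(ALICE), 12))
    print("alice reads bob's order (scoped):", order_detail(Request(ALICE), 12))
    print("alice's orders:", order_list(Request(ALICE)))
    print("alice staff report:", staff_report(Request(ALICE)))
```

The point to carry back into Django is that `@login_required` answers only "is someone logged in?"; the ownership question has to be answered by the query itself, by always including `user=request.user` (or the relevant foreign key) in the filter rather than trusting an id from the URL.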


Conclusion

By implementing user-record mapping and view protection, you can prevent unauthorized access and improve security in your Django applications.

Want to see these concepts in action? Check out my full tutorial on YouTube:

Watch now: https://youtu.be/R63eMdbQBUY

Have questions? Drop a comment on the video, and let’s discuss Django security best practices!

Follow me for more:
LinkedIn
GitHub
YouTube

#Django #Python #WebSecurity #DjangoTutorial #SecureCoding #BackendDevelopment #WebDevelopment

Original article: Mapping Users to Records & Protecting Views in Django