Section 3.2.1
Top Level
Sub Level
General
Use the centralized access control mechanism(s) to determine which functions and data to display to the user based on their access rights (i.e., only display what the user is authorized to do). Note that since pages are potentially being shared, access control decisions returning false for a display are not necessarily an attacker attempting to penetrate the application - it may just be a normal user rendering his page.
Django
Django includes a few convenient functions for determining whether or not a user has a certain permission. There is a permission_required decorator that can be used on views. There are also a few permission-related methods on the User class that can be used in code or in templates.
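As an added illustration (not code from the original page or from Django itself), the following framework-free Python mirrors the pattern: one centralized has_perm check drives both what the page displays and what the view enforces, using Django-style "app_label.codename" permission strings. The users, permissions and action labels are constructed sample data.

```python
"""Framework-free stand-in for the Django pattern described above.

User.has_perm and permission_required mirror the shape of Django's API,
but nothing here imports Django; all users, permissions and actions are
constructed sample data for illustration.
"""
from dataclasses import dataclass, field
from functools import wraps


class PermissionDenied(Exception):
    """Raised when a user invokes a view without the required permission."""


@dataclass
class User:
    username: str
    perms: frozenset = field(default_factory=frozenset)
    is_superuser: bool = False

    def has_perm(self, perm: str) -> bool:
        # The same centralized check serves display and enforcement, so the
        # menu and the view can never disagree about what is allowed.
        return self.is_superuser or perm in self.perms


def permission_required(perm: str):
    """Enforcement point: a denial here is a genuinely unauthorized request."""
    def decorator(view):
        @wraps(view)
        def wrapped(user: User, *args, **kwargs):
            if not user.has_perm(perm):
                raise PermissionDenied(f"{user.username} lacks {perm}")
            return view(user, *args, **kwargs)
        return wrapped
    return decorator


# Constructed sample: each UI action maps to the permission its view requires.
ACTIONS = {
    "View reports": "reports.view_report",
    "Export reports": "reports.export_report",
    "Delete users": "auth.delete_user",
}


def visible_actions(user: User) -> list:
    """Display-side filtering: a False result here is ordinary page rendering,
    not an attack, so it is not recorded as a security event."""
    return [label for label, perm in ACTIONS.items() if user.has_perm(perm)]


@permission_required("reports.export_report")
def export_report(user: User) -> str:
    return f"export for {user.username}"


def attempt(view, user: User) -> str:
    """Call a protected view and report 'denied' instead of raising."""
    try:
        return view(user)
    except PermissionDenied:
        return "denied"
```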