Live Chat

We'll need to share your messages (and your email address if you're logged in) with our live chat provider, Drift. Here's their privacy policy.

If you don't want to do this, you can email us instead at contact@anvil.works.

Quickstart: Permissions

Give users different privileges

Anvil has a built-in user management system that makes login and permissions easy.

Follow this quickstart to check which user is logged in before running certain parts of your app (authorisation).

Create an app

Log in to Anvil and click ‘create app’. Choose the Material Design theme.

Location of the Create App button

Add a login form

Add the Users Service:

The Users Service

Write this code in the __init__ method of Form1:

    anvil.users.login_with_form()

Now run your app, sign up and verify your email (note: you’re only signing up to your own app here!).

(If you want more detail on this step, see the User Login Quickstart)

Check user permissions

In the App Browser, click the + next to Server Modules to add a new Server Module.

Adding a Server Module in the App Browser

You will see a code editor with a yellow background.

Python code with a yellow background

Write this function into the Server Module:

@anvil.server.callable
def print_my_permissions():
  super_user = 'shaun@anvil.works'
  if anvil.users.get_user() is None:
    print("Nobody is logged in.")
  elif anvil.users.get_user()['email'] == super_user:
    print("%s is allowed to see this." % super_user)
  else:
    print("This path is for minimum-access users.")

Change super_user to the email address you signed up to your app with.

Call your server function

Now go to the code for Form1 and add this line to the end of the __init__ method:

    anvil.server.call('print_my_permissions')

It calls your server function from the client.

Check that it works

Run your app and log in. You will see this in the Output Panel:

Output Panel showing a message that reads 'shaun@anvil.works is allowed to see this', with a yellow background to indicate that it came from a Server Module.

Sign up with a different email address (or just put some dummy data directly into the Users table). You will see This path is for minimum-access users in the Output Panel. To get the Nobody is logged in message, you have to reach that if statement with nobody logged in - comment out the anvil.users.login_with_form() line to achieve that.

User authorisation tips

That’s a quick introduction to user authorisation in Anvil. You will usually manage user permissions with if statements like the one in this quickstart.

Guaranteeing Security

As a general rule, you should check user permissions in Server Modules rather than in client code. Any code running in a browser can be manipulated by the user - that goes for any web app, not just Anvil. Code in an Anvil Server Module is protected by industry-standard security best practice, so your permissions checks there are guaranteed to be honoured.

You can also run anvil.users.get_user() on your own machine(s) using the Uplink, which of course can be just as secure as a Server Module (since you manage it, that’s up to you).

User roles

Often, you want to assign a role to each user and check your user’s role when deciding what to grant them access to. This can be achieved by adding a Text column to the Users Data Table called something like role, then checking this column when performing authorisation. The code from this example would be something like:

    admin_role = "admin"
    if anvil.users.get_user() is None:
      print("Nobody is logged in.")
    elif anvil.users.get_user()['role'] == admin_role:
      print("Users with role '%s' are allowed to see this." % admin_role)
    else:
      print("This path is for minimum-access users.")

Copy the example app

Click on the button below to clone a finished version of this app into your account.

Next up

Want more depth on this subject?

Read more about User authentication and authorisation.

Want another quickstart?

Every quickstart is on the Quickstarts page.