12 Jan 2024

I was surprised at how little information there is explaining the difference between an application user and a database user, given how important the distinction is, especially to a newbie developer, for understanding how the two relate. Django applications have a section in the settings.py file, the DATABASES setting, where the database connection settings are declared. The user declared there is the database user: it is how your database identifies your application. This matters because several applications can connect to the same database, each as its own database user with its own access restrictions (grants), so the database user should be given only the privileges your application actually needs.
In your application code, users are registered or created and stored in the default user model or a custom user model (always use a custom user model). These are the application users. Whenever your code talks to the database, it is always the database user declared in settings.py, on behalf of the whole Django application, that is granted access; the database never sees which application user is logged in. So how do we restrict the actions a user logged in through our application can perform? All of those restrictions live in the code. It thus becomes clear how essential it is to enforce permissions and restrict access to serializers, views and CRUD actions: any bug or vulnerability exploited in our code runs with the full privileges of the database user, and so exposes every database resource that user can reach.
The database trusts our application (as declared in the settings.py file) and has no way of knowing that a breach has occurred in the code, so it cannot enforce extra measures on its own. Some people prefer to create a database user for every application user. Whether that is worth it depends on the needs of the project. In most cases, well-designed code that controls access and restrictions in both the frontend and the backend is enough, keeping in mind that only the backend checks count, since anything enforced solely in the frontend can be bypassed by calling the API directly. There are also architectures that move authentication and authorization into the database itself, but those are advanced SQL concepts I'll cover in future posts.
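The following is an added example, not code from the original post, showing the mechanism described above. A single sqlite3 connection stands in for the database user from settings.py (sqlite has no user accounts, so the connection simply plays that role), the `Request` class is a hypothetical stand-in for `request.user`, and the tables and rows are constructed sample data. The vulnerable lookup fetches a note by id alone and relies on the database to stop the wrong user from reading it; it cannot, because the connection has rights to every row. The hardened lookup puts the application user's identity into the query, which is what `Note.objects.filter(owner=request.user)` does in Django.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample schema and rows standing in for two Django models.
SCHEMA = """
CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE note (
    id       INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES app_user(id),
    body     TEXT NOT NULL
);
INSERT INTO app_user VALUES (1, 'alice'), (2, 'bob');
INSERT INTO note VALUES (10, 1, 'alice private note'),
                        (20, 2, 'bob private note');
"""


def connect() -> sqlite3.Connection:
    """One connection for the whole application: this is the database user.
    It can read and write every row no matter which application user is
    logged in, exactly like the USER declared in settings.py DATABASES."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


@dataclass
class Request:
    """Hypothetical stand-in for request.user in a Django view."""
    user_id: int


class NotFound(Exception):
    """Raised for 'does not exist' and 'exists but is not yours' alike, so
    the response does not let a caller enumerate other users' note ids."""


def get_note_unscoped(conn: sqlite3.Connection, request: Request, note_id: int) -> dict:
    """Vulnerable: the application user is never consulted. Any logged-in
    user who guesses an id reads another user's note, because the only
    identity the database checks is the application's own database user."""
    row = conn.execute(
        "SELECT id, owner_id, body FROM note WHERE id = ?", (note_id,)
    ).fetchone()
    if row is None:
        raise NotFound(note_id)
    return {"id": row[0], "owner_id": row[1], "body": row[2]}


def get_note_scoped(conn: sqlite3.Connection, request: Request, note_id: int) -> dict:
    """Hardened: ownership is part of the query itself, so the restriction
    is enforced on every code path that goes through this function."""
    row = conn.execute(
        "SELECT id, owner_id, body FROM note WHERE id = ? AND owner_id = ?",
        (note_id, request.user_id),
    ).fetchone()
    if row is None:
        raise NotFound(note_id)
    return {"id": row[0], "owner_id": row[1], "body": row[2]}


def rows_visible_to_database_user(conn: sqlite3.Connection) -> int:
    """What the database user can see regardless of application logic:
    every note. This is the blast radius of any bug in the view layer."""
    return conn.execute("SELECT COUNT(*) FROM note").fetchone()[0]


if __name__ == "__main__":
    db = connect()
    bob = Request(user_id=2)
    print("unscoped, bob reads alice's note:", get_note_unscoped(db, bob, 10)["body"])
    try:
        get_note_scoped(db, bob, 10)
    except NotFound:
        print("scoped, bob is refused note 10")
    print("rows the database user can reach:", rows_visible_to_database_user(db))
```

The scoped version is the one to keep. Note that both `NotFound` paths look identical to the caller, mirroring `get_object_or_404(Note, pk=note_id, owner=request.user)`; distinguishing "forbidden" from "missing" would tell an attacker which ids exist.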