1

I am going to have probably over 20 views. All of them require the user to authenticate first. Do I have to put @login_required over each one or is there a better way?

https://docs.djangoproject.com/en/1.6/topics/auth/default/#django.contrib.auth.decorators.login_required

broinjc
  • 2,619
  • 4
  • 28
  • 44
  • 2
    There are a few different options described [here](http://stackoverflow.com/questions/2164069/best-way-to-make-djangos-login-required-the-default). Basically, middleware is an option, or putting `login_required` in your `urls.py` to at least keep it in one place. – Alex Apr 30 '14 at 21:45
  • Where would I put that RequireLoginMiddleware code? – broinjc Apr 30 '14 at 21:53
  • Oh wait, https://docs.djangoproject.com/en/1.6/topics/http/middleware/#writing-your-own-middleware – broinjc Apr 30 '14 at 21:56
  • Yep, exactly. Pretty much anywhere, just include the path to it in your `MIDDLEWARE_CLASSES` in your settings. – Alex Apr 30 '14 at 21:57
  • I would like to do something in `urls.py` It seems like it could be a little slicker. I'd like to lock down a whole section. `url(r'^', login_required(include('npage.urls'))),` (which won't work of course since tuples aren't callable) – broinjc Apr 30 '14 at 21:59
  • You could use [django-braces](http://django-braces.readthedocs.org/en/latest/access.html#loginrequiredmixin) It has some useful mixin classes – rlaverde May 01 '14 at 06:39
  • I am very late to the game, but you might check out https://github.com/CleitonDeLima/django-login-required-middleware, it actually works in reverse so that you can make `login_required` the default and then specify those views that **don't** require authentication – jusopi Jul 13 '22 at 20:58

2 Answers2

3

I ended up making a new file in my npage app directory called lockdown.py and pasted the code from this solution:

import re

from django.conf import settings
from django.contrib.auth.decorators import login_required


class RequireLoginMiddleware(object):
    """
    Middleware component that wraps the login_required decorator around
    matching URL patterns. To use, add the class to MIDDLEWARE_CLASSES and
    define LOGIN_REQUIRED_URLS and LOGIN_REQUIRED_URLS_EXCEPTIONS in your
    settings.py. For example:
    ------
    LOGIN_REQUIRED_URLS = (
        r'/topsecret/(.*)$',
    )
    LOGIN_REQUIRED_URLS_EXCEPTIONS = (
        r'/topsecret/login(.*)$',
        r'/topsecret/logout(.*)$',
    )
    ------
    LOGIN_REQUIRED_URLS is where you define URL patterns; each pattern must
    be a valid regex.

    LOGIN_REQUIRED_URLS_EXCEPTIONS is, conversely, where you explicitly
    define any exceptions (like login and logout URLs).
    """
    def __init__(self):
        self.required = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS)
        self.exceptions = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)

    def process_view(self, request, view_func, view_args, view_kwargs):
        # No need to process URLs if user already logged in
        if request.user.is_authenticated():
            return None

        # An exception match should immediately return None
        for url in self.exceptions:
            if url.match(request.path):
                return None

        # Requests matching a restricted URL pattern are returned
        # wrapped with the login_required decorator
        for url in self.required:
            if url.match(request.path):
                return login_required(view_func)(request, *view_args, **view_kwargs)

        # Explicitly return None for all non-matching requests
        return None

After that in settings.py I added this to MIDDLEWARE_CLASSES...

MIDDLEWARE_CLASSES = (
    # ...
    'npage.lockdown.RequireLoginMiddleware',
)

And of course, these lines to lock the whole site down:

LOGIN_REQUIRED_URLS = (
        r'/(.*)$',
    )
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
    r'/login(.*)$',
    r'/logout(.*)$',
)
Community
  • 1
  • 1
broinjc
  • 2,619
  • 4
  • 28
  • 44
2

As of Django 3+, you have to do like followings:

Step 1: Create a new file anything.py in your yourapp directory and write the following:

import re
from django.conf import settings
from django.contrib.auth.decorators import login_required

//for registering a class as middleware you at least __init__() and __call__()
//for this case we additionally need process_view() which will be automatically called by Django before rendering a view/template

class ClassName(object):
    
    //need for one time initialization, here response is a function which will be called to get response from view/template
    def __init__(self, response):
        self.get_response = response
        self.required = tuple(re.compile(url) for url in settings.AUTH_URLS)
        self.exceptions = tuple(re.compile(url)for url in settings.NO_AUTH_URLS)

    def __call__(self, request):
        //any code written here will be called before requesting response
        response = self.get_response(request)
        //any code written here will be called after response
        return response

    //this is called before requesting response
    def process_view(self, request, view_func, view_args, view_kwargs):
        //if authenticated return no exception
        if request.user.is_authenticated:
            return None
        //if found in allowed exceptional urls return no exception
        for url in self.exceptions:
            if url.match(request.path):
                return None
        //return login_required()
        for url in self.required:
            if url.match(request.path):
                return login_required(view_func)(request, *view_args, **view_kwargs)
        //default case, no exception
        return None

Step 2: Add this anything.py to Middleware[] in project/settings.py like followings

MIDDLEWARE = [
    // your previous middleware
    'yourapp.anything.ClassName',
]

Step 3: Also add the following snippet into project/settings.py

AUTH_URLS = (
    //i am disallowing all url
    r'(.*)',
)
NO_AUTH_URLS = (
    r'/admin(.*)$',
)
Mahbub Alam
  • 368
  • 2
  • 6