In my Django project, I want to restrict a page depending on if they have an access level of 100, 200, etc. I tried making a wrapper for this like login_required, however I'm not sure how to access the user model. Any advice?
Example:
def required_access(access):
if access <= user.access:
print 'The user can access this page, their access level is greater than or equal to whats required.'
else:
print 'This page cannot be viewed, their access level is too low.'
#login_required
#required_access(300)
def foo(request):
return render(request, 'bar.html', {})
Python decorators have access to the wrapped functions arguments.
With this knowledge we could alter our decorator like so, to have access to the request.user object. This is assuming the first argument to my_view() will always be the request object.
def required_access(access=None):
def wrap(func):
def inner(*args, **kwargs):
if access <= args[0].user.access:
print 'The user can access this page, their access level is greater than or equal to whats required.'
else:
print 'This page cannot be viewed, their access level is too low.'
return func(*args, **kwargs)
return inner
return wrap
#login_required
#required_access(access=300)
def foo(request):
return render(request, 'bar.html', {})
Try this..
https://docs.djangoproject.com/en/1.7/topics/auth/default/#limiting-access-to-logged-in-users-that-pass-a-test
from django.contrib.auth.decorators import user_passes_test
def email_check(user):
return user.email.endswith('#example.com')
#user_passes_test(email_check)
def my_view(request):
[...]
Related
In the get_object method of class views, can I direct the user to a template instead of returning the object if an if statement fails?
Currently raise Http404("Some message.") works good but it doesn't look nice, I want to use my own template.
I'm trying to do this but with templates:
def get_object(self):
product = Product.objects.get(slug=self.kwargs.get('slug'))
if product.deleted == False:
if product.out_of_stock == False:
return product
else:
raise Http404("This product is sold out.")
# return reverse("404-error", kwargs={"error": "sold-out"})
# return render(request, "custom_404.html", {"error": "sold_out"})
else:
raise Http404("This product is no longer available.")
# return reverse("404-error", kwargs={"error": "deleted"})
# return render(request, "custom_404.html", {"error": "deleted"})
My main goal is to just avoid getting the object. I know I can perform the if statement in the get_context_data method, however I wasn't sure for objects containing sensitive data if there would be any way for a user to access it once it's in the get_object, so I just wanted to avoid getting the object altogether if the condition fails and display a template to the user.
You can use your own view when a 404 error occurs, first create a custom view:
views
from django.shortcuts import render
def handler404(request, *args, **kwargs):
return render(request, template_name='custom_404.html', status=404)
Now you need to override the default 404 view, adds this in your main urls.py file:
urls.py
handler404 = 'appname.views.handler404' # Replaces appname with the name of the app that contains the custom view
Now you can simply raise a Http404 exception to show your custom template (you can keep your actual code).
Hi so I have a working view. I wanted to know if this is the best or a good way of doing it. I want to have a delete view that deletes a Photo object but only if the logged in user is the on associated with the object.
Here is my views.py
class PhotoDelete(DeleteView):
model = Photo
template_name = 'otologue/photo_delete.html'
success_url = reverse_lazy('otologue:photos')
def get(self, request, *args, **kwargs):
object_instance = self.get_object() # Get the object
object_user = object_instance.photoextended.user # Get the user who owns the object
user = get_object_or_404(User, username=self.request.user) # Get the user in the view
if object_user != user: # See if the object_user is the same as the user
return HttpResponseForbidden('Permission Error')
else:
return render(request, self.template_name, {'object': object_instance})
#method_decorator(login_required)
def dispatch(self, *args, **kwargs):
return super().dispatch(*args, **kwargs)
If you need more info like the models and such, please request it.
You don't have to call get_object_or_404(), since self.request.user already contains an instance of User, so you can compare it directly.
You should call (and return the result) DeleteView's get() method instead of rendering the template yourself.
I would also use LoginRequiredMixin instead of a decorator, since your dispatch() now does nothing apart from calling super's method.
Be aware, that the actual deletion is done in the post() method. You should move your user check to the dispatch() method, otherwise it will be possible to bypass the check with a forged POST request.
To have better idea what DeleteView does in its methods, check it's source code (for example at ccbv.co.uk)
I have specific subjects related with specific users in my application. How to limit their access to just their subjects?
I have idea to use like
usersub = get_object_or_404(UserSubject, user=request.user, subject=subject)
If there is no relation, it will throw 404 error. But is there any other way to complete it with user_passes_test decorator?
Well, you can use exists
if UserSubject.objects.filter(user=request.user, subject=subject).exists():
# what you want to do
else:
# do something else
or just filter
usersub = UserSubject.objects.filter(user=request.user, subject=subject)
if usersub:
# do something
else:
# do something else
Those will make your check but will not raise an Exception or return a Http404.
Update: You must write your own decorator, since user_passes_test can nor handle your situation. Here is an example decorator:
from django.http import HttpResponseForbidden
def subject_test(f, subject):
def test_user_for_subject(request, subject, *args, **kwargs):
if not UserSubject.objects.filter(user=request.user, subject=subject).exists():
retun HttpResponseForbidden('Access denied!')
else:
return f(request, *args, **kwargs)
return test_user_for_subject
An in your views :
#subject_test('your subject here')
def your_view_is_in_here(request):
...
But the hard part is, you must pass all your filter arguments unless they are reachable from request
Lets just suppose that we have following url:
example.com/users/1
if user with ID=1 opens it, user receive info about his account, but if user switch 1 with 2, then he can view other user details as well, and we of course do not want that, so I have following solutions:
1) just pass currently logged in user id threw request.user.id inside a template
2) add permission, but I did not find type of permissions that would allow me to do that. Of course I could create dozens of permissions each for each user, but of course that is very nasty way.
Any other ideas how to cope with that in Django?
You can either fill context with the request which makes sure the user will never see another user's data, e.g. (using CBVs):
class AccountView(TemplateView):
"""
Generic account view
"""
template_name = "users/account.html"
def get_context_data(self, **kwargs):
context = super(AccountView, self).get_context_data(**kwargs)
context['user'] = User.objects.get(id=self.request.user.id)
return context
#method_decorator(login_required(login_url=reverse('login')))
def dispatch(self, *args, **kwargs):
return super(AccountView, self).dispatch(*args, **kwargs)
Another approach, to make sure 'fake' urls render 404's is to write an owner_required decorator, e.g.:
def owner_required(function):
#wraps(function)
def decorator(*args, **kwargs):
request = args[1]
user = get_object_or_404(User, username=request.user.username)
if user.is_authenticated() and user.username == kwargs.get('slug'):
return function(*args, **kwargs)
raise Http404
return decorator
You don't need permission to do this.
In your views.py
from django.http import Http404
def myview(request, user_id):
user = request.user
if user_id != request.user.id:
raise Http404
#all your logic here
But if you want user profile to be private, you don't need to use user_id in your url pattern. just use the user object stored in the request variable.
I want to redirect access of unauthenticated users to the login page, after which the logged-in user should be redirected to the originally requested page.
According to documentation, this is easily achieved using the #user_passes_test decorator. But it seems I'd have to decorate every view, which is crazy, there are too many and it's error-prone.
What is a good way to turn on this functionality globally (except for a small fixed set of views, such as login)? That is, default everything to logged-in-only + handle anonymous viewing explicitly, where needed.
from django.shortcuts import redirect
from django.conf import settings
class LoginRequiredMiddleware:
def __init__(self, get_response):
self.get_response = get_response
self.login_url = settings.LOGIN_URL
self.open_urls = [self.login_url] + \
getattr(settings, 'OPEN_URLS', [])
def __call__(self, request):
if not request.user.is_authenticated \
and not request.path_info in self.open_urls:
return redirect(self.login_url+'?next='+request.path)
return self.get_response(request)
have a look at middleware. these are functions run at various points in the request cycle, e.g. before each view is called.
since you may want to exclude certain views from this, i'd look at e.g. how the csrf middleware works, together with the csrf_exempt decorator.
see [SOURCE]/django/views/decorators/csrf.py and [SOURCE]/django/middleware/csrf.py
The way I solved this, was to have mixin class, with the decorator (or whatever code you need). Although you have to remember to call the super(Class, self).get(...) function, so I guess it's not so different after all.
On the other hand, having a set of mixins that does different things I found was quite good at getting a very simple view to do a lot without much code.
Edit
This is how I did in my last project:
class BaseAuthMixin(object):
def auth_check(self, user):
return True
def dispatch(self, request, *args, **kwargs):
if not self.auth_check(request.user):
from django.http import HttpResponseRedirect
from django.contrib.auth import logout
is_web = False
is_live = False
if hasattr(self, 'get_url_name'):
from django.core.urlresolvers import reverse
from django.core.urlresolvers import NoReverseMatch
try:
next = reverse(self.get_url_name(), kwargs=kwargs)
except NoReverseMatch:
next = ''
else:
next= '?next=' + next
logout(request)
redirect_url = settings.LOGIN_URL
redirect_url += next
return HttpResponseRedirect(redirect_url)
else:
return super(BaseAuthMixin, self).dispatch(request, *args, **kwargs)
class LoginRequiredMixin(BaseAuthMixin):
"""
Check if the view needs the user to be logged in.
"""
def auth_check(self, user):
if not super(LoginRequiredMixin, self).auth_check(user):
return False
else:
if hasattr(self, 'login_required'):
if self.login_required and not user.is_authenticated():
return False
return True
class MyDefaultMixin(LoginRequiredMixin):
"""
Mixin that inherits from all common view mixins.
"""
pass
The above is then used by the view-classes (I used Django 1.3 with class-based views):
from django.views.generic import TemplateView
class SomeViewClass(TemplateView, MyDefaultMixin):
# Used by 'LoginRequiredMixin' to check if a user has to be logged in
login_required = True
# Template for the Django TemplateView
template_name = "some_view_template.html"
You need a view to handle the login (with URL in settings.LOGIN_URL), containing a form with a hidden field called next. This field has to be set by a context variable to the page to go to after successful login.
If all views inherit from the base mixin (MyDefaultMixin in my code above), it will automatically check that the user is logged in iv the view contain an attribute called login_required and that is set to True.
There might be better ways to do this, but this is what I did and it worked very well.