Authentication for class based views in Django

Question

class AdminView(generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

class AdminUpdateView(UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

There are two views in django which I have created and I want them to be accessed only when the admin/staff logins. How do I go about it?

I tried using method_decorator but how to create a custom decorator to be passed inside it? Like login_required is already there. — Aman Sharma
– Aman Sharma, Commented Jul 11, 2018 at 11:44

willeM_ Van Onsem · Accepted Answer · 2023-10-05 16:38:13Z

19

You can use the UserPassesTestMixin ^[Django-doc] and LoginRequiredMixin ^[Django-doc] mixins, and specify as condition that the user should be an is_superuser. Since you need these twice, we can make first a composite mixin:

from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin

class AdminStaffRequiredMixin(LoginRequiredMixin, UserPassesTestMixin):
    
    def test_func(self):
        return self.request.user.is_superuser or self.request.user.is_staff

Next you can add the mixin to your class-based views:

class AdminView(AdminStaffRequiredMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

class AdminUpdateView(AdminStaffRequiredMixin, UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

edited Oct 5, 2023 at 16:38

answered Jul 11, 2018 at 11:45

willeM_ Van Onsem

482k33 gold badges483 silver badges624 bronze badges

Sign up to request clarification or add additional context in comments.

5 Comments

Aman Sharma Over a year ago

So LoginRequiredMixin is inherited so that one can set the login_url if the test in UserPassesTestMixin is not passed, right?

willeM_ Van Onsem Over a year ago

@AmanSharma: indeed, this will also first check if the user is logged in (since techhnically it is for example possible that your know the user, but that user is not logged in, if you "change" the login procedure).

Abishek Over a year ago

@WillemVanOnsem I get 'django.core.exceptions.PermissionDenied' when I try your method. However, the solution works! How to get rid of the error?

willeM_ Van Onsem Over a year ago

@abicrazieeee: you can set the raise_exception attribute to raise_exception = False. See ccbv.co.uk/projects/Django/1.11/django.contrib.auth.mixins/… how the mixin is implemented.

Abishek Over a year ago

@WillemVanOnsem Setting raise_exception = False in my class based view doesn't work. I had to implement a handle_no_permission method in my class and return a custom HTTP response. I'm not sure if that's the right way to do it.

neverwalkaloner · Accepted Answer · 2018-07-11 11:44:27Z

2

You can use UserPassesTestMixin:

from django.contrib.auth.mixins import UserPassesTestMixin

class AdminView(UserPassesTestMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

    def test_func(self):
        return self.request.user.is_staff or self.request.user.is_superuser

answered Jul 11, 2018 at 11:44

neverwalkaloner

47.6k7 gold badges101 silver badges103 bronze badges

3 Comments

Abishek Over a year ago

I get 'django.core.exceptions.PermissionDenied' when I try your method. However, the solution works! How to get rid of the error?

neverwalkaloner Over a year ago

@abicrazieeee not sure, probably user is not staff or superuser?

Abishek Over a year ago

The user is a superuser. I had to implement a handle_no_permission method in my class and return a custom HTTP response to get rid of the error tho.

Diego Vinícius · Accepted Answer · 2018-07-11 12:11:57Z

Use decorators, with @login_required you can tell this views will be only accesseed when user os logged in, you can pass parameters to it too or create one your own to validate if the logged user on the request can see or no your view

With Login Required

from django.contrib.auth.decorators import login_required

@login_required(login_url='/accounts/login/')
class AdminView(generic.ListView):
    ...

@login_required(login_url='/accounts/login/')
class AdminUpdateView(UpdateView):
    ...

https://docs.djangoproject.com/en/2.0/topics/auth/default/#the-login-required-decorator

With Permission

from django.contrib.auth.decorators import permission_required

@permission_required('user.is_staff')
def my_view(request):
    ...

https://docs.djangoproject.com/en/2.0/topics/auth/default/#the-permission-required-decorator

KKMurerwa · Accepted Answer · 2020-07-14 14:33:58Z

If you want to use the LoginRequiredMixin, you still can. And it is much simpler. Just extend the LoginRequiredMixin in all you classes so that they are like this.

class AdminView(LoginRequiredMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

class AdminUpdateView(LoginRequiredMixin, UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

This ensures that the user is already logged in before allowing any operations. Then, check if the user is an admin by adding the following code to each of the classes;

def dispatch(self, request, *args, **kwargs):
    if not self.request.user.is_staff:
        raise PermissionDenied
    return super().dispatch(request, *args, **kwargs)

Your code should now look like this:

class AdminView(LoginRequiredMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

    def dispatch(self, request, *args, **kwargs):
        if not self.request.user.is_staff:
            raise PermissionDenied
        return super().dispatch(request, *args, **kwargs)

class AdminUpdateView(LoginRequiredMixin, UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

    def dispatch(self, request, *args, **kwargs):
        if not self.request.user.is_staff:
            raise PermissionDenied
        return super().dispatch(request, *args, **kwargs)

mousetail · Accepted Answer · 2021-02-09 09:52:56Z

0

You can use IsAdminUser permission by rest framework

from rest_framework import permissions

class AdminView(generic.ListView):
    permission_classes = (permissions.IsAdminUser, )
    ...

edited Feb 9, 2021 at 9:52

mousetail

8,1696 gold badges31 silver badges53 bronze badges

answered Feb 9, 2021 at 6:37

Mirjahon Mirsaidov

1

Collectives™ on Stack Overflow

Authentication for class based views in Django

5 Answers 5

5 Comments

3 Comments

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

5 Comments

3 Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related