28

view.py

@login_required
@permission_required('is_superuser')
def score_reset(request):
   pass

url.py

url(r'^score-reset/$', score_reset, name='score-reset'),    

I have the following code and to my surprise I still hit the function, despite being logged in with a non superuser. I was expecting to get a permission denied.

What am I missing?

4

6 Answers

56

is_superuser isn't a permission, it's an attribute on the user model. Django already has another decorator you can make use of called user_passes_test to perform this check:

from django.contrib.auth.decorators import user_passes_test

@user_passes_test(lambda u: u.is_superuser)
def score_reset(request):
    ...
Answered 2013-04-14T11:48:16.500
7

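The answers above seem to be for very early versions of Django. They are a bit more complicated than what newer versions need.

For Django 1.11, here is a somewhat similar but simpler strategy.

views.py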

from django.contrib.auth.decorators import login_required
from django.shortcuts import render

@login_required
def some_view(request):
    args = {}  # template context
    if request.user.is_superuser:
        # allow access only to superuser
        return render(request, 'app/template1.html', args)
    else:
        # allow access only to user
        return render(request, 'app/template2.html', args)
Answered 2017-12-07T07:18:43.280
2

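If you want to perform this check on many views, @user_passes_test is not an elegant solution. You can easily write your own decorator, for example @staff_member_require.

Here you can see one possible solution.

Answered 2017-09-20T09:33:57.673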
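
A reusable decorator of the kind the answer above suggests, as an added example that is not code from any answer on this page. user_passes_test sends a user who fails the check to the login page; this one raises PermissionDenied instead, which Django turns into a 403, the "permission denied" the question expected. The names superuser_required and try_access and the stub users are assumptions, constructed for the example.

```python
"""superuser_required: added example, not code from any answer on this page."""
from functools import wraps
from types import SimpleNamespace

try:
    # Raising this inside a Django view produces an HTTP 403 response.
    from django.core.exceptions import PermissionDenied
except ImportError:
    # Stand-in so the example also runs where Django is not installed.
    class PermissionDenied(Exception):
        pass


def superuser_required(view_func):
    """Let only active superusers reach the view; everyone else gets 403.

    The is_active check mirrors Django's staff_member_required, which
    tests is_active together with is_staff.
    """
    @wraps(view_func)
    def _wrapped(request, *args, **kwargs):
        user = getattr(request, "user", None)
        # Fail closed: a missing user or missing attribute counts as "no".
        if not (getattr(user, "is_active", False)
                and getattr(user, "is_superuser", False)):
            raise PermissionDenied("superuser access required")
        return view_func(request, *args, **kwargs)
    return _wrapped


@superuser_required
def score_reset(request):
    return "scores reset"  # placeholder for the real view body


def try_access(user):
    """Call the view with a constructed request; report the outcome."""
    try:
        return score_reset(SimpleNamespace(user=user))
    except PermissionDenied:
        return "403"


# Constructed sample users (stubs, not real Django User objects).
ADMIN = SimpleNamespace(is_active=True, is_superuser=True)
REGULAR = SimpleNamespace(is_active=True, is_superuser=False)
DISABLED_ADMIN = SimpleNamespace(is_active=False, is_superuser=True)
```

In a project, stack @login_required above @superuser_required so anonymous visitors are still redirected to the login page and only logged-in non-superusers receive the 403.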
2

Use Django's UserPassesTestMixin

Create a custom mixin, SuperuserRequiredMixin

#mixins.py
from django.contrib.auth.mixins import UserPassesTestMixin

class SuperuserRequiredMixin(UserPassesTestMixin):
    def test_func(self):
        return self.request.user.is_superuser

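Usage

from django.views.generic import ListView
from .mixins import SuperuserRequiredMixin  # the mixin defined above

class SomeSuperUserOnlyView(SuperuserRequiredMixin, ListView):
    form_class = ExamForm  # the poster's own form class
    template_name = 'exam/newexam.html'
Answered 2020-12-08T12:07:12.030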
1

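You can use the user_passes_test decorator to restrict access in any way you want. Here is an example of a restriction based on the user's email: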

from django.contrib.auth.decorators import user_passes_test

def email_check(user):
    x = False
    if user.email == 'anyemailhere':
        x = True
    return x

# Create your views here.
@user_passes_test(email_check)
def dash_index(request):
    ...

More here: https://docs.djangoproject.com/en/2.1/topics/auth/default/#the-permission-required-decorator

Answered 2019-01-14T07:26:53.807
0

SuperuserRequiredMixin

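Another permission-based mixin. This is specifically for requiring a user to be a superuser. It is very useful for tools that only privileged users should be able to access.

First install: pip install django-braces

views.py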

from braces.views import LoginRequiredMixin, SuperuserRequiredMixin
from django.views.generic import TemplateView


class SomeSuperuserView(LoginRequiredMixin, SuperuserRequiredMixin, TemplateView):
    template_name = "path/to/template.html"
Answered 2021-01-11T06:07:31.177