django - How to limit a view to superuser only?

Question

view.py

@login_required
@permission_required('is_superuser')
def score_reset(request):
   pass

url.py

url(r'^score-reset/$', score_reset, name='score-reset'),

I have the following code and to my surprise I still hit the function, despite being logged in with a non superuser. I was expecting to get a permission denied.

What am I missing?

score 56 · Accepted Answer

is_superuser isn't a permission, it's an attribute on the user model. Django already has another decorator you can make use of called user_passes_test to perform this check:

from django.contrib.auth.decorators import user_passes_test

@user_passes_test(lambda u: u.is_superuser)
def score_reset(self,...):
    ...

score 7 · Accepted Answer

以上答案似乎适用于非常早期的 django 版本。它们比更新的版本有点复杂

对于 django 1.11，这里有点类似但更简单的策略。

视图.py

from django.contrib.auth.decorators import login_required

@login_required
def some_view(request):
if request.user.is_superuser:
    //allow access only to superuser
    return render(request, 'app/template1.html', args)
else:
    //allow access only to user
    return render(request, 'app/template2.html', args)

score 2 · Accepted Answer

如果您想对许多视图执行此检查，@user_passes_test 不是一个优雅的解决方案。您可以轻松编写自己的装饰器，例如 @staff_member_require。

在这里，您可以看到一种可能的解决方案。

score 2 · Accepted Answer

使用 Django 的UserPassesTestMixin

创建自定义混合SuperuserRequiredMixin

#mixins.py
from django.contrib.auth.mixins import UserPassesTestMixin

class SuperuserRequiredMixin(UserPassesTestMixin):
    def test_func(self):
        return self.request.user.is_superuser

用法

class SomeSuperUserOnlyView(SuperuserRequiredMixin, ListView):
    form_class = ExamForm
    template_name = 'exam/newexam.html'

score 1 · Accepted Answer

您可以使用用户通过测试装饰器以您想要的任何方式限制访问。这是基于用户电子邮件示例的限制：

from django.contrib.auth.decorators import user_passes_test

def email_check(user):
    x = False
    if user.email == 'anyemailhere':
        x = True
    return x

# Create your views here.
@user_passes_test(email_check)
def dash_index(request):
    ...

更多在这里https://docs.djangoproject.com/en/2.1/topics/auth/default/#the-permission-required-decorator

score 0 · Accepted Answer

SuperuserRequiredMixin

另一个基于权限的 mixin。这专门用于要求用户成为超级用户。对于只有特权用户才能访问的工具非常有用。

第一次安装：pip install django-braces

视图.py

from braces.views import LoginRequiredMixin, SuperuserRequiredMixin


class SomeSuperuserView(LoginRequiredMixin, SuperuserRequiredMixin, TemplateView):
    template_name = "path/to/template.html"

django - How to limit a view to superuser only?

6 回答 6

Related

Reference