Reputation: 66370
How to limit a view to superuser only?
view.py
@login_required
@permission_required('is_superuser')
def score_reset(request):
pass
url.py
url(r'^score-reset/$', score_reset, name='score-reset'),
I have the following code and to my surprise I still hit the function, despite being logged in with a non superuser. I was expecting to get a permission denied.
What am I missing?
Upvotes: 34
Views: 27838
Answers (6)
Reputation: 161
SuperuserRequiredMixin
Another permission-based mixin. This is specifically for requiring a user to be a superuser. Comes in handy for tools that only privileged users should have access to.
First install: pip install django-braces
views.py
from braces.views import LoginRequiredMixin, SuperuserRequiredMixin
class SomeSuperuserView(LoginRequiredMixin, SuperuserRequiredMixin, TemplateView):
template_name = "path/to/template.html"
Upvotes: 0
Reputation: 6565
Make use of Django's UserPassesTestMixin
Create a custom mixin SuperuserRequiredMixin
#mixins.py
from django.contrib.auth.mixins import UserPassesTestMixin
class SuperuserRequiredMixin(UserPassesTestMixin):
def test_func(self):
return self.request.user.is_superuser
Usage
class SomeSuperUserOnlyView(SuperuserRequiredMixin, ListView):
form_class = ExamForm
template_name = 'exam/newexam.html'
Upvotes: 6
Reputation: 2478
You can use the user passes test decorator to restrict access any way you want. Here is a restriction based on user email example:
from django.contrib.auth.decorators import user_passes_test
def email_check(user):
x = False
if user.email == 'anyemailhere':
x = True
return x
# Create your views here.
@user_passes_test(email_check)
def dash_index(request):
...
More here https://docs.djangoproject.com/en/2.1/topics/auth/default/#the-permission-required-decorator
Upvotes: 1
Reputation: 2986
Above answers seems to be for very early versions of django. They are bit complicated than for the more later version
for django 1.11 here is a bit similar but simpler strategy.
views.py
from django.contrib.auth.decorators import login_required
@login_required
def some_view(request):
if request.user.is_superuser:
//allow access only to superuser
return render(request, 'app/template1.html', args)
else:
//allow access only to user
return render(request, 'app/template2.html', args)
Upvotes: 7
Reputation: 91
@user_passes_test is not an elegant solution if you want to perform this check on many views. You can easily write your own decorathor having for example @staff_member_require.
Here you can see one of the possible solutions.
Upvotes: 2
Reputation: 54000
is_superuser isn't a permission, it's an attribute on the user model. Django already has another decorator you can make use of called user_passes_test to perform this check:
from django.contrib.auth.decorators import user_passes_test
@user_passes_test(lambda u: u.is_superuser)
def score_reset(self,...):
...
Upvotes: 63
Related Questions
- superuser authenticate in class based view
- Django check if superuser in class-based view
- How to restrict view in Django from other users?
- Filter only normal users not staff or superusers in Django
- Restricting whole django app to the normal users
- Want to Authenticate only Superuser
- How can I restrict access to a view to only super users in Django
- allowing only super user login
- how to limit number of super user in django
- Restrict Django admin to only allow super-users