Best way to make Django's login_required the default
Question:
I’m working on a large Django app, the vast majority of which requires a login to access. This means that all throughout our app we’ve sprinkled:
@login_required
def view(...):
That’s fine, and it works great as long as we remember to add it everywhere! Sadly sometimes we forget, and the failure often isn’t terribly evident. If the only link to a view is on a @login_required page then you’re not likely to notice that you can actually reach that view without logging in. But the bad guys might notice, which is a problem.
My idea was to reverse the system. Instead of having to type @login_required everywhere, instead I’d have something like:
@public
def public_view(...):
Just for the public stuff. I tried to implement this with some middleware and I couldn’t seem to get it to work. Everything I tried interacted badly with other middleware we’re using, I think. Next up I tried writing something to traverse the URL patterns to check that everything that’s not @public was marked @login_required – at least then we’d get a quick error if we forgot something. But then I couldn’t figure out how to tell if @login_required had been applied to a view…
So, what’s the right way to do this? Thanks for the help!
Answers:
You can’t really win this. You simply must make a declaration of the authorization requirements. Where else would you put this declaration except right by the view function?
Consider replacing your view functions with callable objects.
class LoginViewFunction( object ):
def __call__( self, request, *args, **kw ):
p1 = self.login( request, *args, **kw )
if p1 is not None:
return p1
return self.view( request, *args, **kw )
def login( self, request )
if not request.user.is_authenticated():
return HttpResponseRedirect('/login/?next=%s' % request.path)
def view( self, request, *args, **kw ):
raise NotImplementedError
You then make your view functions subclasses of LoginViewFunction.
class MyRealView( LoginViewFunction ):
def view( self, request, *args, **kw ):
.... the real work ...
my_real_view = MyRealView()
It doesn’t save any lines of code. And it doesn’t help the “we forgot” problem. All you can do is examine the code to be sure that the view functions are objects. Of the right class.
But even then, you’ll never really know that every view function is correct without a unit test suite.
Middleware may be your best bet. I’ve used this piece of code in the past, modified from a snippet found elsewhere:
import re
from django.conf import settings
from django.contrib.auth.decorators import login_required
class RequireLoginMiddleware(object):
"""
Middleware component that wraps the login_required decorator around
matching URL patterns. To use, add the class to MIDDLEWARE_CLASSES and
define LOGIN_REQUIRED_URLS and LOGIN_REQUIRED_URLS_EXCEPTIONS in your
settings.py. For example:
------
LOGIN_REQUIRED_URLS = (
r'/topsecret/(.*)$',
)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
r'/topsecret/login(.*)$',
r'/topsecret/logout(.*)$',
)
------
LOGIN_REQUIRED_URLS is where you define URL patterns; each pattern must
be a valid regex.
LOGIN_REQUIRED_URLS_EXCEPTIONS is, conversely, where you explicitly
define any exceptions (like login and logout URLs).
"""
def __init__(self):
self.required = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS)
self.exceptions = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)
def process_view(self, request, view_func, view_args, view_kwargs):
# No need to process URLs if user already logged in
if request.user.is_authenticated():
return None
# An exception match should immediately return None
for url in self.exceptions:
if url.match(request.path):
return None
# Requests matching a restricted URL pattern are returned
# wrapped with the login_required decorator
for url in self.required:
if url.match(request.path):
return login_required(view_func)(request, *view_args, **view_kwargs)
# Explicitly return None for all non-matching requests
return None
Then in settings.py, list the base URLs you want to protect:
LOGIN_REQUIRED_URLS = (
r'/private_stuff/(.*)$',
r'/login_required/(.*)$',
)
As long as your site follows URL conventions for the pages requiring authentication, this model will work. If this isn’t a one-to-one fit, you may choose to modify the middleware to suit your circumstances more closely.
What I like about this approach – besides removing the necessity of littering the codebase with @login_required decorators – is that if the authentication scheme changes, you have one place to go to make global changes.
It’s hard to change the built-in assumptions in Django without reworking the way url’s are handed off to view functions.
Instead of mucking about in Django internals, here’s an audit you can use. Simply check each view function.
import os
import re
def view_modules( root ):
for path, dirs, files in os.walk( root ):
for d in dirs[:]:
if d.startswith("."):
dirs.remove(d)
for f in files:
name, ext = os.path.splitext(f)
if ext == ".py":
if name == "views":
yield os.path.join( path, f )
def def_lines( root ):
def_pat= re.compile( "n(S.*)n+(^defs+.*:$)", re.MULTILINE )
for v in view_modules( root ):
with open(v,"r") as source:
text= source.read()
for p in def_pat.findall( text ):
yield p
def report( root ):
for decorator, definition in def_lines( root ):
print decorator, definition
Run this and examine the output for defs without appropriate decorators.
There is an alternative to putting a decorator on each view function. You can also put the login_required() decorator in the urls.py file.
While this is still a manual task, at least you have it all in one place, which makes it easier to audit.
e.g.,
from my_views import home_view
urlpatterns = patterns('',
# "Home":
(r'^$', login_required(home_view), dict(template_name='my_site/home.html', items_per_page=20)),
)
Note that view functions are named and imported directly, not as strings.
Also note that this works with any callable view object, including classes.
Inspired by Ber’s answer I wrote a little snippet that replaces the patterns function, by wrapping all of the URL callbacks with the login_required decorator. This works in Django 1.6.
def login_required_patterns(*args, **kw):
for pattern in patterns(*args, **kw):
# This is a property that should return a callable, even if a string view name is given.
callback = pattern.callback
# No property setter is provided, so this will have to do.
pattern._callback = login_required(callback)
yield pattern
Using it works like this (the call to list is required because of the yield).
urlpatterns = list(login_required_patterns('', url(r'^$', home_view)))
Here is a middleware solution for django 1.10+
The middlewares in have to be written in a new way in django 1.10+.
Code
import re
from django.conf import settings
from django.contrib.auth.decorators import login_required
class RequireLoginMiddleware(object):
def __init__(self, get_response):
# One-time configuration and initialization.
self.get_response = get_response
self.required = tuple(re.compile(url)
for url in settings.LOGIN_REQUIRED_URLS)
self.exceptions = tuple(re.compile(url)
for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)
def __call__(self, request):
response = self.get_response(request)
return response
def process_view(self, request, view_func, view_args, view_kwargs):
# No need to process URLs if user already logged in
if request.user.is_authenticated:
return None
# An exception match should immediately return None
for url in self.exceptions:
if url.match(request.path):
return None
# Requests matching a restricted URL pattern are returned
# wrapped with the login_required decorator
for url in self.required:
if url.match(request.path):
return login_required(view_func)(request, *view_args, **view_kwargs)
# Explicitly return None for all non-matching requests
return None
Installation
- Copy the code into your project folder, and save as middleware.py
-
Add to MIDDLEWARE
MIDDLEWARE = [
…
‘.middleware.RequireLoginMiddleware’, # Require login
]
- Add to your settings.py:
LOGIN_REQUIRED_URLS = (
r'(.*)',
)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
r'/admin(.*)$',
)
LOGIN_URL = '/admin'
Sources:
-
This answer by Daniel Naab
-
Django Middleware tutorial by Max Goodridge
-
Would be possible to have a single starting point for all the urls in a sort of include and that decorate it using this packages https://github.com/vorujack/decorate_url.
In Django 2.1, we can decorate all methods in a class with:
from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView
@method_decorator(login_required, name='dispatch')
class ProtectedView(TemplateView):
template_name = 'secret.html'
UPDATE:
I have also found the following to work:
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic import TemplateView
class ProtectedView(LoginRequiredMixin, TemplateView):
template_name = 'secret.html'
and set LOGIN_URL = '/accounts/login/' in your settings.py
There’s an app that provides a plug-and-play solution to this:
https://github.com/mgrouchy/django-stronghold
pip install django-stronghold
# settings.py
INSTALLED_APPS = (
#...
'stronghold',
)
MIDDLEWARE_CLASSES = (
#...
'stronghold.middleware.LoginRequiredMiddleware',
)
As of Django 3+, you can change the default like the followings:
Step 1: Create a new file anything.py in your yourapp directory and write the following:
import re
from django.conf import settings
from django.contrib.auth.decorators import login_required
//for registering a class as middleware you at least __init__() and __call__()
//for this case we additionally need process_view() which will be automatically called by Django before rendering a view/template
class ClassName(object):
//need for one time initialization, here response is a function which will be called to get response from view/template
def __init__(self, response):
self.get_response = response
self.required = tuple(re.compile(url) for url in settings.AUTH_URLS)
self.exceptions = tuple(re.compile(url)for url in settings.NO_AUTH_URLS)
def __call__(self, request):
//any code written here will be called before requesting response
response = self.get_response(request)
//any code written here will be called after response
return response
//this is called before requesting response
def process_view(self, request, view_func, view_args, view_kwargs):
//if authenticated return no exception
if request.user.is_authenticated:
return None
//default case, no exception
return login_required(view_func)(request, *view_args, **view_kwargs)
Step 2: Add this anything.py to Middleware[] in project/settings.py like followings
MIDDLEWARE = [
// your previous middleware
'yourapp.anything.ClassName',
]
This is the answer for Newer versions of Django. It works pretty well!
https://pypi.org/project/django-login-required-middleware/
works with:
- Python: 3.6, 3.7, 3.8
- Django: 1.11, 2.0, 2.1, 2.2, 3.x
I’m working on a large Django app, the vast majority of which requires a login to access. This means that all throughout our app we’ve sprinkled:
@login_required
def view(...):
That’s fine, and it works great as long as we remember to add it everywhere! Sadly sometimes we forget, and the failure often isn’t terribly evident. If the only link to a view is on a @login_required page then you’re not likely to notice that you can actually reach that view without logging in. But the bad guys might notice, which is a problem.
My idea was to reverse the system. Instead of having to type @login_required everywhere, instead I’d have something like:
@public
def public_view(...):
Just for the public stuff. I tried to implement this with some middleware and I couldn’t seem to get it to work. Everything I tried interacted badly with other middleware we’re using, I think. Next up I tried writing something to traverse the URL patterns to check that everything that’s not @public was marked @login_required – at least then we’d get a quick error if we forgot something. But then I couldn’t figure out how to tell if @login_required had been applied to a view…
So, what’s the right way to do this? Thanks for the help!
You can’t really win this. You simply must make a declaration of the authorization requirements. Where else would you put this declaration except right by the view function?
Consider replacing your view functions with callable objects.
class LoginViewFunction( object ):
def __call__( self, request, *args, **kw ):
p1 = self.login( request, *args, **kw )
if p1 is not None:
return p1
return self.view( request, *args, **kw )
def login( self, request )
if not request.user.is_authenticated():
return HttpResponseRedirect('/login/?next=%s' % request.path)
def view( self, request, *args, **kw ):
raise NotImplementedError
You then make your view functions subclasses of LoginViewFunction.
class MyRealView( LoginViewFunction ):
def view( self, request, *args, **kw ):
.... the real work ...
my_real_view = MyRealView()
It doesn’t save any lines of code. And it doesn’t help the “we forgot” problem. All you can do is examine the code to be sure that the view functions are objects. Of the right class.
But even then, you’ll never really know that every view function is correct without a unit test suite.
Middleware may be your best bet. I’ve used this piece of code in the past, modified from a snippet found elsewhere:
import re
from django.conf import settings
from django.contrib.auth.decorators import login_required
class RequireLoginMiddleware(object):
"""
Middleware component that wraps the login_required decorator around
matching URL patterns. To use, add the class to MIDDLEWARE_CLASSES and
define LOGIN_REQUIRED_URLS and LOGIN_REQUIRED_URLS_EXCEPTIONS in your
settings.py. For example:
------
LOGIN_REQUIRED_URLS = (
r'/topsecret/(.*)$',
)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
r'/topsecret/login(.*)$',
r'/topsecret/logout(.*)$',
)
------
LOGIN_REQUIRED_URLS is where you define URL patterns; each pattern must
be a valid regex.
LOGIN_REQUIRED_URLS_EXCEPTIONS is, conversely, where you explicitly
define any exceptions (like login and logout URLs).
"""
def __init__(self):
self.required = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS)
self.exceptions = tuple(re.compile(url) for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)
def process_view(self, request, view_func, view_args, view_kwargs):
# No need to process URLs if user already logged in
if request.user.is_authenticated():
return None
# An exception match should immediately return None
for url in self.exceptions:
if url.match(request.path):
return None
# Requests matching a restricted URL pattern are returned
# wrapped with the login_required decorator
for url in self.required:
if url.match(request.path):
return login_required(view_func)(request, *view_args, **view_kwargs)
# Explicitly return None for all non-matching requests
return None
Then in settings.py, list the base URLs you want to protect:
LOGIN_REQUIRED_URLS = (
r'/private_stuff/(.*)$',
r'/login_required/(.*)$',
)
As long as your site follows URL conventions for the pages requiring authentication, this model will work. If this isn’t a one-to-one fit, you may choose to modify the middleware to suit your circumstances more closely.
What I like about this approach – besides removing the necessity of littering the codebase with @login_required decorators – is that if the authentication scheme changes, you have one place to go to make global changes.
It’s hard to change the built-in assumptions in Django without reworking the way url’s are handed off to view functions.
Instead of mucking about in Django internals, here’s an audit you can use. Simply check each view function.
import os
import re
def view_modules( root ):
for path, dirs, files in os.walk( root ):
for d in dirs[:]:
if d.startswith("."):
dirs.remove(d)
for f in files:
name, ext = os.path.splitext(f)
if ext == ".py":
if name == "views":
yield os.path.join( path, f )
def def_lines( root ):
def_pat= re.compile( "n(S.*)n+(^defs+.*:$)", re.MULTILINE )
for v in view_modules( root ):
with open(v,"r") as source:
text= source.read()
for p in def_pat.findall( text ):
yield p
def report( root ):
for decorator, definition in def_lines( root ):
print decorator, definition
Run this and examine the output for defs without appropriate decorators.
There is an alternative to putting a decorator on each view function. You can also put the login_required() decorator in the urls.py file.
While this is still a manual task, at least you have it all in one place, which makes it easier to audit.
e.g.,
from my_views import home_view
urlpatterns = patterns('',
# "Home":
(r'^$', login_required(home_view), dict(template_name='my_site/home.html', items_per_page=20)),
)
Note that view functions are named and imported directly, not as strings.
Also note that this works with any callable view object, including classes.
Inspired by Ber’s answer I wrote a little snippet that replaces the patterns function, by wrapping all of the URL callbacks with the login_required decorator. This works in Django 1.6.
def login_required_patterns(*args, **kw):
for pattern in patterns(*args, **kw):
# This is a property that should return a callable, even if a string view name is given.
callback = pattern.callback
# No property setter is provided, so this will have to do.
pattern._callback = login_required(callback)
yield pattern
Using it works like this (the call to list is required because of the yield).
urlpatterns = list(login_required_patterns('', url(r'^$', home_view)))
Here is a middleware solution for django 1.10+
The middlewares in have to be written in a new way in django 1.10+.
Code
import re
from django.conf import settings
from django.contrib.auth.decorators import login_required
class RequireLoginMiddleware(object):
def __init__(self, get_response):
# One-time configuration and initialization.
self.get_response = get_response
self.required = tuple(re.compile(url)
for url in settings.LOGIN_REQUIRED_URLS)
self.exceptions = tuple(re.compile(url)
for url in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS)
def __call__(self, request):
response = self.get_response(request)
return response
def process_view(self, request, view_func, view_args, view_kwargs):
# No need to process URLs if user already logged in
if request.user.is_authenticated:
return None
# An exception match should immediately return None
for url in self.exceptions:
if url.match(request.path):
return None
# Requests matching a restricted URL pattern are returned
# wrapped with the login_required decorator
for url in self.required:
if url.match(request.path):
return login_required(view_func)(request, *view_args, **view_kwargs)
# Explicitly return None for all non-matching requests
return None
Installation
- Copy the code into your project folder, and save as middleware.py
-
Add to MIDDLEWARE
MIDDLEWARE = [
…
‘.middleware.RequireLoginMiddleware’, # Require login
] - Add to your settings.py:
LOGIN_REQUIRED_URLS = (
r'(.*)',
)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
r'/admin(.*)$',
)
LOGIN_URL = '/admin'
Sources:
-
This answer by Daniel Naab
-
Django Middleware tutorial by Max Goodridge
Would be possible to have a single starting point for all the urls in a sort of include and that decorate it using this packages https://github.com/vorujack/decorate_url.
In Django 2.1, we can decorate all methods in a class with:
from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView
@method_decorator(login_required, name='dispatch')
class ProtectedView(TemplateView):
template_name = 'secret.html'
UPDATE:
I have also found the following to work:
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic import TemplateView
class ProtectedView(LoginRequiredMixin, TemplateView):
template_name = 'secret.html'
and set LOGIN_URL = '/accounts/login/' in your settings.py
There’s an app that provides a plug-and-play solution to this:
https://github.com/mgrouchy/django-stronghold
pip install django-stronghold
# settings.py
INSTALLED_APPS = (
#...
'stronghold',
)
MIDDLEWARE_CLASSES = (
#...
'stronghold.middleware.LoginRequiredMiddleware',
)
As of Django 3+, you can change the default like the followings:
Step 1: Create a new file anything.py in your yourapp directory and write the following:
import re
from django.conf import settings
from django.contrib.auth.decorators import login_required
//for registering a class as middleware you at least __init__() and __call__()
//for this case we additionally need process_view() which will be automatically called by Django before rendering a view/template
class ClassName(object):
//need for one time initialization, here response is a function which will be called to get response from view/template
def __init__(self, response):
self.get_response = response
self.required = tuple(re.compile(url) for url in settings.AUTH_URLS)
self.exceptions = tuple(re.compile(url)for url in settings.NO_AUTH_URLS)
def __call__(self, request):
//any code written here will be called before requesting response
response = self.get_response(request)
//any code written here will be called after response
return response
//this is called before requesting response
def process_view(self, request, view_func, view_args, view_kwargs):
//if authenticated return no exception
if request.user.is_authenticated:
return None
//default case, no exception
return login_required(view_func)(request, *view_args, **view_kwargs)
Step 2: Add this anything.py to Middleware[] in project/settings.py like followings
MIDDLEWARE = [
// your previous middleware
'yourapp.anything.ClassName',
]
This is the answer for Newer versions of Django. It works pretty well!
https://pypi.org/project/django-login-required-middleware/
works with:
- Python: 3.6, 3.7, 3.8
- Django: 1.11, 2.0, 2.1, 2.2, 3.x