Opened 8 years ago
Closed 8 years ago
#27483 closed New feature (wontfix)
Add a login_required decorator for AJAX requests
Reported by: | Ramin Farajpour Cami | Owned by: | Ramin Farajpour Cami |
---|---|---|---|
Component: | contrib.auth | Version: | 1.10 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi,
If users use the @login_required decorator or manually perform a redirect to a form on an AJAX request, when an Ajax call is made the user is logged in. Here is:

Check users:
```python
from functools import wraps

from django.core.exceptions import PermissionDenied


def ajax_login_required(function):
    @wraps(function)  # preserves __name__ and __doc__ of the wrapped view
    def wrap(request, *args, **kwargs):
        # is_authenticated is an attribute since Django 1.10
        if request.user.is_authenticated:
            return function(request, *args, **kwargs)
        raise PermissionDenied  # or 401 == not authenticated
    return wrap
```
raise PermissionDenied will cause a 403 status code or 401 Unauthorized to be returned to the client.

Check superusers:
```python
from functools import wraps

from django.core.exceptions import PermissionDenied


def ajax_admin_required(function):
    @wraps(function)  # preserves __name__ and __doc__ of the wrapped view
    def wrap(request, *args, **kwargs):
        # is_authenticated is an attribute since Django 1.10
        if request.user.is_authenticated and request.user.is_superuser:
            return function(request, *args, **kwargs)
        raise PermissionDenied  # or 401 == not authenticated
    return wrap
```
Change History (4)
comment:1 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 8 years ago
comment:3 by , 8 years ago
Thanks,

First: I think we should have something in the docs about using @login_required in AJAX requests; I don't see this note. For AJAX requests the developer must spoof to use @login_required on an AJAX request, while @login_required does not return content type json or html to the client: https://docs.djangoproject.com/en/1.10/topics/auth/default/#django.contrib.auth.decorators.login_required

Now, for the subject of this ticket: OK, I will write to the Google group.
comment:4 by , 8 years ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
Summary: | check login_required ajax users decorators and superuser decorators → Add a login_required decorator for AJAX requests |
Closing, pending further discussion on the mailing list.
Similar things have been suggested on Stackoverflow 1, 2. I'm not sure whether or not it needs to be in Django, after all it's only a few lines. You could write to the DevelopersMailingList to see what others think.