Opened 4 weeks ago

Closed 4 weeks ago

#35932 closed New feature (wontfix)

Add a LOGIN_REQUIRED_URLS_EXCEPTIONS for LoginRequiredMiddleware

Reported by: levimoore Owned by:
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Mariusz Felisiak Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

LoginRequired middleware is great for security but it makes it tough to use third party libraries like django auth or django cookies when they have their own urls and you can't make them not required unless you make your won custom views and add the decorator. The workarounf is makign a custom middleware like this

class CustomLoginRequiredMiddleware(LoginRequiredMiddleware):
    def __init__(self, get_response):
        super().__init__(get_response)
        # Compile the regex patterns
        self.exempt_urls = [
            re.compile(pattern) for pattern in settings.LOGIN_REQUIRED_URLS_EXCEPTIONS
        ]

    def process_view(self, request, view_func, view_args, view_kwargs):
        path = request.path_info
        # First check our exempt URLs
        if any(pattern.match(path) for pattern in self.exempt_urls):
            return None

        # If not exempt, continue with normal login required check
        return super().process_view(request, view_func, view_args, view_kwargs)

but to do this in every proejct is not ideal for the growth of django

instead it should be by default allowable to have routes that dont need to be logged into by the settings.py file like

LOGIN_REQUIRED_URLS_EXCEPTIONS = [
    r"^/accounts/",  # allauth URLs
    r"^/cookies/",  # cookie consent URLs
    r"^/static/",  # static files
    r"^/media/",  # media files
    r"^/admin/admin_sso/",
    # Add any other paths you want to exempt from login
]

Change History (1)

comment:1 by Mariusz Felisiak, 4 weeks ago

Cc: Mariusz Felisiak added
Easy pickings: unset
Resolution: wontfix
Status: newclosed
Type: Cleanup/optimizationNew feature
Version: 5.1dev

If this is something you need when using 3rd party authorization packages, you should propose this as a new feature to one of those packages, not to Django itself. Adding a new setting is always controversial (we already have plenty of them), especially for use in one location that can be easily customized. Last but not least you can always use the @login_not_required decorator.

Note: See TracTickets for help on using tickets.
Back to Top