Opened 17 years ago

Closed 17 years ago

#3697 closed (wontfix)

ability to mark entire directory (and subdirs) as login_required/is_staff

Reported by: Simon G. <dev@…>
Owned by: nobody
Component: Core (Other)
Version: dev
Severity:
Keywords: pie-in-the-sky-feature-requests
Cc: dev@…
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

It would be very nice to have the ability to mark an entire directory (URL Path) as login_required/etc. For example, everything below /admin/ should be checked with is_staff.

There are a number of reasons for this:

1) it's tidier and more DRY-ish to not have decorators on every single view.

2) it's safer - by decorating a directory rather than every view, you're less likely to forget one.

3) it's a common system - generally everything under /admin/ needs a staff member, everything in /user/ needs a logged in user, etc.

I'm not sure how this could be done - possibly by adding a parameter to a URL conf (although I don't know if that's the "right" place), or by setting a flag in a views file.

Change History (7)

comment:1 by Simon G. <dev@…>, 17 years ago

Triage Stage: Unreviewed → Design decision needed

comment:2 by Chris Beaven, 17 years ago

While I'm not sure about tying this to URLs, I do like the sentiment that we need a way to lock all views down to login_required (or some other decorator) by default, turning this functionality off when not required.

It just makes plain security sense (just like *cough* auto-escaping).

comment:3 by James Bennett, 17 years ago

It's possible in trunk to do something like this right now, because you can apply decorators in the URLConf now. I'll think a bit about the best way to handle it.

comment:4 by James Bennett, 17 years ago

Actually, I think the right solution here is middleware, not URL configuration (since it's something which needs to apply to every request); Jared Kuolt wrote a middleware which does that, and posted it here: http://superjared.com/entry/requiring-login-entire-django-powered-site/

comment:5 by Simon G. <dev@…>, 17 years ago

He's written an updated middleware here: http://superjared.com/entry/requiring-login-entire-django-powered-site-redux/ and this may be a good thing to include in contrib?

comment:6 by Simon G. <dev@…>, 17 years ago

...and I clicked submit too quickly: This would give us fine-grained control (i.e. login_required/etc already block at a view level), and the middleware works site-wide, but there's still plenty of room in the middle for "mark this entire chunk of my site as login_required".

& #3784 is a dupe.

comment:7 by Adrian Holovaty, 17 years ago

Resolution: wontfix
Status: new → closed

The middleware posted in an above comment is a solution.
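
An added example, not code from this ticket, from Django, or from the linked middleware: one way to cover the middle ground discussed above is a middleware that maps URL prefixes to a required level and treats unlisted paths as login-required. The names `ACCESS_RULES`, `required_level`, `decide` and `PathAccessMiddleware`, and the sample paths, are assumptions.

```python
# Added example; all names here are hypothetical, not Django APIs.
PUBLIC, LOGIN, STAFF = "public", "login", "staff"

# Constructed sample policy: URL prefix -> minimum level required.
ACCESS_RULES = {
    "/admin/": STAFF,
    "/user/": LOGIN,
    "/accounts/login/": PUBLIC,
}
DEFAULT_LEVEL = LOGIN  # fail closed: a path nobody listed still needs a login


def required_level(path):
    """Level of the longest rule whose prefix matches on a segment boundary."""
    # "/admin" and "/admin/x" match "/admin/"; "/administrator/" does not.
    hits = [p for p in ACCESS_RULES
            if path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/")]
    return ACCESS_RULES[max(hits, key=len)] if hits else DEFAULT_LEVEL


def decide(path, user):
    """Return "allow", "login" or "forbidden" for this path and user."""
    level = required_level(path)
    if level == PUBLIC:
        return "allow"
    if not getattr(user, "is_authenticated", False):
        return "login"
    if level == STAFF and not getattr(user, "is_staff", False):
        return "forbidden"
    return "allow"


class PathAccessMiddleware:
    # List after AuthenticationMiddleware so request.user is populated.
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # path_info is the raw string the URL resolver matches on.
        verdict = decide(request.path_info, getattr(request, "user", None))
        if verdict == "login":
            from django.contrib.auth.views import redirect_to_login
            return redirect_to_login(request.get_full_path())
        if verdict == "forbidden":
            from django.http import HttpResponseForbidden
            return HttpResponseForbidden()
        return self.get_response(request)
```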
