Opened 8 years ago

Closed 8 years ago

#3697 closed (wontfix)

ability to mark entire directory (and subdirs) as login_required/is_staff

Reported by: Simon G. <dev@…>
Owned by: nobody
Component: Core (Other)
Version: master
Severity:
Keywords: pie-in-the-sky-feature-requests
Cc: dev@…
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

It would be very nice to have the ability to mark an entire directory (URL Path) as login_required/etc. For example, everything below /admin/ should be checked with is_staff.

There are a number of reasons for this:

1) it's tidier and more DRY-ish to not have decorators on every single view.

2) it's safer - by decorating a directory rather than every view, you're less likely to forget one.

3) it's a common system - generally everything under /admin/ needs a staff member, everything in /user/ needs a logged in user, etc.

I'm not sure how this could be done - possibly by adding a parameter to a URL conf (although I don't know if that's the "right" place), or by setting a flag in a views file.

Change History (7)

comment:1 Changed 8 years ago by Simon G. <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 8 years ago by SmileyChris

While I'm not sure about tying this to URLs, I do like the sentiment that we need a way to lock all views down to login_required (or some other decorator) by default, turning this functionality off when not required.

It just makes plain security sense (just like *cough* auto-escaping).

comment:3 Changed 8 years ago by ubernostrum

It's possible in trunk to do something like this right now, because you can apply decorators in the URLConf now. I'll think a bit about the best way to handle it.

comment:4 Changed 8 years ago by ubernostrum

Actually, I think the right solution here is middleware, not URL configuration (since it's something which needs to apply to every request); Jared Kuolt wrote a middleware which does that, and posted it here: http://superjared.com/entry/requiring-login-entire-django-powered-site/

comment:5 Changed 8 years ago by Simon G. <dev@…>

He's written an updated middleware here: http://superjared.com/entry/requiring-login-entire-django-powered-site-redux/ and this may be a good thing to include in contrib?

comment:6 Changed 8 years ago by Simon G. <dev@…>

...and I clicked submit too quickly: This would give us fine-grained control (i.e. login_required/etc already block at a view level), and the middleware works site-wide, but there's still plenty of room in the middle for "mark this entire chunk of my site as login_required".

& #3784 is a dupe.

comment:7 Changed 8 years ago by adrian

  • Resolution set to wontfix
  • Status changed from new to closed

The middleware posted in an above comment is a solution.
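
The "mark this entire chunk of my site" idea from the ticket, sketched as a prefix-policy middleware. This is an added example, not code from the ticket, from the linked middleware, or from Django itself. The rule table, the level names and the `/user/signup/` exception are hypothetical, and it assumes a current Django where `is_authenticated` is a property.

```python
# Added example: prefix-based access policy as middleware (not Django's own code).
PUBLIC, LOGIN, STAFF = "public", "login", "staff"

# Hypothetical policy table: URL prefix -> required level.
PREFIX_RULES = {
    "/admin/": STAFF,
    "/user/": LOGIN,
    "/user/signup/": PUBLIC,   # nested exception; longest prefix wins
}
DEFAULT_LEVEL = PUBLIC


def required_level(path, rules=PREFIX_RULES, default=DEFAULT_LEVEL):
    """Return the level of the longest rule prefix that covers `path`."""
    # Compare on whole segments so "/administrator/" never matches "/admin/",
    # while "/admin" (no trailing slash) still does.
    probe = path if path.endswith("/") else path + "/"
    matches = [p for p in rules if probe.startswith(p)]
    return rules[max(matches, key=len)] if matches else default


def is_allowed(level, user):
    """Decide access for a user object exposing is_authenticated / is_staff."""
    if level == PUBLIC:
        return True
    if not getattr(user, "is_authenticated", False):
        return False
    return level == LOGIN or bool(getattr(user, "is_staff", False))


class PrefixAccessMiddleware:
    """New-style Django middleware; list it after AuthenticationMiddleware."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # Imported lazily so the policy functions above work without Django.
        from django.contrib.auth.views import redirect_to_login
        from django.core.exceptions import PermissionDenied

        level = required_level(request.path)
        user = getattr(request, "user", None)
        if is_allowed(level, user):
            return self.get_response(request)
        if getattr(user, "is_authenticated", False):
            raise PermissionDenied  # logged in but not staff -> 403
        return redirect_to_login(request.get_full_path())
```

Setting `DEFAULT_LEVEL` to `LOGIN` gives the locked-by-default behaviour raised in comment:2; the login URL then needs its own `PUBLIC` rule so the redirect does not loop.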
