permission_required decorator doesn't work for me

I cannot understand why the permission_required decorator does not work. I would like to allow access to the view only for staff. I tried

    @permission_required('request.user.is_staff', login_url="../admin")
    def series_info(request):
        ...

and

    @permission_required('user.is_staff', login_url="../admin")
    def series_info(request):
        ...

As a superuser, I can access the view, but any users that I create as staff cannot access it and are redirected to the login URL page. I tested the login_required decorator and it works great.

+6
django django-admin
5 answers

permission_required() should be passed the name of the permission, not a Python expression in a string. Try this instead:

    from django.contrib.auth.decorators import user_passes_test

    def staff_required(login_url=None):
        # Wrap user_passes_test so the view is only reachable when user.is_staff is True.
        return user_passes_test(lambda u: u.is_staff, login_url=login_url)

    @staff_required(login_url="../admin")
    def series_info(request):
        ...

Thank you, it works. Do you have an example of how to use permission_required? From the docs.djangoproject.com/en/1.0/... and djangobook.com/en/2.0/chapter14 documentation, I thought that should work for me.

Reread the links you posted; permission_required() will check if a specific permission has been granted to the user. It does not check the attributes of a user object.

From http://www.djangobook.com/en/2.0/chapter14/ :

    from django.http import HttpResponse
    from django.contrib.auth.decorators import user_passes_test

    def vote(request):
        if request.user.is_authenticated() and request.user.has_perm('polls.can_vote'):
            pass  # vote here
        else:
            return HttpResponse("You can't vote in this poll.")

    # ----

    def user_can_vote(user):
        return user.is_authenticated() and user.has_perm("polls.can_vote")

    @user_passes_test(user_can_vote, login_url="/login/")
    def vote(request):
        pass  # vote here

    # ----

    from django.contrib.auth.decorators import permission_required

    @permission_required('polls.can_vote', login_url="/login/")
    def vote(request):
        pass  # vote here

+22

Here's how I do it:

    from django.contrib.admin.views.decorators import staff_member_required

    @staff_member_required
    def series_info(request):
        ...

The documentation says of staff_member_required:

A view decorator that verifies that the user is logged in and is a staff member, displaying the login page if necessary.

+3

Here is an example of behavior that I do not understand. I create a user and a request, and decorate a test function with permission_required checking for 'is_staff'. If the user is a superuser, access to the test function is granted. If the user only has is_staff = True, access is not granted.

    from django.http import HttpRequest
    from django.contrib.auth.models import User
    from django.contrib.auth.decorators import permission_required

    @permission_required('is_staff')
    def test(dummy='dummy'):
        print('In test')

    mb_user = User.objects.create_user('mitch', 'mb@home.com', 'mbpassword')
    mb_user.is_staff = True

    req = HttpRequest()
    req.user = mb_user

    test(req)  # access to test denied - redirected

    req.user.is_staff = False
    test(req)  # same as when is_staff is True

    req.user.is_superuser = True
    test(req)  # access to test allowed

+1

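The behaviour reported in the question and in the test post above, as an added example that is not part of the original posts and is not Django's own code: a plain-Python model of the two decorators, showing why the string 'is_staff' passes for a superuser and fails for a staff user. The `User`, `Request` and `outcomes` helpers and the "redirect:" return string are assumptions made for illustration.

```python
# Simplified model of the checks discussed above. Plain Python, no Django import;
# the names mirror Django's, but this is not Django's code.
from functools import wraps

class User:
    def __init__(self, perms=(), is_staff=False, is_superuser=False, is_active=True):
        self.perms = set(perms)          # granted "app_label.codename" strings
        self.is_staff = is_staff
        self.is_superuser = is_superuser
        self.is_active = is_active

    def has_perm(self, perm):
        # Active superusers pass every permission check, whatever the string is.
        if self.is_active and self.is_superuser:
            return True
        return self.is_active and perm in self.perms

class Request:
    def __init__(self, user):
        self.user = user

def user_passes_test(test_func, login_url="/login/"):
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if test_func(request.user):
                return view(request, *args, **kwargs)
            return "redirect:" + login_url   # stands in for the login redirect
        return wrapped
    return decorator

def permission_required(perm, login_url="/login/"):
    # The string is looked up as a permission name; it is never evaluated.
    return user_passes_test(lambda u: u.has_perm(perm), login_url)

@permission_required("is_staff", login_url="../admin")
def broken_view(request):
    return "series info"

@user_passes_test(lambda u: u.is_staff, login_url="../admin")
def staff_view(request):
    return "series info"

def outcomes(user):
    """Return (result of broken_view, result of staff_view) for this user."""
    req = Request(user)
    return broken_view(req), staff_view(req)
```

Because a superuser passes any has_perm() check, a mistyped or meaningless permission string goes unnoticed when a view is only exercised with a superuser account; access rules are worth testing with an ordinary account as well.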
By the way, if you use class-based views, you should wrap your decorator in the method_decorator decorator (go figure):

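    from django.contrib.auth.decorators import permission_required
    from django.db import models
    from django.urls import reverse_lazy
    from django.utils.decorators import method_decorator
    from django.views.generic import DetailView

    class MyView(DetailView):
        ...
        @method_decorator(permission_required('polls.can_vote', login_url=reverse_lazy('my_login')))
        def dispatch(self, request, *args, **kwargs):
            ...  # blah

    class MyModel(models.Model):
        ...
        def has_perm(self, perm, obj=None):
            if perm == 'polls.can_vote':
                return self.can_vote()
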
+1

This works for me with my project table/model:

    @permission_required('myApp.add_project')
    def create(request):
        # python code etc...
        ...

Obviously change add_project to add_[whatever your model/table is]. To edit:

    @permission_required('myApp.edit_project')

and delete:

    @permission_required('myApp.delete_project')

But I found that the main thing is to make sure your authentication tables are configured correctly. This caused me problems. Here is a MySQL query that I wrote to check permissions if you use groups. This should work in most DBs:

    select usr.id as 'user id',
           usr.username,
           grp.id as 'group id',
           grp.name as 'group name',
           grpu.id as 'auth_user_groups',
           grpp.id as 'auth_group_permissions',
           perm.name,
           perm.codename
    from auth_user usr
    left join auth_user_groups grpu on usr.id = grpu.user_id
    left join auth_group grp on grpu.group_id = grp.id
    left join auth_group_permissions grpp on grp.id = grpp.group_id
    left join auth_permission perm on grpp.permission_id = perm.id
    order by usr.id;

I found that my permissions were not configured correctly. Also keep an eye on the django_content_type table, which should contain rows for each application and table for each of add, edit, delete. So if you have a project table, you should see this in django_content_type:

    id          [generated by DB]
    app_label   myApp
    model       project

If you are having problems, another good idea is to enable and use the Django admin application. This will show you where your problems are, and by setting up some test permissions, users and groups, you can then examine the tables discussed above to see what is inserted there. This will give you an idea of how authorization permissions work.

I write this to save someone from having to spend several hours figuring out what I did!

0

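The permission audit from the answer above, as an added example that is not part of the original post: it goes beyond the posted query by also reading permissions assigned directly to a user and by joining django_content_type, so the output is the 'app_label.codename' string that permission_required() is given. It runs against an in-memory SQLite database; the rows are constructed, and the tables are reduced to the columns the query uses.

```python
import sqlite3

# Constructed sample rows; tables are named like Django's default auth schema
# and reduced to the columns this query needs.
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INT, is_superuser INT);
CREATE TABLE auth_group (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE django_content_type (id INTEGER PRIMARY KEY, app_label TEXT, model TEXT);
CREATE TABLE auth_permission (id INTEGER PRIMARY KEY, name TEXT, content_type_id INT, codename TEXT);
CREATE TABLE auth_user_groups (id INTEGER PRIMARY KEY, user_id INT, group_id INT);
CREATE TABLE auth_group_permissions (id INTEGER PRIMARY KEY, group_id INT, permission_id INT);
CREATE TABLE auth_user_user_permissions (id INTEGER PRIMARY KEY, user_id INT, permission_id INT);
INSERT INTO auth_user VALUES (1,'mitch',1,0), (2,'root',1,1), (3,'editor',0,0);
INSERT INTO auth_group VALUES (1,'project managers');
INSERT INTO django_content_type VALUES (7,'myApp','project');
INSERT INTO auth_permission VALUES (25,'Can add project',7,'add_project'),
  (26,'Can change project',7,'change_project'), (27,'Can delete project',7,'delete_project');
INSERT INTO auth_user_groups VALUES (1,3,1);
INSERT INTO auth_group_permissions VALUES (1,1,25), (2,1,26);
INSERT INTO auth_user_user_permissions VALUES (1,3,27);
"""

QUERY = """
SELECT ct.app_label || '.' || p.codename AS perm, 'group:' || g.name AS source
FROM auth_user u
JOIN auth_user_groups ug ON ug.user_id = u.id
JOIN auth_group g ON g.id = ug.group_id
JOIN auth_group_permissions gp ON gp.group_id = g.id
JOIN auth_permission p ON p.id = gp.permission_id
JOIN django_content_type ct ON ct.id = p.content_type_id
WHERE u.username = :name
UNION
SELECT ct.app_label || '.' || p.codename, 'direct'
FROM auth_user u
JOIN auth_user_user_permissions up ON up.user_id = u.id
JOIN auth_permission p ON p.id = up.permission_id
JOIN django_content_type ct ON ct.id = p.content_type_id
WHERE u.username = :name
ORDER BY perm
"""

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def granted_permissions(conn, username):
    """Return [(permission string, source)] for rows stored in the auth tables."""
    return conn.execute(QUERY, {"name": username}).fetchall()
```

In the sample data the staff user 'mitch' and the superuser 'root' both return no rows: is_staff grants no permission, and a superuser passes permission checks without any rows being stored.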