Django Require Login

Forked from django-stronghold

Require login on all your django URLs by default

Supported Versions

• Python 3.8, 3.9, 3.10, 3.11
• Django 4.0, 4.1, 4.2

Installation and Setup

Install via pip.

pip install django-require-login

Then add the middleware to your MIDDLEWARE in your Django settings file

MIDDLEWARE = [
    #...
    "django_require_login.middleware.LoginRequiredMiddleware",
]

After adding the middleware, all your Django views will default to login required.

If your LOGIN_URL and LOGOUT_REDIRECT_URL contain a named URL pattern add REQUIRE_LOGIN_PUBLIC_NAMED_URLS to your settings file with your LOGIN_URL and LOGOUT_REDIRECT_URL

REQUIRE_LOGIN_PUBLIC_NAMED_URLS = (LOGIN_URL, LOGOUT_REDIRECT_URL)

If your LOGIN_URL and LOGOUT_REDIRECT_URL don't contain a named URL pattern add REQUIRE_LOGIN_PUBLIC_URLS to your settings file with your LOGIN_URL and LOGOUT_REDIRECT_URL

REQUIRE_LOGIN_PUBLIC_URLS = (LOGIN_URL, LOGOUT_REDIRECT_URL)

Usage

To make a view public again you can use the public decorator:

For function based views

from django_require_login.decorators import public
from django.http import HttpResponse


@public
def my_view(request):
    return HttpResponse("Public")

For class based views (decorator)

from django.utils.decorators import method_decorator
from django_require_login.decorators import public
from django.views.generic import View
from django.http import HttpResponse


class SomeView(View):
    def get(self, request, *args, **kwargs):
        return HttpResponse("Public view")
    
    @method_decorator(public)
    def dispatch(self, *args, **kwargs):
        return super().dispatch(*args, **kwargs)

For class based views (mixin)

from django_require_login.mixins import PublicViewMixin
from django.views.generic import View


class SomeView(PublicViewMixin, View):
	pass

Configuration (optional)

You can add a tuple of url regexes in your settings file with the REQUIRE_LOGIN_PUBLIC_URLS setting. Any url that matches against these patterns will be made public without using the @public decorator.

REQUIRE_LOGIN_PUBLIC_URLS

Default:

REQUIRE_LOGIN_PUBLIC_URLS = ()

Development Defaults

If DEBUG is True, REQUIRE_LOGIN_PUBLIC_URLS contains:

from django.conf import settings

(
    r'{}.+$'.format(settings.STATIC_URL),
    r'{}.+$'.format(settings.MEDIA_URL),
)

This is additive to your settings to support serving static files and media files from the development server. It does not replace any settings you may have in REQUIRE_LOGIN_PUBLIC_URLS.

Note: Public URL regexes are matched against HttpRequest.path_info.

REQUIRE_LOGIN_PUBLIC_NAMED_URLS

You can add a tuple of url names in your settings file with the REQUIRE_LOGIN_PUBLIC_NAMED_URLS setting. Names in this setting will be reversed using django.urls.reverse and any url matching the output of the reverse call will be made public without using the @public decorator:

Default:

REQUIRE_LOGIN_PUBLIC_NAMED_URLS = ()

REQUIRE_LOGIN_USER_TEST_FUNC

Optionally, set REQUIRE_LOGIN_USER_TEST_FUNC to a callable to limit access to users that pass a custom test. The callback receives a User object and should return True if the user is authorized. This is equivalent to decorating a view with user_passes_test.

Example:

REQUIRE_LOGIN_USER_TEST_FUNC = lambda user: user.is_staff

Default:

REQUIRE_LOGIN_USER_TEST_FUNC = lambda user: user.is_authenticated

Integration with Django REST Framework

Django REST Framework is not part of Django and uses its own authentication system. For this reason, you need to make all of your DRF views public and rely on DRF's authentication system.

Example

Assuming all your DRF views live under /api/ you can make them all public using a regex:

REQUIRE_LOGIN_PUBLIC_URLS = (r"^/api/.*",)

Security

If you believe you've found a bug with security implications, please do not disclose this issue in a public forum.

Email us at [email protected]

Contribute

See CONTRIBUTING.md