I'm using django-contrib-comments, and I'm wondering how to ban anonymous users from posting comments.
Simply not displaying the form to anonymous users is not enough, since anonymous users can still post requests to the correct URL. It is possible to work out the CSRF token and the security_hash token as well from previous responses, so that's not enough.
If your goal is to disallow anonymous users to post comments, you can try to override the default supplied urls. Add login_required to the post_comment view. Do this by modifying urls.py for your django project:
from django.conf.urls import url, include
from django.contrib.auth.decorators import login_required
from django_comments.views.comments import post_comment
urlpatterns = [
...
# the line below will override the url supplied in django_comments.urls
url(r'^comments/post/$', login_required(post_comment), name='comments-post-comment'),
url(r'^comments/', include('django_comments.urls')),
...
]
Whenever a request is made to /comments/post/, it will use the login_required version of the view, as the pattern will be matched before the one in django_comments.urls.
