I have a website and I want to prevent visitors from seeing content unless they have permission. How can I restrict them?
3 Answers
I recommend taking a look at Permissions and Authorization in the django docs.
Here is one way of doing this:
In your User model:
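    from django.contrib.auth.models import AbstractUser

    class User(AbstractUser):
        @property
        def has_permission_I_want(self):
            # check permissions here
            # return True or False
            return False  # placeholder: deny until the real check is written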
In a view:
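    from django.contrib.auth.decorators import user_passes_test

    # user_passes_test takes a callable that receives request.user;
    # getattr() keeps AnonymousUser, which lacks the property, from raising
    @user_passes_test(lambda user: getattr(user, "has_permission_I_want", False))
    def some_view(request):
        ...  # Some code here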
Or, to limit content within a page, pass user into the template dict from the view:
    return render(
        request, "app/some_page.html",
        {"user": request.user}
    )
and in the template:
    {% if user.has_permission_I_want %}
        <p> You can see this content </p>
    {% endif %}
Also check out this SO question.

If you want to make it so that a user has to log in to access a function, you could:
    from django.contrib.auth.decorators import login_required

    @login_required
    def some_view(request):
        ...  # Some code inside the function
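Check for permissions without using a decorator:
    # models.py
    from django.conf import settings
    from django.db import models

    class UserProfile(models.Model):
        # Tie each profile to one user so the lookup does not rely on matching ids
        user = models.OneToOneField(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)
        has_permission = models.BooleanField(default=False)
While registering a user, create a record in UserProfile
    # admin.py
    from django.contrib import admin
    from app.models import UserProfile

    admin.site.register(UserProfile)
And then head over to the admin to set permissions
    # views.py
    from django.contrib.auth.decorators import login_required
    from django.core.exceptions import PermissionDenied
    from app.models import UserProfile

    @login_required
    def some_view(request):
        user_profile = UserProfile.objects.get(user=request.user)
        if user_profile.has_permission:
            ...  # Give permission
        else:
            raise PermissionDenied  # Deny permission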
Creating a decorator
Create a file, decorators.py, in the app
    from functools import wraps
    from django.core.exceptions import PermissionDenied
    from simple_decorators.apps.models import Post

    def check_if_deleter_is_author(function):
        @wraps(function)  # keeps the view's __name__ and __doc__
        def wrap(request, *args, **kwargs):
            post = Post.objects.get(pk=kwargs['post_id'])
            if post.created_by == request.user:
                return function(request, *args, **kwargs)
            else:
                raise PermissionDenied
        return wrap

    # views.py
    from app.decorators import check_if_deleter_is_author

    @check_if_deleter_is_author
    def some_view(request, post_id):  # post_id must arrive as a keyword argument from the URL
        ...  # Some code to delete the post

Restrict access to logged in users in Function based views
If you’re using function based views you can simply restrict all access to the view to users who are logged in, by decorating the function with the @login_required decorator.
    from django.contrib.auth.decorators import login_required
    from django.http import HttpResponse

    @login_required
    def my_view(request):
        return HttpResponse()
The result of this will be that any user who is not logged in and who tries to access the view by its URL will be redirected to the login page of your website. Note that this decorator does not check if the user is active or not (using the is_active property), it only checks if the user is logged in or not.
