Comments (15)

kennethlove commented on May 10, 2024

So what do you see as a solution to this, @benbacardi ? Seems unwieldy to have a distinct class variable for each different mixin.

from django-braces.

benbacardi commented on May 10, 2024

Yes, it would be unwieldy to have different class variables for each different mixin. Perhaps something like this on the LoginRequiredMixin:

```python
from django.contrib.auth.views import redirect_to_login
from django.core.exceptions import PermissionDenied


# AccessMixin is the base class already defined in braces' views module.
class LoginRequiredMixin(AccessMixin):
    """
    View mixin which verifies that the user is authenticated.

    NOTE:
        This should be the left-most mixin of a view, except when
        combined with CsrfExemptMixin - which in that case should
        be the left-most mixin.
    """
    redirect_unauthenticated_users = False

    def dispatch(self, request, *args, **kwargs):
        # is_authenticated is a method on Django < 1.10 (a property from 1.10 on)
        if not request.user.is_authenticated():
            if self.raise_exception and not self.redirect_unauthenticated_users:
                raise PermissionDenied  # return a forbidden response
            else:
                return redirect_to_login(request.get_full_path(),
                                         self.get_login_url(),
                                         self.get_redirect_field_name())

        return super(LoginRequiredMixin, self).dispatch(
            request, *args, **kwargs)
```

With the above flag, all existing implementations will work fine, but if you have a LoginRequiredMixin with any other AccessMixin, and raise_exception set to True, you could add redirect_unauthenticated_users = True to allow the LoginRequiredMixin to redirect but all other mixins to raise an exception?

BernhardPosselt commented on May 10, 2024

Any reason why you'd ever want to redirect to a login page if the user is logged in and doesn't have permissions to view the page? IMO the current implementation is flawed; every Mixin that checks user attributes should redirect to the login page if the user is not authenticated. If he is logged in but is not authenticated to view the page, simply return a 403 page.

benbacardi commented on May 10, 2024

@Raydiation That's kind of my point, yes - I'd like to be able to throw a 403 if they are logged in and don't have permissions, but redirect to login if they're not logged in.

@kennethlove Any thoughts on my proposed solution?

scottwoodall commented on May 10, 2024

I ran into this use case today as well. My user is logged in but not authorized so it's sending them to the login page, which redirects them back to the view ad nauseam until a loop threshold is reached.

@benbacardi's solution seems reasonable to me.

ryancurrah commented on May 10, 2024

I used braces thinking that this was possible. Turns out it is not. Has anyone tried to add this feature?

kennethlove commented on May 10, 2024

@ryancurrah @scottwoodall @benbacardi @Raydiation We've been looking into it but haven't settled on an official solution yet. Whatever we do, we'd like it to be backwards-compatible if possible, so we're being a bit more cautious here.

benbacardi commented on May 10, 2024

@kennethlove My solution is backwards compatible, did you have any thoughts on it?

kennethlove commented on May 10, 2024

@benbacardi sorry, I think I missed it! That is a really solid solution.

Mind submitting an actual pull request with tests and docs? :)

ryancurrah commented on May 10, 2024

Thanks as well @benbacardi, good solution, using it now!

suriya commented on May 10, 2024

This is my solution to address this issue.

```python
from django.core.exceptions import PermissionDenied
from braces.views import (LoginRequiredMixin, PermissionRequiredMixin)

class MyPermissionRequiredMixin(PermissionRequiredMixin):
    def no_permissions_fail(self, request=None):
        if request and request.user.is_authenticated():
            raise PermissionDenied
        return super(MyPermissionRequiredMixin, self).no_permissions_fail(request)

class MyView(LoginRequiredMixin, MyPermissionRequiredMixin):
    ...
    raise_exception = False  # i.e. the default value
```

ryancurrah commented on May 10, 2024

I think this issue can be closed now, can't it?

bobsilverberg commented on May 10, 2024

I was having this same issue and found an even easier solution than [1]:

```python
class MyStaffUserRequiredMixin(StaffuserRequiredMixin):
    raise_exception = True

class MyView(LoginRequiredMixin, MyStaffUserRequiredMixin):
    ...
```

[1] #88 (comment)

bobsilverberg commented on May 10, 2024

Oops, that didn't actually work, as it also overrode the value in LoginRequiredMixin. :(

blueyed commented on May 10, 2024

For reference, this appears to have been merged in PR #131, and could be closed therefore.

For reference: I have moved the redirect_unauthenticated_users attribute to the base class in my PR (#145), which allows for more control of handling the non-authenticated case - which might be interesting for specific use cases mentioned here.
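
The behaviour discussed in this thread, as an added example that is not part of the thread or of django-braces: a framework-free model of the mixin chain, showing the login loop, why setting `raise_exception` on a subclassed sibling mixin also changes `LoginRequiredMixin`, and what `redirect_unauthenticated_users` changes. The stand-in classes, the integer statuses, the `reports.view` permission name and the `None`/set user representation are assumptions made so it runs without Django.

```python
class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (a 403)."""

class BaseView:
    def dispatch(self, user):  # user: None if anonymous, else a set of permissions
        return 200

class AccessMixin:
    raise_exception = False  # looked up through the MRO, so shared by all mixins

class LoginRequiredMixin(AccessMixin):
    redirect_unauthenticated_users = False  # flag proposed in the thread
    def dispatch(self, user):
        if user is None:
            if self.raise_exception and not self.redirect_unauthenticated_users:
                raise PermissionDenied
            return 302  # redirect to the login page
        return super().dispatch(user)

class PermissionRequiredMixin(AccessMixin):
    permission_required = "reports.view"  # hypothetical permission name
    def dispatch(self, user):
        if self.permission_required not in user:
            if self.raise_exception:
                raise PermissionDenied
            return 302  # a logged-in user is sent to login again: the loop
        return super().dispatch(user)

class DefaultView(LoginRequiredMixin, PermissionRequiredMixin, BaseView):
    pass

class RaisingPermissionMixin(PermissionRequiredMixin):
    raise_exception = True  # meant for this mixin only

class SubclassedView(LoginRequiredMixin, RaisingPermissionMixin, BaseView):
    pass  # LoginRequiredMixin finds raise_exception=True on its MRO sibling

class FixedView(SubclassedView):
    redirect_unauthenticated_users = True

def outcomes(view_cls):
    """Statuses for (anonymous, logged in without permission, permitted)."""
    result = []
    for user in (None, set(), {"reports.view"}):
        try:
            result.append(view_cls().dispatch(user))
        except PermissionDenied:
            result.append(403)
    return tuple(result)
```

`outcomes(DefaultView)` gives the redirect for a logged-in user without permission, `outcomes(SubclassedView)` gives a 403 to anonymous visitors as well, and only `outcomes(FixedView)` separates the two cases.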
