| author | Hisham Mahmood <hishammahmood41@gmail.com> | 2024-05-05 11:21:28 +0500 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-05-22 08:51:17 +0200 |
| commit | c7fc9f20b49b5889a9a8f47de45165ac443c1a21 (patch) | |
| tree | 113e55d5b047f479375638c1f17d9c127aedf618 /docs | |
| parent | 7857507c7fc43350701700d4215a37baea7655f0 (diff) | |
Fixed #31405 -- Added LoginRequiredMiddleware.
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/checks.txt | 4 |
| -rw-r--r-- | docs/ref/middleware.txt | 58 |
| -rw-r--r-- | docs/ref/settings.txt | 5 |
| -rw-r--r-- | docs/releases/5.1.txt | 14 |
| -rw-r--r-- | docs/topics/auth/default.txt | 17 |
5 files changed, 96 insertions, 2 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index efc8cf666a..d78a6f76b2 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -868,6 +868,10 @@ The following checks are performed on the default for its builtin permission names to be at most 100 characters. * **auth.E012**: The permission codenamed ``<codename>`` of model ``<model>`` is longer than 100 characters. +* **auth.E013**: In order to use + :class:`django.contrib.auth.middleware.LoginRequiredMiddleware`, + :class:`django.contrib.auth.middleware.AuthenticationMiddleware` must be + defined before it in MIDDLEWARE. ``contenttypes`` ---------------- diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index 63b38da0a0..ba9bef7e6f 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt 
@@ -495,6 +495,58 @@ Adds the ``user`` attribute, representing the currently-logged-in user, to every incoming ``HttpRequest`` object. See :ref:`Authentication in web requests <auth-web-requests>`. +.. class:: LoginRequiredMiddleware + +.. versionadded:: 5.1 + +Redirects all unauthenticated requests to a login page. For admin views, this +redirects to the admin login. For all other views, this will redirect to +:setting:`settings.LOGIN_URL <LOGIN_URL>`. This can be customized by using the +:func:`~.django.contrib.auth.decorators.login_required` decorator and setting +``login_url`` or ``redirect_field_name`` for the view. For example:: + + @method_decorator( + login_required(login_url="/login/", redirect_field_name="redirect_to"), + name="dispatch", + ) + class MyView(View): + pass + + + @login_required(login_url="/login/", redirect_field_name="redirect_to") + def my_view(request): ... + +Views using the :func:`~django.contrib.auth.decorators.login_not_required` +decorator are exempt from this requirement. + +.. admonition:: Ensure that your login view does not require a login. + + To prevent infinite redirects, ensure you have + :ref:`enabled unauthenticated requests + <disable-login-required-middleware-for-views>` to your login view. + +**Methods and Attributes** + +.. attribute:: redirect_field_name + + Defaults to ``"next"``. + +.. method:: get_login_url() + + Returns the URL that unauthenticated requests will be redirected to. If + defined, this returns the ``login_url`` set on the + :func:`~.django.contrib.auth.decorators.login_required` decorator. Defaults + to :setting:`settings.LOGIN_URL <LOGIN_URL>`. + +.. method:: get_redirect_field_name() + + Returns the name of the query parameter that contains the URL the user + should be redirected to after a successful login. If defined, this returns + the ``redirect_field_name`` set on the + :func:`~.django.contrib.auth.decorators.login_required` decorator. Defaults + to :attr:`redirect_field_name`. 
If ``None`` is returned, a query parameter + won't be added. + .. class:: RemoteUserMiddleware Middleware for utilizing web server provided authentication. See @@ -597,6 +649,12 @@ Here are some hints about the ordering of various Django middleware classes: After ``SessionMiddleware``: uses session storage. +#. :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` + + .. versionadded:: 5.1 + + After ``AuthenticationMiddleware``: uses user object. + #. :class:`~django.contrib.messages.middleware.MessageMiddleware` After ``SessionMiddleware``: can use session-based storage. diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index fdd44a887d..ee25eab0dd 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -3060,8 +3060,9 @@ Default: ``'/accounts/login/'`` The URL or :ref:`named URL pattern <naming-url-patterns>` where requests are redirected for login when using the :func:`~django.contrib.auth.decorators.login_required` decorator, -:class:`~django.contrib.auth.mixins.LoginRequiredMixin`, or -:class:`~django.contrib.auth.mixins.AccessMixin`. +:class:`~django.contrib.auth.mixins.LoginRequiredMixin`, +:class:`~django.contrib.auth.mixins.AccessMixin`, or when +:class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` is installed. .. setting:: LOGOUT_REDIRECT_URL diff --git a/docs/releases/5.1.txt b/docs/releases/5.1.txt index faaa5c9833..f2b7663576 100644 --- a/docs/releases/5.1.txt +++ b/docs/releases/5.1.txt 
@@ -26,6 +26,20 @@ only officially support the latest release of each series. What's new in Django 5.1 ======================== +Middleware to require authentication by default +----------------------------------------------- + +The new :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` +redirects all unauthenticated requests to a login page. Views can allow +unauthenticated requests by using the new +:func:`~django.contrib.auth.decorators.login_not_required` decorator. + +The :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` respects +the ``login_url`` and ``redirect_field_name`` values set via the +:func:`~.django.contrib.auth.decorators.login_required` decorator, but does not +support setting ``login_url`` or ``redirect_field_name`` via the +:class:`~django.contrib.auth.mixins.LoginRequiredMixin`. + Minor features -------------- diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 795a1bdacc..1d2ea8132d 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -656,8 +656,25 @@ inheritance list. ``is_active`` flag on a user, but the default :setting:`AUTHENTICATION_BACKENDS` reject inactive users. +.. _disable-login-required-middleware-for-views: + .. currentmodule:: django.contrib.auth.decorators +The ``login_not_required`` decorator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 5.1 + +When :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` is +installed, all views require authentication by default. Some views, such as the +login view, may need to disable this behavior. + +.. function:: login_not_required() + + Allows unauthenticated requests without redirecting to the login page when + :class:`~django.contrib.auth.middleware.LoginRequiredMiddleware` is + installed. + Limiting access to logged-in users that pass a test ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
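Review bot: in the docs/ref/checks.txt hunk, the new **auth.E013** entry writes MIDDLEWARE as bare text while the two class names next to it are cross-referenced. Mark it up as :setting:`MIDDLEWARE` (or at least as a ``MIDDLEWARE`` literal) so a reader who hits the check can jump straight to the setting whose order they have to change.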
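Review bot: in the docs/ref/middleware.txt hunk, the ``login_required`` cross-references are written ``:func:`~.django.contrib.auth.decorators.login_required``` with a dot after the tilde, while ``login_not_required`` a few lines later uses ``~django.contrib.auth.decorators...`` without it. The path is already fully qualified, so drop the leading dot in all three places for consistency. In the same hunk, the ``redirect_field_name`` attribute entry gives only its default of ``"next"``; add one sentence saying what the attribute is, since the explanation currently lives only under ``get_redirect_field_name()``.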
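Review bot: in the docs/releases/5.1.txt hunk, the second paragraph states that ``login_url`` and ``redirect_field_name`` set via ``LoginRequiredMixin`` are not supported by the middleware, but the class reference added in docs/ref/middleware.txt in this same patch never mentions that limitation. Repeat it there, next to the sentence about customizing with ``login_required``, because a project that relies on a mixin-level ``login_url`` will otherwise see redirects go to :setting:`LOGIN_URL` with no hint in the reference docs as to why.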
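Review bot: in the docs/topics/auth/default.txt hunk, "Some views, such as the login view, may need to disable this behavior" understates what the admonition in docs/ref/middleware.txt says, namely that a login view which still requires login causes infinite redirects. Reword it so the login view is stated as something that has to be exempt. The ``login_not_required()`` entry also has no usage example, while ``login_required`` is shown on both a function view and a class-based view via ``method_decorator`` in the middleware reference; add the equivalent pair here so readers do not have to guess how to exempt a class-based view.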
