Access mixins
A lot of time is spent handling authentication and authorization in Django projects, from setting up your methods to special rules for special views. These mixins are aimed at making it easier to control access to your view.
PassesTestMixin
The PassesTestMixin is the base for most of the mixins in this module.
It requires you to provide a method and that method's name. The view will
run that method before anything happens in dispatch. If the test method
returns False or an equivalent, the view's dispatch method will be
skipped and the handle_test_failure method will be called. Override
handle_test_failure to control what happens when the request doesn't
pass your test.

    from django.views.generic import TemplateView
    from brackets.mixins import PassesTestMixin

    class IndexView(PassesTestMixin, TemplateView):
        dispatch_test = "is_unchained"  # name of the method run before dispatch

        def is_unchained(self):
            return not self.request.is_chained

The above view would require a request to have is_chained defined and
falsey in order to pass and the view be executed. By overriding
get_test_method, you can control how the dispatch test is discovered.
Overriding handle_test_failure will let you customize what happens after
a failed test.
Using this mixin, you can create all of the other mixins in this module. That's what we did.
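
The flow described above, as a stand-alone model added here for illustration; it is not django-brackets' implementation and does not import it. `ModelPassesTest`, `view_body`, `run`, the status strings and the choice to raise on a missing test method are assumptions of this example. It shows a test method written to fail closed when `is_chained` is absent from the request.

```python
from types import SimpleNamespace


class ModelPassesTest:
    """Simplified stand-in for the test-before-dispatch flow (not brackets' code)."""

    dispatch_test = None  # name of the test method, as on this page

    def __init__(self, request):
        self.request = request

    def get_test_method(self):
        # Assumption of this model: a missing or misspelled test name is a
        # configuration error, never a silent pass.
        method = getattr(self, self.dispatch_test or "", None)
        if not callable(method):
            raise RuntimeError(f"no test method named {self.dispatch_test!r}")
        return method

    def handle_test_failure(self):
        return "403 Forbidden"  # constructed response for the model

    def view_body(self):  # hypothetical stand-in for the real view logic
        return "200 OK"

    def dispatch(self):
        # The test runs first; a falsy result means the view body never runs.
        if not self.get_test_method()():
            return self.handle_test_failure()
        return self.view_body()


class IndexView(ModelPassesTest):
    dispatch_test = "is_unchained"

    def is_unchained(self):
        # Fail closed: a request without is_chained is treated as chained
        # instead of raising AttributeError or being let through.
        return not getattr(self.request, "is_chained", True)


class Misconfigured(ModelPassesTest):
    dispatch_test = "is_unchaned"  # typo: must not silently allow access


def run(view_cls, **request_attrs):
    """Dispatch a constructed request with the given attributes."""
    return view_cls(SimpleNamespace(**request_attrs)).dispatch()
```
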
PassOrRedirectMixin
The PassOrRedirectMixin combines two powerful mixins: PassesTestMixin
and the RedirectMixin from the redirect mixins.
If the view's test doesn't pass, by default the request will be redirected
to whatever URL you provide in the redirect_url attribute. If you'd like
to control how the redirection is accomplished, override redirect. If
you'd like to customize how the redirect URL is discovered, you'll want
to override get_redirect_url.

    from django.views.generic import View
    from brackets.mixins import PassOrRedirectMixin

    class InOrOutView(PassOrRedirectMixin, View):
        redirect_url = "/login/"  # where a failed test sends the request
        redirect_unauthenticated_users = True

The redirect_unauthenticated_users attribute directs the mixin to either
use the redirect method or to use whatever failure handler is next in
the chain.
SuperuserRequiredMixin
The SuperuserRequiredMixin is a fairly unsurprising mixin. If the user
requesting the view is not both authenticated and a superuser, they're
redirected elsewhere. You'll want to override the default test_superuser
if you have a special way of determining user levels.

    from django.views.generic import DetailView
    from brackets.mixins import SuperuserRequiredMixin

    class PhoneBooth(SuperuserRequiredMixin, DetailView): ...

StaffUserRequiredMixin
Much like SuperuserRequiredMixin, the StaffUserRequiredMixin requires
the view to be requested by a user where is_staff is True. If you need
to customize this discovery, override test_staffuser.

    from django.views.generic import DetailView
    from brackets.mixins import StaffUserRequiredMixin

    class WizardInventory(StaffUserRequiredMixin, DetailView): ...

GroupRequiredMixin
The GroupRequiredMixin is a little different from SuperuserRequired
and StaffUserRequired. It will take a single group name or a list of
group names, and then ensure that the requesting user is in at least one
of them.

    from django.views.generic import ListView
    from brackets.mixins import GroupRequiredMixin

    class PrivateGroupView(GroupRequiredMixin, ListView):
        group_required = "private_group"  # a single name or a list of names

Overriding check_membership will let you customize this membership
requirement.
AnonymousRequiredMixin
One of the simplest mixins, the AnonymousRequiredMixin redirects any
requests coming from an authenticated user. This mixin is useful on views
related to login or account creation, since there's little to no reason
for an authenticated user to be on those pages.

    from django.views.generic import DetailView
    from brackets.mixins import AnonymousRequiredMixin

    class NewSubscriberBenefits(AnonymousRequiredMixin, DetailView): ...

LoginRequiredMixin
Much like the AnonymousRequiredMixin, the LoginRequiredMixin redirects
any requests that aren't from an authenticated user.

    from django.views.generic import DetailView
    from brackets.mixins import LoginRequiredMixin

    class MembersOnly(LoginRequiredMixin, DetailView): ...

RecentLoginRequiredMixin
The RecentLoginRequiredMixin is exactly the same as the LoginRequiredMixin
except that it checks the age of the user's authentication. Overriding
max_age with a new value, in seconds, will allow you to control how
long they can go between authentications.

    from django.views.generic import DetailView
    from brackets.mixins import RecentLoginRequiredMixin

    class MembersOnly(RecentLoginRequiredMixin, DetailView):
        max_age = 3600  # They must have logged in within the last hour

PermissionRequiredMixin
The PermissionRequiredMixin is probably the most complex of the
access-related mixins. Permissions are a very customizable system in Django.
In this mixin, too, you're allowed to have optional and required permissions.
The permission_required attribute is where most of the work is done.
It's expected to be a dictionary with two keys: "all" and "any". The
"all" key indicates permissions which the user must have, and they
must have all of them. The "any" list of permissions, though, will
allow a user through if they have any of the listed permissions.

    from django.views.generic import UpdateView
    from brackets.mixins import PermissionRequiredMixin

    class EditAccountView(PermissionRequiredMixin, UpdateView):
        permission_required = {
            "all": ["account.can_edit"],
            "any": ["account.can_manage", "account.can_administer"],
        }

The above view would require a user to have the account.can_edit permission.
The user wouldn't have to have both the account.can_manage and
account.can_administer permissions. In fact, they don't have to have
either! "any" also allows for "none".
SSLRequiredMixin
The SSLRequiredMixin only allows through requests that come from a secure
connection. By default, requests are redirected to their https equivalent.
You can control this by setting redirect_to_ssl to False; the view
will now return a BadRequest instead of redirecting.

    from django.views.generic import TemplateView
    from brackets.mixins import SSLRequiredMixin

    class WeTakeSecuritySeriously(SSLRequiredMixin, TemplateView):
        redirect_to_ssl = False  # return a BadRequest instead of redirecting

If you need to customize the redirection, override handle_test_failure.