I am trying to limit access to pages using 2 user levels. Superuser and admin. Super user is a regular Django user with 'is_superuser' assigned. Admin user is also a regular user with only the 'is_staff' permission assigned.
The problem is that when i use this decorator for an admin user, it doesn't pass the开发者_开发技巧 test:
@permission_required('is_staff')
def my_view(....)
@permission_required('is_staff')
returns false for anonymous users. (correct)
@permission_required('is_superuser')
only returns true for superusers (correct)
@permission_required('is_staff')
returns FALSE for users with the 'is_staff' perm assigned. (wrong).
Any thoughts?
is_staff
isn't a permission so instead of permission_required
you could use:
@user_passes_test(lambda u: u.is_staff)
or
from django.contrib.admin.views.decorators import staff_member_required
@staff_member_required
for Class Based Views you can add permission_required('is_staff')
to the urls.py
:
from django.contrib.auth.decorators import permission_required
url(r'^your-url$', permission_required('is_staff')(YourView.as_view()), name='my-view'),
For class-based views, the UserPassesTestMixin is convenient, e.g.
class ImportFilePostView(LoginRequiredMixin, UserPassesTestMixin):
def test_func(self):
return self.request.user.is_staff
...
A variant of @arie 's answer without lambda which might be a tad faster (but I didn't check):
import operator
from django.contrib.auth.decorators import user_passes_test
@user_passes_test(operator.attrgetter('is_staff'))
def my_view(....)
Having said that, I think the better approach is to create a Permission
for your view and use it with the permission_required
decorator.
精彩评论